Hackers hijack cleaning robots: Racial slurs and security flaws exposed
In several cities across the USA, hackers have taken control of cleaning robots, targeting one popular model of the device.
Within a few days, cleaning robots in many American cities were hacked. The hackers took control of their movements and caused the devices to emit obscene words through the built-in speakers. Additionally, they gained full access to the cameras with which the vacuuming robots are equipped.
The vacuum shouted racist insults
According to the portal abc.net.au, all hacked devices are of one specific model: the Ecovacs Deebot X2. Daniel Swenson, a lawyer from Minnesota whose vacuum was one of those taken over by unknown perpetrators, recounted the hacking incident to the Australian broadcaster ABC.
Swenson was watching television when he heard strange noises. He recalled, "It sounded like a disrupted radio signal or something like that. You could hear snippets of what sounded like a voice." Through the Ecovacs app, the lawyer noticed an issue with access to the live camera feed and remote control of the vacuum. Assuming it was a glitch, Swenson reset the password, restarted the robot, and sat back on the couch next to his wife and 13-year-old son.
Almost immediately, the vacuum started moving again. This time, there was no doubt about what was coming out of the speaker. The voice shouted racist insults, loudly and clearly, repeatedly yelling [the slurs]. Swenson said, "It seemed to me that the voice belonged to a kid, maybe a teenager." The lawyer immediately turned off the robot completely. He emphasized that he was relieved the hackers had loudly announced their presence instead of discreetly recording camera footage. It's unclear how many robots were hacked in total, though ABC reported on several incidents in various cities.
Leak of logins and passwords?
When Swenson filed a complaint with the manufacturer, they informed him, "An unauthorized person has taken over your Ecovacs account and its password." The company assured him that the perpetrator's IP address had been tracked and blocked. Swenson decided not to risk reconnecting the robot, which has been gathering dust in the garage since the incident. In a later email, the manufacturer informed him that there is a "high probability that your Ecovacs account was affected by a credential stuffing cyberattack." In this kind of attack, a username and password combination that someone reuses on multiple websites is stolen in a cyberattack on one of them and then tried against the person's other accounts.
Ecovacs was already aware of digital security flaws in this model of vacuum. On October 3, ABC published a report in which its reporters, without entering the home of a viewer who had been informed of the test, took control of that viewer's robot and recorded everything happening in the kitchen. In a media statement, Ecovacs announced that in November it would release a security update for owners of the X2 series.