Home Invasion: Hackers Take Control of Robot Vacuums Across the U.S.
In recent days, robot vacuum cleaners have been hacked across the United States, as reported by ABC News. Hackers not only gained control over the devices but also used their speakers to issue offensive and racist remarks directed at nearby individuals.
All the compromised devices are Chinese-manufactured Ecovacs Deebot X2s, which have already garnered attention due to a security vulnerability. This model line is notorious for a critical flaw, making it an easy target for malicious actors. For instance, ABC News journalists demonstrated how full access could be obtained to the device’s camera and other functions.
One victim of these attacks, Minnesota attorney Daniel Swenson, recounted that he was watching television when the robot began emitting strange noises, reminiscent of radio interference. Through the mobile app, Swenson saw that an unknown individual had accessed the vacuum’s camera and remote control features. Attempts to change the password and reboot the device led to further malfunctions—the robot resumed moving on its own, and its speakers began broadcasting a human voice hurling racist slurs directly in front of Swenson’s son.
Similar incidents occurred in Los Angeles and El Paso, where the robots also exhibited erratic behavior, such as chasing pets and using their speakers for verbal abuse. The full extent of the hack remains unclear.
The root of the problem lies in a vulnerability that allows hackers to bypass the mandatory four-digit PIN required to control the device. This flaw was discovered as early as December 2023. Additionally, the robots have a Bluetooth vulnerability that enables full access from up to 300 meters away, though this mechanism does not explain the widespread attacks across the country.
Ecovacs has announced that a security update is scheduled for release in November 2024, which is expected to address this vulnerability.