Hackers hijack Ecovacs robot vacuums to shout racial slurs and chase pets — what you need to know
Robot vacuums were chasing pets and yelling obscenities
One of the handiest functions of smart home devices is the ability to check in on them remotely when you’re not at home. But remote access can create a significant security vulnerability, as demonstrated by a recent spate of hacks of a popular robot vacuum.
Over the space of a week in May, ABC News Australia reports, at least three Ecovacs Deebot X2 vacuums were hacked, with compromised robots reported in Minnesota, Texas and California. In each case, the hackers used the onboard speaker, remote controls and camera to cause mischief.
One of the victims, Minnesota lawyer Daniel Swenson, was innocently watching TV when his vacuum sprang to life, according to the report. “It sounded like a broken-up radio signal or something,” he explained. “You could hear snippets of maybe a voice.”
After logging into the app, Swenson observed that a stranger was using the live camera feed and remote control feature. He changed the password and rebooted the robot, but this didn’t solve the problem for long. The robot began moving again, with a voice shouting racial slurs from the speaker in front of the family gathered on the couch.
Swenson speculates it was a teenager pranking devices remotely. “Maybe they were just jumping from device to device messing with families.”
Either way, he turned the robot off and relegated it to the garage. The robot had previously lived on the same floor as the master bedroom, and he was alarmed at what bad actors could have done had the hackers not noisily announced their presence.
"Our youngest kids take showers in there," he said. "I just thought of it catching my kids or even me, you know, not dressed."
On the same day Swenson moved his Ecovacs robot to the garage, ABC reports that another Deebot X2 was also behaving in a distressing manner — in this case, chasing a dog around an LA home while hackers shouted abusive comments over the built-in speakers. And then five days after that, another Ecovacs robot in El Paso started parroting racial slurs at the owners until it was unplugged.
ABC says it’s “unclear” how many Ecovacs devices have been hacked in total. The site had previously experimented with a Bluetooth hack of the company’s robot, successfully taking control of a nearby device, but given the wide geographical gap between the reported attacks, this appears to be a different vulnerability.
One known issue, exposed at a hacking conference back in 2023, was that the four-digit PIN protecting remote control and video was only checked by the app, rather than the robot itself or the server.
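To show why a PIN checked only by the app protects nothing, here is an added sketch (not code from Ecovacs, ABC or the conference research) that puts an endpoint trusting the app beside one that verifies the PIN itself. The `Robot` class, command names, PIN value and lockout threshold are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILURES = 5  # assumed threshold; a four-digit PIN has only 10,000 values


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash so the PIN is never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Robot:
    """Constructed stand-in for the side that receives commands (robot or server)."""

    PROTECTED = {"live_video", "remote_drive"}  # hypothetical command names

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failures = 0

    def handle_trusting_app(self, command: str) -> str:
        # Flawed design: assumes the app already prompted for the PIN, so a
        # request that never went through that prompt is served anyway.
        return f"executing {command}"

    def handle_enforced(self, command: str, pin: Optional[str] = None) -> str:
        # Hardened design: the receiving side checks the PIN on every
        # protected command and stops answering after repeated failures.
        if command not in self.PROTECTED:
            return f"executing {command}"
        if self.failures >= MAX_FAILURES:
            return "locked"  # assumption: unlocking needs owner re-authentication
        supplied = hash_pin(pin, self.salt) if pin is not None else b""
        if not hmac.compare_digest(supplied, self.pin_hash):
            self.failures += 1
            return "denied"
        self.failures = 0
        return f"executing {command}"


if __name__ == "__main__":
    robot = Robot("4821")  # constructed PIN
    print(robot.handle_trusting_app("live_video"))
    print(robot.handle_enforced("live_video"))
    print(robot.handle_enforced("live_video", "4821"))
```

The lockout matters as much as the check: without it, a four-digit PIN verified on the right side could still be guessed by trying every value.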
In a statement to ABC News [PDF], Ecovacs stated that this specific issue had been “resolved” and that another OTA firmware update will arrive “in the second week of November 2024” to “further enhance security.”
The company added that while there was “no evidence to suggest that any usernames and passwords were obtained by unauthorized third parties as a result of any breach of Ecovacs’ systems,” it had noticed “significantly more attempts to log-in than the average daily amount, by a factor of 90:1”. As these all came from the same “unusual” device and location, the attached IP address was “immediately blocked.”
“Ecovacs has always prioritised product and data security, as well as the protection of consumer privacy,” the company concludes. “We assure customers that our existing products offer a high level of security in daily life, and that consumers can confidently use Ecovacs products.”
Freelance contributor Alan has been writing about tech for over a decade, covering phones, drones and everything in between. Previously Deputy Editor of tech site Alphr, his words are found all over the web and in the occasional magazine too. When not weighing up the pros and cons of the latest smartwatch, you'll probably find him tackling his ever-growing games backlog. He also handles all the Wordle coverage on Tom's Guide and has been playing the addictive NYT game for the last several years in an effort to keep his streak forever intact.

