Cybersecurity researchers have discovered critical vulnerabilities in popular Ecovacs robot vacuum cleaners that allow hackers to gain control of the devices and use them to spy on and stalk users. The vulnerabilities affect several popular Ecovacs models, including the Deebot 900 series, Deebot X1/X2, Deebot N8/T8, Goat G1 and Spybot Airbot Z1.
At the DEF CON 32 conference, researchers Dennis Giese and Braelynn Luedtke presented research findings that point to serious security issues in Ecovacs’ Deebot robot vacuums. The main vulnerabilities concern the Bluetooth connection and the PIN authentication system. A hacker can connect to the device from up to 130 meters away and bypass the weak PIN code to gain full control of the robot vacuum cleaner.
Once access is gained, an attacker can activate the built-in camera and microphone, turning the device into a surveillance tool. The researchers demonstrated the ability to disable the camera’s audible alert by manipulating audio files stored on the device, allowing hackers to conduct surveillance without alerting the owner. Hacked robot vacuums can stream video and audio through cloud services such as AWS Kinesis, allowing users to be monitored remotely.
Robot vacuum cleaners are now full-fledged Linux computers with cameras, microphones, LiDAR sensors and AI-based navigation systems. Being connected to a network exposes such devices to hacking and cyber attacks. The researchers warn that in the future hackers may develop special network worms that will automatically infect such devices.