Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.

Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely.

“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.

The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers.

  • Ravi@feddit.org
    3 months ago

    For some robots there seems to be a self-hosted version of the servers available. Though I haven’t found the actual installation guide yet.

    Reference

      • Ravi@feddit.org
        3 months ago

        I can’t tell for sure, but IMO it’s pretty secure when you can block internet access for the robots as a whole.

        • NeoNachtwaechter@lemmy.world
          3 months ago

          Well, they refuse to work… :)

          And no, maybe it is not secure even then, since the current attack goes by Bluetooth.

  • zaphod@sopuli.xyz
    3 months ago

    Am I the only one who thinks vacuums, washing machines, fridges and so on shouldn’t be connected to the internet?

    • Lifecoach5000@lemmy.world
      3 months ago

      I’m not super happy about it, but my Roomba is absolutely essential now that I’ve been spoiled with it. I don’t like the idea of any of my appliances being online straight tied to a vendor’s app and service - but I’m willing to accept the trade-off in this instance. Maybe someday I’ll upgrade to a different robot vac. I know there are FOSS setups to work around some of those challenges and circumvent some of the BS.

    • GreyEyedGhost@lemmy.ca
      3 months ago

      I don’t disagree, but I think automation is cool, especially if you can keep it local (or have the tools to secure it on the internet). Valetudo can help make that possible. My current robot vacuum is pretty crappy, but it doesn’t have cameras or mapping. My next will be one that has mapping and can be easily flashed with local hosting.

      • MrPoopbutt@lemmy.world
        3 months ago

        Flashing a Dreame L10s was difficult but worth it. I’d recommend it if you have the expertise. I did end up having to buy a USB breakout board from eBay, though.

  • NeoNachtwaechter@lemmy.world
    3 months ago

    hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones

    Honestly, did anyone believe that this wouldn’t happen, sooner or later?

    When I bought myself such a device, I made sure that I would be able to install a cloud-free firmware on it. First thing. Before I wanted to use it at all.