Thursday, April 3, 2025

Are your smart home devices watching you?

After splurging on a high-end vacuum cleaner, Sean Kelly assumed he had made a shrewd investment.

He relied on his Ecovacs Deebot X2 to help maintain the home he shares with his spouse, twin toddlers, and five-month-old child, and he felt reassured that a device costing AU $2,500 (approximately US $1,600) would be safeguarded from cyber threats.

Little did he realize that the seemingly innocuous cleaning device roaming freely around his home harbored a critical security vulnerability that left it susceptible to hacking and allowed unauthorized access to every conversation and transaction conducted within its purview.

The vulnerability wasn’t just an abstract concept, either – it had been exploited in practice by renowned security expert Dennis Giese, who has dedicated years to identifying vulnerabilities in robotic vacuum cleaners.

Researchers have discovered a vulnerability in Ecovacs’ robotic cleaning devices that enables remote exploitation via Bluetooth, granting unauthorized access to sensitive information and features including video feeds from the built-in camera and audio streams from the microphone.

As a seasoned security expert, Giese promptly notified Ecovacs about the identified vulnerability. Although the company has been aware of the situation since December 2023, the security gap remains unaddressed.

Without Kelly’s explicit consent, Australian TV producers allegedly tampered with the robotic vacuum.

News reporters were not only able to observe Kelly making a cup of espresso in his fourth-floor office kitchen – his wife having prohibited the experiment at home due to understandable privacy concerns – they were also able to interview him.

A monotone greeting pierced the air: “Good day, Sean.” “I’m waaaatching you.”

The audio connection was established remotely via Bluetooth. The reporter hacking the robotic vacuum cleaner wasn’t in the same physical space or even the same building; they were at ground level in a nearby park across the street.

This close proximity was necessary only for the initial Bluetooth hacking of the device, however. Once compromised, it may be managed from anywhere on the planet. Real-time photographs and audio were being transmitted from the United States to Germany, where they were relayed to Giese’s residence in Berlin.

Giese revealed that Ecovacs failed to respond to his December 2023 disclosure of security vulnerabilities, which left him no choice but to publicly share specifics at a hacking convention in August. Initially, the company downplayed the issue, attempting to dismiss it by claiming the exploit required specialized hacking tools and physical access to the device.

The demonstration did not require extensive equipment, though physical presence and direct visual observation were still essential components, and it could potentially be accomplished using a reasonably priced smartphone.

Ecovacs has since taken a more stringent approach, prioritizing user safety by rolling out software updates for select models, with the Deebot X2 slated to receive the update in November 2024.

That won’t arrive in time to meet the needs of some of its customers. Following the unsettling experience, Sean Kelly took matters into his own hands to safeguard his family’s privacy from the intrusive robotic vacuum that had invaded their home.

“I’ve started keeping a small dishcloth over it when it’s not in use.”
