Someone gained access to Ecovacs Deebot X2 Omni robotic vacuums across several US cities earlier this year and used them to chase pets and yell racist slurs at their owners, reported ABC News in Australia this week.
The outlet spoke with multiple Deebot X2 owners who say their Deebot X2s had been hacked in May, including Minnesota lawyer Daniel Swenson, who said he was watching TV with his family when a noise “like a broken-up radio signal or something” started coming from the robot’s speaker. He said after he reset his password and rebooted the robot, it began again, only this time the sound was clearly a voice (he guessed a teenager’s) yelling slurs.
ABC News lists other, similar accounts from owners in El Paso and Los Angeles, the latter of which involved someone using a Deebot to antagonize a dog, yelling at and chasing it.
Ecovacs told the outlet in a statement that it had “identified a credential stuffing event” and blocked the IP address it originated from. The company said it “found no evidence” that usernames and passwords were collected by the attacker.
Researchers demonstrated a flaw last year that let them bypass the Deebot X2’s PIN entry to gain access to the vacuum. Ecovacs says in its statement that it has resolved that, and that it also plans to “further enhance security” with an update in November. It’s not clear whether that would correct a Bluetooth vulnerability that ABC News exploited for a report earlier this month.
Cloud-connected smart home devices have led to stories like this for years. Sometimes it’s the result of hacks, others simply compromised credentials. Sometimes, it’s bad software showing you another owner’s camera feed, as a little treat. Issues like these can feel inevitable when so many smart home devices require a persistent internet connection to function, especially for those companies that don’t offer easy ways to report security vulnerabilities.