In a bizarre and troubling series of events, robot vacuums from the Chinese company Ecovacs have been hacked in several U.S. cities, with the devices unleashing racial slurs at their owners.
The affected models, specifically the Deebot X2, were compromised due to well-known security flaws, raising serious questions about the company’s cybersecurity practices.
The hacks enabled attackers to control the vacuums’ movements and use their speakers to emit offensive language.
For instance, in Minnesota, lawyer Daniel Swenson first noticed strange noises from his vacuum, which escalated to racial slurs directed at his family. In Los Angeles, one vacuum even chased a dog while hurling insults, and a similar incident occurred in El Paso.
The main vulnerability stems from Ecovacs’ faulty Bluetooth system and inadequate PIN code protection, issues previously flagged by cybersecurity researchers. Despite these warnings, the company had not fully resolved the problems.
Researchers demonstrated that hackers could bypass the PIN system meant to protect the vacuum’s camera and remote controls, leaving the devices susceptible to malicious attacks.
Swenson reported his experience to Ecovacs, initially facing skepticism from customer support. Eventually, the company acknowledged that his account had been compromised through “credential stuffing,” a technique where stolen usernames and passwords from previous breaches are reused.
Although Ecovacs conducted a security investigation and blocked the hacker’s IP address, concerns about the overall safety of its devices persist. While the company claims to have fixed the PIN flaw, cybersecurity experts warn that the solution may not be adequate.
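Credential stuffing of the kind described above typically appears in login logs as one source trying many different accounts with mostly failed attempts. The Python below is an added example, not Ecovacs code: the log format, IP addresses, account names and thresholds are constructed assumptions. It flags such sources and lists the accounts that accepted a login from them, because blocking the IP does not protect an account whose password is already known.

```python
from collections import defaultdict

# Constructed sample events: (unix_seconds, source_ip, username, outcome).
SAMPLE_EVENTS = (
    # One source walking through a list of leaked credentials.
    [(1000 + i * 2, "203.0.113.50", f"user{i}@example.com", "fail") for i in range(8)]
    + [
        (1016, "203.0.113.50", "victim@example.com", "success"),
        # A legitimate owner mistyping a password once, then logging in.
        (1005, "198.51.100.9", "owner@example.com", "fail"),
        (1020, "198.51.100.9", "owner@example.com", "success"),
    ]
)


def find_stuffing_sources(events, window=60, min_users=5, max_success_rate=0.25):
    """Return {source_ip: [accounts that logged in successfully from it]}.

    A source is flagged when any `window`-second span contains attempts
    against at least `min_users` distinct usernames and the share of
    successful attempts in that span is at most `max_success_rate`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {user for _, user, _ in span}
            wins = sum(1 for _, _, outcome in span if outcome == "success")
            if len(users) >= min_users and wins / len(span) <= max_success_rate:
                # Every account this source got into needs a forced password
                # reset and session revocation, not just an IP block.
                findings[ip] = sorted({u for _, u, o in rows if o == "success"})
                break
    return findings


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: likely credential stuffing; reset {accounts}")
```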
Ecovacs has promised a security upgrade for its X2 series in November, but many customers remain apprehensive about their compromised devices. These incidents underscore significant security gaps in smart home technology, posing risks of privacy invasion and harmful behavior when control falls into the wrong hands.