Cybersecurity researchers Dennis Giese and Braelynn have discovered critical vulnerabilities in Ecovacs robot vacuums and lawn mowers which could allow hackers to take over these IoT devices. By using the devices' cameras and microphones, attackers can potentially spy on the owners. This has raised significant concerns about the security of AI-powered devices.
At the DEFCON conference, the researchers reported that they had found several flaws, including broken crypto, missing TLS certificate verification, honor-system-based ACLs, lots of RCEs, broken factory resets and unauthorized live camera access.
Here's a breakdown of these flaws:
- A major flaw is that threat actors can exploit Bluetooth connections to take control of an Ecovacs robot even from 450 feet (130 meters) away. Once connected, hackers can access the robot remotely through its Wi-Fi connection, thereby breaching the homeowner's network.
- The lawn mower robots have a feature that maintains Bluetooth connectivity at all times. The vacuum robots enable Bluetooth for 20 minutes when turned on and once daily during automatic reboots, which widens the attack surface.
- A serious design error with these devices is that they lack hardware indicators to signal when the cameras or microphones are on. In some models, an audio file is played every five minutes to indicate that a camera is active, but hackers can easily disable this feature.
- Another data privacy concern is that users’ data and authentication tokens remain on Ecovacs’ cloud servers even after they have deleted the account. Data protection becomes a challenge as hackers can get access to secondhand devices.
- The anti-theft measure is also weak: the PINs for the lawn mowers are stored in plaintext within the device, making them easy to bypass.
Initially, Ecovacs dismissed these concerns, stating to TechCrunch that the flaws found by the researchers are extremely rare in typical user environments and require specialized hacking tools and physical access to the device. They assured users that they do not need to worry about this. However, after two weeks and proper verification and self-examination, they committed to fixing these issues in the Goat G1 and X1 models, as well as the Ecovacs app.
With AI-powered devices becoming a part of many modern homes, consumers of IoT devices have to be vigilant and informed about the devices they purchase. A tool meant to make life easier can potentially be a source of a security breach. It’s important that users ensure their devices are updated with the latest security patches and that they maintain best security practices. These findings highlight the urgent need for companies to improve the security measures in their smart home devices. They should ensure they take swift action whenever vulnerabilities are discovered and disclosed to them.