Someone gained access to Ecovacs Deebot X2 Omni robotic vacuum cleaners in several US cities earlier this year and used them to chase pets and shout racist insults at their owners, ABC News in Australia reported this week.
The outlet spoke to several Deebot X2 owners who say their Deebot interrupted or something.” from the robot's speaker. He said that after resetting his password and restarting the robot, it started again, only this time the sound was clearly a voice (he assumed that of a teenager) shouting insults.
ABC News lists other similar accounts from owners in El Paso and Los Angeles, the latter of which involved someone using a Deebot to antagonize a dog, yell at it, and chase it.
Ecovacs told the outlet in a statement that it had “identified a credential stuffing event” and blocked the IP address it originated from. The company said it found “no evidence” that the attacker collected usernames and passwords.
Researchers demonstrated a flaw last year that allowed them to bypass the Deebot X2's PIN entry to gain access to the vacuum. Ecovacs says in its statement that it has resolved that and also plans to “further improve safety” with an update in November. It's unclear if that would fix a Bluetooth vulnerability that ABC News exploited for a report earlier this month.
Cloud-connected smart home devices have spawned stories like this for years. Sometimes it is the result of hacks; other times it is simply compromised credentials. Sometimes it's bad software that shows you another owner's camera, like a little gift. Issues like these may seem inevitable when so many smart home devices require a persistent Internet connection to function, especially for those companies that don't offer easy ways to report security vulnerabilities.