Ecovacs says it will fix bugs that can be abused to spy on robot owners
Earlier this month, security researchers warned that a series of security flaws in vacuum and lawn mower robots made by Ecovacs could allow hackers to spy on their owners through the devices’ microphones and cameras.
At the time, Ecovacs told TechCrunch it concluded that the flaws found by the researchers “are extremely rare in typical user environments and require specialized hacking tools and physical access to the device.”
“Therefore, users can rest assured that they do not need to worry excessively about this,” read the emailed statement, declining to commit to fixing the vulnerabilities.
Two weeks later, Ecovacs changed its mind, telling the researchers and TechCrunch that, actually, the company will fix the bugs.
“We have conducted an in-depth verification and self-examination. We have identified several areas where there is room for improvement,” Martin Ma, the director of Ecovacs’ security committee, told TechCrunch in an email. “In response, we have initiated targeted improvements and addressing the issues highlighted.”
Contact Us
Do you have more information about flaws in Ecovacs or other internet-connected home robots? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
On August 10, security researchers Dennis Giese and Braelynn gave a talk about their research into Ecovacs’ home robots at the annual hacking Def Con conference in Las Vegas. The two said they analyzed 11 Ecovacs devices and found several flaws.
The most impactful vulnerability, they said, allows anyone using a phone to connect to an Ecovacs robot via Bluetooth from as far as 450 feet — around 130 meters — and take control of the devices. That flaw would then let the hackers monitor the robots from anywhere because the robots are connected to the internet via Wi-Fi.
Other flaws included a bug that would allow someone to access a robot vacuum after selling it and deleting their account, meaning they could then spy on a device’s new owners, according to the researchers.
In an email to Giese on August 16 and shared with TechCrunch, Ecovacs’ Ma mentioned that the researchers’ talk at Def Con “has captured my attention.” That’s why, the email continued, Ma asked the Ecovacs security team to retrieve the correspondence the company had with the researchers. Ma said that the company “inadvertently overlooked” the researchers’ emails from December 2023.
“We have carefully reviewed your points raised in the previous emails and the Demos at Def Con 2024, and conducted an in-depth verification and self-examination,” Ma said, adding that the company will fix issues in two Ecovacs models — the Goat G1 and the X1 — and in the Ecovacs app.
“Your analysis has been greatly valued and appraised by our technical team. Your insights are invaluable in safeguarding the security and integrity of our products, and they contribute significantly to the consumer electronics industry as a whole,” Ma wrote. “Ultimately, it is the general consumers who will benefit most from your dedication.”