Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.
Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely.
“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.
The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers.
The Ecovacs app is garbage and has not improved much in years, so this doesn't surprise me.
As a note, Dennis Giese —who is the co-author of the Defcon talk mentioned in the article— is also the author of Dustcloud, which is used as the basis of Valetudo. Though I’m not aware that Valetudo will ever support Ecovacs robots.
It might now.
AFAIK Hypfer (the Valetudo maintainer) has no intention to support new robots other than Dreame.
You had better read their list of supported devices instead of saying such a …
I meant add support for new robots other than Dreame. On Telegram he explicitly said he won't support any new Roborock or Ecovacs.
hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones
Honestly, did anyone believe that this wouldn’t happen, sooner or later?
When I bought such a device, I made sure that I would be able to install a cloud-free firmware on it. First thing. Before I wanted to use it at all.
What did you end up using?
Dreame D10S Plus with Valetudo.
Commanding it from Home Assistant.
This is incredible. I mean it’s dystopian and bad… But it’s also cyberpunk as fuck.
cyberpunk is supposed to be dystopian…
For some robots there seems to be a self-hosted version of the servers available. Though I haven't found the actual installation guide yet.
Good to know.
But does it disable these current security holes?
I can’t tell for sure, but IMO it’s pretty secure when you can block internet access for the robots as a whole.
Well, they refuse to work… :)
And no, maybe it is not secure even then, since the current attack goes via Bluetooth.
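As an added example (not posted by anyone in this thread and not Valetudo's or Ecovacs' code), here is what "block internet access for the robot as a whole" looks like as an nftables ruleset on a Linux router: the robot keeps talking to the LAN (so a local Home Assistant instance can still drive it) but every packet it sends off the LAN, vendor cloud and DNS included, is dropped. The robot address 192.168.1.50 and the LAN prefix 192.168.1.0/24 are assumptions; substitute your own. Note what the previous comment points out: a rule like this does nothing against an attack arriving over Bluetooth, since that path never crosses the router.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor.
# Emit (and optionally apply) an nftables ruleset that cuts a robot vacuum
# off from the internet while leaving it reachable on the LAN.
# The addresses below are assumptions for illustration only.
ROBOT_IP="${ROBOT_IP:-192.168.1.50}"   # assumed LAN address of the robot
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix

# Print the ruleset. Kept as a function so it can be reviewed before applying.
robot_ruleset() {
  cat <<EOF
table inet robot_egress {
  set robots {
    type ipv4_addr
    elements = { ${ROBOT_IP} }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Robot <-> LAN traffic (e.g. a local Home Assistant) stays allowed.
    ip saddr @robots ip daddr ${LAN_NET} accept
    # Anything the robot sends off the LAN (vendor cloud, DNS, NTP) is dropped.
    ip saddr @robots ip daddr != ${LAN_NET} counter drop
  }
}
EOF
}

# Number of drop rules in the generated ruleset; a quick sanity check.
robot_ruleset_drops() {
  robot_ruleset | grep -c ' drop$'
}

# Apply only when explicitly asked and nft is installed; otherwise just print.
if [ "${1:-}" = "--apply" ] && command -v nft >/dev/null 2>&1; then
  robot_ruleset | nft -f -
elif [ "${1:-}" = "--print" ]; then
  robot_ruleset
fi
```

Run with `--print` to inspect the ruleset and `--apply` on the router to load it. Expect the robot to complain or refuse to start once it cannot reach its cloud, which is the behaviour the replies above describe; a cloud-free firmware such as Valetudo avoids that, but the Bluetooth attack surface is a separate matter that no network rule addresses.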
There’s S in IOT that stands for security