Ecovacs robot vacuums can be hijacked remotely to spy on you
Ecovacs robot vacuums have severe Bluetooth vulnerabilities that let hackers remotely spy on users and propagate attacks to other devices.
Ecovacs robot vacuums and mowers possess significant Bluetooth security flaws that let hackers take control of the devices within a 450-foot range. These vulnerabilities enable unauthorized access to the robots' cameras, microphones, Wi-Fi credentials, and stored room maps, potentially allowing extensive monitoring of users' private spaces.
Once hijacked, the compromised robots can connect to a command-and-control server over the internet, granting the attacker remote control capabilities. Alarmingly, the hacked devices can even propagate the infection to nearby Ecovacs robots without triggering any warning indicators or lights, although some models have audio alerts that are easily disabled.
Security researchers Dennis Giese and Braelynn highlighted these issues and noted that user data and authentication tokens could remain on the company's cloud servers even after account deletion. Despite attempting responsible disclosure, they received no feedback from Ecovacs, leaving these vulnerabilities open to exploitation as of August 9.