Multiple Ecovacs Deebot X2 robot vacuums in US cities were recently hacked. This allowed attackers to remotely control the devices and broadcast racial slurs through their built-in speakers. This incident follows a report by the ABC, which demonstrated a critical security flaw in the Chinese-made robot vacuum model. The hackers exploited this vulnerability to gain unauthorised access to the Deebot X2s, enabling them to manipulate the vacuums' movements and utilise the speakers for malicious purposes.
How this attack affected users
"It sounded like a broken-up radio signal or something. You could hear snippets of maybe a voice," Minnesota lawyer Daniel Swenson told ABC News. He said he was watching TV when his robot vacuum started to malfunction.
After the device was reset, the vacuum began moving on its own and broadcasting racist slurs through its speaker, exposing the family to hateful content. This incident highlights the serious privacy and security risks associated with smart home devices.
"I got the impression it was a kid, maybe a teenager [speaking]. Maybe they were just jumping from device to device messing with families," Swenson said.
He added that it could have been much worse, as the attackers could have decided to quietly observe his family inside their home. The hackers could have easily spied on the family through the compromised robot vacuum, accessing its camera and microphone without their knowledge or consent. Finally, the device was taken to the garage and wasn't switched on again.
Users in multiple cities face similar issues
Multiple Ecovacs Deebot X2 robot vacuums in the US were reportedly hacked within days of each other. The attackers remotely controlled the vacuums, harassed pets, and yelled racist slurs through the speakers. These incidents follow an ABC News report that revealed security flaws in the Deebot X2, including a faulty PIN code system and the ability to disable the camera warning sound. Hackers could potentially access the camera and microphone without the owner's knowledge.
What the company said
Despite multiple reports of similar incidents, Ecovacs initially appeared dismissive of Daniel Swenson's complaint about his hacked robot vacuum. The company later conducted a "security investigation" and claimed that Swenson's account was likely compromised through a "credential stuffing" attack, in which login credentials stolen from one platform are tried against other websites where the user has reused them. Ecovacs maintains that there is no evidence of a breach within its systems.