Ecovacs Promises to Rectify Flaws That Could Allow for Surveillance of Robot Users

by admin

In the early days of the month, security specialists alerted the public to multiple vulnerabilities within Ecovacs’ robot vacuum and lawn mower units, which could potentially enable attackers to eavesdrop on homeowners via the built-in microphones and cameras.

Initially, Ecovacs communicated to TechCrunch that the vulnerabilities identified by these experts “are uncommon in the environments of most users and necessitate both specialized hacking tools and direct physical interaction with the device.”

“As a result, we assure our users there is no significant reason for concern,” the company responded through an email, opting not to pledge an immediate remedy for these security lapses.

However, after a fortnight, Ecovacs revisited its stance, informing both the investigative team and TechCrunch of its decision to address and rectify the detected issues.

“Upon a thorough assessment and introspection, we recognized several aspects needing enhancements,” Martin Ma, spokesperson for Ecovacs’ security team, shared with TechCrunch. “Consequently, we have embarked on specific improvements targeting the flagged concerns,” he added.

On August 10, researchers Dennis Giese and Braelynn presented their findings on Ecovacs’ domestic robots at the annual Def Con hacking conference in Las Vegas. Their examination of 11 Ecovacs models revealed numerous security shortcomings.

They highlighted a critical flaw that allows anyone connecting via Bluetooth within a 450-foot radius (approximately 130 meters) to take unauthorized control of the robots. This vulnerability could enable attackers to remotely oversee the device’s actions over the internet through its Wi-Fi connectivity.

Additional vulnerabilities include a glitch that could permit former owners to access the robot vacuum, even after selling it and deleting their account, thereby spying on the new owners, the researchers explained.

In a communication to Giese dated August 16, which was shared with TechCrunch, Ma from Ecovacs noted that the Def Con presentation had caught his attention. He mentioned that he had prompted the Ecovacs security department to review previous correspondence from December 2023 that they had missed.

“After a detailed examination of your previously raised concerns and the demonstrations at Def Con 2024, we’ve undertaken an exhaustive review and self-assessment,” Ma communicated, stating the company’s commitment to resolving issues within two of its models — the Goat G1 and the X1 — as well as in the Ecovacs application.

“Your detailed scrutiny has been highly esteemed and valued by our technical division. Your contributions are vital in protecting the security and integrity of our product lines, thereby enhancing the consumer electronics sector at large,” Ma expressed. “Ultimately, it’s the end-users who stand to gain the most from your efforts.”

Compiled by Techarena.au.