News | International
11 Oct 2024 12:35
NZCity News

    Hackers take control of robot vacuums in multiple cities, yell racial slurs

    Ecovacs robot vacuums in multiple US cities were hacked in the space of a few days, with the attacker physically controlling them and yelling obscenities through their onboard speakers.


    The affected robots were all Chinese-made Ecovacs Deebot X2s — the exact model that the ABC was able to hack into as proof of a critical security flaw.

    Minnesota lawyer Daniel Swenson was watching TV when his robot started to malfunction.

    "It sounded like a broken-up radio signal or something," he told the ABC. "You could hear snippets of maybe a voice."

    Through the Ecovacs app, he saw that a stranger was accessing its live camera feed and remote control feature.

    Dismissing it as some kind of glitch, Mr Swenson reset his password, rebooted the robot and sat back down on the couch beside his wife and 13-year-old son.

    Almost straight away, it started to move again.

    This time, there was no ambiguity about what was coming out of the speaker. A voice was yelling racist obscenities, loud and clear, right in front of Mr Swenson's son.

    "F*** n******s," screamed the voice, over and over again.

    "I got the impression it was a kid, maybe a teenager [speaking]," said Swenson. "Maybe they were just jumping from device to device messing with families."

    The second time around, he turned it off.

    It could have been worse

    Mr Swenson kept his robot vacuum on the same floor as the family's master bathroom.

    "Our youngest kids take showers in there," he said. "I just thought of it catching my kids or even me, you know, not dressed."

    Despite the slurs, Mr Swenson was glad that the hackers had announced their presence so loudly.

    It would have been much worse, he said, if they had decided to quietly observe his family inside their home.

    They could've peered through his robot's camera, and listened through the microphone, without him having the slightest clue.

    "It was shock," he said. "And then it was like almost fear, disgust."

    While his son didn't quite grasp the "creepiness" of the encounter, Mr Swenson was taking no chances.

    He took the device to the garage, and never switched it on again.

    Robots hacked in multiple cities

    Multiple people, all based in the US, have reported similar hacking incidents within days of each other.

    On May 24, the same day that Mr Swenson's device was hacked, a Deebot X2 went rogue, and chased its owner's dog around their Los Angeles home.

    The robot was being steered from afar, with abusive comments coming through the speakers.

    Five days later, another device was infiltrated.

    Late at night, an Ecovacs robot in El Paso started spewing racial slurs at its owner until he unplugged it.

    It is unclear how many of the company's devices were hacked in total.

    Six months earlier, security researchers had attempted to notify Ecovacs of significant security flaws in its robot vacuums and the app that controls them.

    The most severe was a flaw in the Bluetooth connector, which allowed complete access to the Ecovacs X2 from over 100 metres away.

    Given the distributed nature of the attacks, this vulnerability is unlikely to have been exploited in this case.

    The PIN code system protecting the robot's video feed — and remote control feature — was also known to be faulty, and the warning sound that is meant to play when the camera is being watched was able to be disabled from afar.

    These security issues could explain how attackers took control of multiple robots in separate locations, and how they could've silently surveilled their victims once they'd gotten in.

    Know something about Ecovacs' security problems? Drop me a line at secure@jtfell.com. (PGP Key is available on ).

    Ecovacs confirms cyber attack on device

    In the days following the incidents with his Ecovacs robot vacuum, Daniel Swenson made a complaint to the company.

    After some back and forwards with support staff, he received a call from a senior Ecovacs employee based in the US.

    "He must've said three or four times that I should have a video of what happened.

    "Each time I told him: 'yeah, that would be great, but I was more focused on the fact that a hacked robot was in the middle of my living room watching us and possibly recording us'."

    The employee seemed to disbelieve what he was saying, Mr Swenson says, despite multiple other owners having reported similar attacks around the same time.

    "Was this an effort to discourage me from pursuing my complaints?" he asks.

    Following this call, he was informed that a "security investigation" had been conducted.

    "Your Ecovacs account and its password have been acquired by an unauthorised person," a company representative told him via email.

    They also said the company's technical team had identified the culprit's IP address, and disabled it to prevent further access.

    In a later email, they told him there was "a high possibility that your Ecovacs account was affected by a 'credential stuffing' cyberattack."

    This occurs when someone re-uses the same username and password on multiple websites, the combination is stolen in a separate cyber attack, and the stolen combination is then tried on other services.

    The company told the ABC it "found no evidence" that the accounts were hacked through "any breach of Ecovacs' systems".

    Known security flaw could be to blame

    Even if Mr Swenson had used the same username and password on other sites, and if those credentials had been leaked online, that still should not have been enough to access the video feed or to control the robot remotely.

    These features are supposed to be protected by a four-digit PIN.

    However, at a hacking conference back in December 2023, a pair of cybersecurity researchers had revealed that it could be bypassed.

    Dennis Giese and Braelynn Luedtke said on stage that it was based on an "honour system".

    The PIN code was only checked by the app, rather than by the server or robot, which means that anyone with the technical know-how could bypass the check completely.
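
    An added illustration of that design difference, not code from the article, the researchers or Ecovacs: a hypothetical `CameraGate` class contrasts a robot that trusts the app's claim that the PIN was checked with one that verifies the PIN itself and caps guesses. The class, the request fields (`pin_verified`, `pin`) and the sample PIN are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # a 4-digit PIN has only 10,000 values, so guesses must be capped


class CameraGate:
    """Hypothetical robot-side gate for the live video / remote-control session."""

    def __init__(self, pin: str):
        # Keep only a salted hash of the PIN, never the PIN itself.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self._failures = 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def open_honour_system(self, request: dict) -> bool:
        # Weak pattern described in the article: the app checks the PIN and the
        # robot simply believes the client's claim that the check passed.
        return bool(request.get("pin_verified"))

    def open_enforced(self, request: dict) -> bool:
        # Hardened pattern: the robot checks the PIN itself, ignores any
        # client-asserted flag, and locks out after repeated failures.
        if self._failures >= MAX_ATTEMPTS:
            return False  # locked until the owner resets it out of band
        supplied = self._hash(str(request.get("pin", "")))
        if hmac.compare_digest(supplied, self._pin_hash):
            self._failures = 0
            return True
        self._failures += 1
        return False


def demo() -> dict:
    gate = CameraGate(pin="4821")  # constructed sample PIN
    forged = {"pin_verified": True}  # client claims success without sending a PIN
    results = {
        "honour_forged": gate.open_honour_system(forged),
        "enforced_forged": gate.open_enforced(forged),
        "enforced_correct": gate.open_enforced({"pin": "4821"}),
    }
    # Five wrong guesses trip the lockout, so even the right PIN is then refused.
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        gate.open_enforced({"pin": guess})
    results["after_lockout"] = gate.open_enforced({"pin": "4821"})
    return results
```

    The same enforcement could live on the vendor's server instead of the robot; the point is that it sits on a component the person making the request does not control.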

    They had warned Ecovacs about the problem ahead of going public with the exploit.

    An Ecovacs spokesperson said this flaw has now been fixed; however, Mr Giese told the ABC that the company's fix was insufficient to plug the security hole.

    The spokesperson also said the company "sent a prompt email" instructing customers to change their passwords following the incident.

    Ecovacs said it would issue a security upgrade for owners of its X2 series in November.

    Mr Swenson said that he was not informed of the PIN code issue in any of his communications with Ecovacs.

    "I asked them if this was a known thing," he said. "If it had happened to other people."

    "They just act shocked – like it hadn't happened."

    Read the full statement from Ecovacs (PDF download).


    ABC




    © 2024 ABC Australian Broadcasting Corporation. All rights reserved
