Users of Ecovacs Deebot X2 robotic vacuum cleaners from several US cities reported that their devices were hacked. Hackers were able to control the devices, and through the speakers of the vacuum cleaners they broadcast racist insults, leaving owners shocked. These incidents exposed serious security vulnerabilities in modern smart devices and threatened user privacy.
Daniel Swenson, a lawyer from Minnesota, encountered problems with his robot vacuum cleaner when the device began making strange sounds resembling an intermittent radio signal. Looking at the Ecovacs mobile application, he saw that an unknown person had access to the robot’s camera and remote control functions. At first, Swenson thought it was just a technical glitch and changed the password by rebooting the device. However, the vacuum cleaner soon started moving again, and loud racist insults were heard from its speakers.
On May 24, a similar incident was recorded in Los Angeles. A hacked Ecovacs Deebot X2 robot vacuum cleaner began chasing its owners’ dog while hackers controlled the device from a distance and shouted insults through its speakers. Five days later, in El Paso, another Ecovacs robot vacuum cleaner was hacked and racist slurs were again heard from its speakers. The owner was forced to unplug the device to stop what was happening. The events that unfolded over the course of several days have caused alarm among users and cybersecurity experts.
Six months earlier, cybersecurity researchers warned Ecovacs about critical vulnerabilities in their devices. In particular, they discovered a problem with the wireless connection that allowed attackers to control vacuum cleaners from a distance of up to 100 meters. Despite these warnings, the company did not take the necessary measures, which led to massive hacks in May of this year.
Following the incident, Daniel Swenson contacted Ecovacs support, but his request was met with disbelief. A company representative asked several times whether there was video footage of the incident, although Swenson insisted that he was more concerned about the hack itself and the violation of his privacy. This attitude made him wonder if the company was trying to hide the true extent of the problem.
In December 2023, security researchers Dennis Giese and Braelynn Luedtke publicly presented evidence of a PIN code vulnerability in Ecovacs robots. They emphasized that PIN code verification was performed only at the application level, and not on the server or the device, which made it easy for attackers to bypass the protection of the smart vacuum cleaner. The company said that the vulnerability had been fixed, but experts believe that the measures taken were not enough.
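
The difference between app-level and device-level PIN enforcement described above, as an added sketch (not Ecovacs code and not the researchers' material). All names, the attempt limit, the lockout time and the session lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def start_video_unchecked(request):
    # Weak pattern (hypothetical): the PIN prompt exists only in the app,
    # so the device serves any well-formed request it receives.
    return request.get("cmd") == "start_video"

class DeviceCameraGate:
    """Hypothetical device-side gate: video needs a token the device issued."""
    MAX_ATTEMPTS = 5        # assumed limit before lockout
    LOCKOUT_SECONDS = 300   # assumed lockout duration
    SESSION_TTL = 60        # assumed token lifetime in seconds

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._failures = 0
        self._locked_until = 0.0
        self._sessions = {}  # token -> expiry timestamp

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_pin(self, pin, now=None):
        """Return a short-lived token on success, None on failure or lockout."""
        now = time.time() if now is None else now
        if now < self._locked_until:
            return None
        # Constant-time comparison; a short PIN still depends on the lockout.
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._failures = 0
            token = os.urandom(16).hex()
            self._sessions[token] = now + self.SESSION_TTL
            return token
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self._locked_until = now + self.LOCKOUT_SECONDS
            self._failures = 0
        return None

    def start_video(self, token, now=None):
        """Serve video only for an unexpired token issued by verify_pin."""
        now = time.time() if now is None else now
        expiry = self._sessions.get(token or "")
        return expiry is not None and now < expiry
```
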