Hackers Take Control of Ecovacs Robot Vacuums, Harass Owners and Pets
In May 2024, a series of cyberattacks targeted Ecovacs Deebot X2 robot vacuums in several U.S. cities. Hackers exploited vulnerabilities to remotely control the devices, access their cameras and speakers, insult owners, and even chase household pets. According to ABC News Australia, one victim was Daniel Swenson, an attorney from Minnesota. Swenson recounted that while watching TV with his family, their robot vacuum began making strange noises, similar to a broken radio.
Upon checking the app, Swenson discovered that an unknown person was remotely controlling the vacuum and watching through its camera. Attempts to reset the password and reboot the device failed; soon after, the vacuum reactivated, and a human voice began shouting racist insults at Swenson and his 13-year-old son. Swenson believes the attacker was likely a teenager switching between devices to harass people for fun.
Ultimately, Swenson had to unplug the vacuum and put it away. He noted that the device had previously operated on the same floor as the master bedroom. “Our younger kids shower there,” Swenson explained. “I just thought, what if it caught my kids or even me when we weren’t dressed?” He added that the situation could have been much worse if the hackers had chosen to quietly spy on his family instead of making their presence obvious.
Similar Incidents and Security Concerns
Other attacks on Ecovacs vacuums were reported in Los Angeles and El Paso within days. In Los Angeles, a robot vacuum chased a dog while the hacker shouted insults through the speaker. In El Paso, the device was used to broadcast racist statements until the owner disconnected it. The total number of affected Ecovacs devices remains unclear.
Last year, cybersecurity researchers discovered a vulnerability in Ecovacs robot vacuums that allowed attackers to bypass the PIN code on Deebot X2 models, granting full control over the device, including camera access and remote management. Experts discussed this issue at the Chaos Communication Congress. More recently, ABC reported another bug in Ecovacs devices related to Bluetooth, but this flaw only works within about 100 meters of the vacuum and is likely unrelated to the remote attacks described above.
Ecovacs representatives assured the media that the vulnerability affecting X2 series vacuums has been fixed. An additional firmware update to “further enhance security” is scheduled for mid-November 2024. The company emphasized that “there is no evidence that usernames or passwords were obtained by unauthorized third parties as a result of a compromise of Ecovacs systems.” However, during the investigation, a large number of suspicious login attempts—about 90 times the usual rate—were detected, all originating from the same unusual device and location. The company “immediately blocked” this IP address.
User Criticism and Ongoing Issues
Despite these assurances, affected users have criticized Ecovacs for a slow response. Swenson told reporters that Ecovacs support initially did not believe his claim that someone had hacked his vacuum and was shouting insults. The company asked if he had video evidence, even though other users had already reported similar incidents. Later, support staff suggested that hackers may have accessed his device through a credential stuffing attack, where stolen credentials from one site are used to access accounts on another. Swenson was eventually informed that “the Ecovacs account and its password were obtained by an unauthorized person.” However, this alone should not have been enough to fully compromise the vacuum, which is also protected by a PIN code.
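The login-attempt spike Ecovacs described above (about 90 times the usual rate, all from one device and location) and the credential stuffing explanation in this paragraph point to the same defensive check: look for a single source that tries far more logins than any normal client and sprays many distinct accounts. The following is an added example, not Ecovacs code or data; the log fields and all events are constructed for illustration, and the thresholds are assumptions.

```python
"""Flag login sources whose attempt volume dwarfs the usual per-source rate and
that touch many distinct accounts: the shape credential stuffing leaves in logs."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of one hour of login events: (source_ip, device_id, username, success).
# Normal users: a few sources, each signing in to its own account a couple of times.
NORMAL_EVENTS = [
    ("198.51.100.10", "ios-app-a", "alice", True),
    ("198.51.100.10", "ios-app-a", "alice", False),
    ("198.51.100.23", "android-b", "bob", True),
    ("198.51.100.23", "android-b", "bob", True),
    ("203.0.113.7", "ios-app-c", "carol", False),
    ("203.0.113.7", "ios-app-c", "carol", True),
]
# One source and one device fingerprint trying 180 different accounts (stuffing pattern);
# every 20th guess "succeeds" to model reused passwords.
STUFFING_EVENTS = [
    ("192.0.2.44", "script-x", f"user{i:04d}", i % 20 == 0) for i in range(180)
]
SAMPLE_EVENTS = NORMAL_EVENTS + STUFFING_EVENTS


def detect_credential_stuffing(events, rate_ratio=90, min_accounts=25):
    """Return [(source_ip, device_id, attempts, distinct_users, successes)] for every
    source whose attempt count is at least rate_ratio times the median per-source
    count AND which tried at least min_accounts distinct usernames."""
    attempts, successes, users = Counter(), Counter(), defaultdict(set)
    for ip, device, user, ok in events:
        key = (ip, device)
        attempts[key] += 1
        users[key].add(user)
        if ok:
            successes[key] += 1
    if not attempts:
        return []
    usual = median(attempts.values())  # the "usual rate" across all sources
    flagged = [
        (ip, dev, n, len(users[(ip, dev)]), successes[(ip, dev)])
        for (ip, dev), n in attempts.items()
        if n >= rate_ratio * usual and len(users[(ip, dev)]) >= min_accounts
    ]
    return sorted(flagged, key=lambda row: -row[2])


def successful_takeovers(events, flagged):
    """Usernames that authenticated from a flagged source: the accounts whose
    passwords and device sessions need to be reset after blocking the source."""
    bad_sources = {(ip, dev) for ip, dev, *_ in flagged}
    return sorted({u for ip, dev, u, ok in events if ok and (ip, dev) in bad_sources})
```

Blocking the offending source, as the company reported doing, stops the burst; the second function lists the accounts that still need a forced password reset because a guess landed before the block.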
Notably, the researchers who originally discovered the PIN code vulnerability and presented it at CCC told ABC journalists that Ecovacs has still not completely fixed the issue.