Earlier this month, security researchers warned that Ecovacs vacuum cleaners and lawnmower robots had multiple security flaws that could allow hackers to spy on their owners through the devices' microphones and cameras.
At the time, Ecovax told TechCrunch that the researchers concluded the flaws they found were “highly rare in typical user environments and would require specialized hacking tools and physical access to the device.”
“Users can therefore rest assured that there is no need to be overly concerned about this,” the emailed statement said, declining to commit to fixing the vulnerabilities.
Two weeks later, Ecovacs changed its mind, telling researchers and TechCrunch that it did, in fact, plan to fix the bug.
“We conducted a thorough review and self-examination, which identified several areas for improvement,” Martin Marr, director of Ecovax's security committee, told TechCrunch in an email. “In response, we have initiated targeted improvements to address the issues identified.”
Contact Us Do you have more information about flaws in Ecovacs or other internet-connected home robots? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device on Signal (+1 917 257 1382), Telegram, Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
On August 10, security researchers Dennis Giese and Braelyn spoke about their work on Ecovacs' home robots at the annual Defcon hacking conference in Las Vegas. The pair said they analyzed 11 Ecovacs devices and found several flaws.
The most impactful vulnerability, they say, is that anyone with a smartphone could connect to an Ecovacs robot over Bluetooth from up to 450 feet away and control the device. Because the robots are connected to the internet via Wi-Fi, the flaw could allow hackers to monitor the robots from anywhere.
Other flaws, according to the researchers, included a bug that allowed users to access the robot vacuum even after they sold it and deleted their account, allowing them to spy on the vacuum's new owner.
In an email sent to Giese on August 16 and shared by TechCrunch, Ecovax's Ma said the researcher's talk at DEFCON “caught my interest.” As a result, Ma asked Ecovax's security team to retrieve the company's communications with the researcher, the email continued. Ma said the company “inadvertently overlooked” the researcher's email from December 2023.
“We have carefully considered the points raised in your previous email and during the Def Con 2024 demo, and have conducted thorough verification and self-inspection,” Ma said, adding that the company would fix the issues in two Ecovacs models – the Goat G1 and X1 – and the Ecovacs app.
“Your analysis is highly valued and appreciated by our technical team. Your insights are invaluable in protecting the security and integrity of our products and contribute greatly to the consumer electronics industry as a whole,” Ma wrote. “Ultimately, it is the average consumer who benefits most from your dedication.”