Becoming Invisible, Part 15: Don't Let Roomba See You Hide Your Gold
Time for homes to go old-school...
Yes, your new car tracks your location and records your conversations. Your smart speaker listens to and records your conversations. Your TV watches you while you watch it. Virtually every new device we install in our increasingly high-tech homes collects data and (at least potentially) sends it to criminals, corporations, and/or governments to use however they like.
But vacuum cleaners. Really? Yep, that funny little disc that trundles around our floors, picking up dust and scaring our pets, can now spy on us. Consider this from security company Malwarebytes:
Robot vacuum cleaners hacked to spy on, insult owners
Multiple robot vacuum cleaners in the US were hacked to yell obscenities and insults through the onboard speakers.
ABC News was able to confirm reports of this hack in robot vacuum cleaners of the type Ecovacs Deebot X2, which are manufactured in China. Ecovacs is considered the leading service robotics brand, and is a market leader in robot vacuums.
One of the victims, Minnesota lawyer Daniel Swenson, said he heard sound snippets that seemed similar to a voice coming from his vacuum cleaner. Through the Ecovacs app, he then saw someone not in his household accessing the live camera feed of the vacuum, as well as the remote control feature.
Thinking it was a glitch, he rebooted the vacuum cleaner and reset the password, just to be on the safe side. But that didn’t help for long. Almost instantly, the vacuum cleaner started to move again.
Only this time, the voice coming from the vacuum cleaner was loud and clear, and it was yelling racist obscenities at Swenson and his family. The voice sounded like a teenager according to Swenson.
Swenson said he turned off the vacuum and dumped it in the garage, never to be turned on again.
While this may seem bad enough as it is, it could have been much worse. What if the hackers had decided to keep quiet and just spy on the victim’s family? In 2020 we talked about such an occurrence in our Lock & Code podcast, where a photo taken by a Roomba vacuum cleaner of a woman sitting on a toilet was shared on Facebook.
Within a few days, various similar incidents involving the Ecovacs Deebot X2 were reported in the US. And, even though Swenson had several communications with a US representative of Ecovacs, the response didn’t explain what had happened.
The Ecovacs representative claimed the victim’s credentials must have been acquired by the hacker and used in a credential stuffing attack, where the attacker uses login information obtained in breaches on other sites to log in to another one—in this case Ecovacs.
But that did not make sense, because even with a valid password the attacker shouldn’t have been able to access the video feed or to control the robot remotely. These features are supposed to be protected by a four-digit PIN.
In 2023, however, two security researchers showed a method to bypass that protection. The weakness of the PIN protection is that the app is the only place where the PIN is checked, not on the server or by the robot itself. So, if you have control of the device with the app on it and the necessary technical knowledge, you can have the device send a signal to the server which claims that you have entered the correct PIN.
And though Ecovacs claimed to have fixed this flaw, one of the hackers who disclosed the flaw said it had been fixed insufficiently.
The same Ecovacs spokesperson said the company “sent a prompt email” instructing customers to change their passwords following the incident. However, Swenson says he never received any communication about the issue with the PIN codes, even though he specifically asked if it had happened to other people.
Ecovacs told ABC News it would issue a security upgrade for owners of its X2 series in November. Until that happens you might want to do the same as Swenson and turn the vacuum off.
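The bypass the quoted article describes (the app compares the PIN and merely tells the server the verdict) is a general client-side-authorization flaw, and the same pattern shows up in plenty of IoT backends. The Python below is an added example, not Ecovacs code and not the researchers' actual method: it models a server that trusts a client-supplied "pin_ok" flag, the modified client that abuses it, and a hardened version where the server verifies the PIN itself, locks out after repeated failures, and signs commands so the robot can check authorization independently. The field names, the lockout budget, and the pairing-time shared device key are assumptions for illustration; all data is constructed.

```python
"""Added example (constructed, not Ecovacs code): a PIN checked only inside the
mobile app versus a PIN verified by the server and a command verified by the robot."""
import hashlib
import hmac
import os
import time


# ---- Flawed design: the app compares the PIN and reports its verdict ----
class VulnerableServer:
    """Cloud endpoint that believes a client-supplied 'pin_ok' flag (assumed field)."""

    def start_video(self, request):
        # The server never sees the PIN. Whoever controls the client can send
        # pin_ok=True, so a leaked password (credential stuffing) is enough.
        return "VIDEO_STREAM" if request.get("pin_ok") else "DENIED"


def legit_app(server, pin_typed, real_pin):
    """Unmodified app: checks the PIN locally, forwards only the result."""
    return server.start_video({"pin_ok": pin_typed == real_pin})


def modified_app(server):
    """Patched or replayed client: hard-codes the verdict, never asks for a PIN."""
    return server.start_video({"pin_ok": True})


# ---- Hardened design: server verifies the PIN, robot verifies the server ----
class HardenedServer:
    MAX_FAILURES = 5   # a 4-digit PIN has only 10^4 values; lockout matters more than hashing
    COMMAND_TTL = 60   # seconds a signed command stays valid (assumed)

    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.failures = 0
        # Per-device key shared with the robot at pairing time (assumed mechanism).
        self.device_key = os.urandom(32)

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20_000)

    def start_video(self, request):
        """Return a server-signed command if the PIN is right, else None."""
        if self.failures >= self.MAX_FAILURES:
            return None                                   # locked out
        supplied = request.get("pin", "")                 # client claims are ignored
        if not hmac.compare_digest(self._hash(supplied), self.pin_hash):
            self.failures += 1
            return None
        self.failures = 0
        ts = str(int(time.time()))
        sig = hmac.new(self.device_key, f"start_video|{ts}".encode(), "sha256").hexdigest()
        return {"cmd": "start_video", "ts": ts, "sig": sig}


class Robot:
    """The vacuum: acts only on commands carrying a valid, fresh server signature."""

    def __init__(self, device_key):
        self.device_key = device_key

    def execute(self, command):
        msg = f"{command.get('cmd')}|{command.get('ts')}".encode()
        expected = hmac.new(self.device_key, msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, command.get("sig", "")):
            return "REJECTED"                             # forged or tampered
        if abs(time.time() - int(command["ts"])) > HardenedServer.COMMAND_TTL:
            return "REJECTED"                             # replayed old command
        return "STREAMING"


def demo_vulnerable():
    server = VulnerableServer()
    # wrong PIN through the real app is denied; a modified app streams anyway
    return legit_app(server, "0000", "1234"), modified_app(server)


def demo_hardened():
    server = HardenedServer("1234")
    robot = Robot(server.device_key)
    bypass = server.start_video({"pin_ok": True})        # no PIN supplied at all
    wrong = server.start_video({"pin": "0000"})
    good = server.start_video({"pin": "1234"})
    forged = {"cmd": "start_video", "ts": str(int(time.time())), "sig": "00"}
    return bypass, wrong, robot.execute(good), robot.execute(forged)


def demo_lockout():
    server = HardenedServer("1234")
    for _ in range(HardenedServer.MAX_FAILURES):
        server.start_video({"pin": "9999"})
    # even the correct PIN is refused once the attempt budget is spent
    return server.start_video({"pin": "1234"}) is None


if __name__ == "__main__":
    print(demo_vulnerable())   # ('DENIED', 'VIDEO_STREAM')
    print(demo_hardened())     # (None, None, 'STREAMING', 'REJECTED')
    print(demo_lockout())      # True
```

The point of the hardened half is that there are two trust boundaries, not one: the server must do the PIN comparison itself (with a failure budget, since a four-digit PIN falls to brute force in seconds otherwise), and the robot must refuse anything the server did not sign, so compromising the app or replaying old traffic buys nothing. The article's note that the flaw was "fixed insufficiently" is what you get when only the first of those two checks is added.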
Once We Know It’s Possible…
The above stories involve hacks by private individuals who were mostly just messing around. But if those (apparent) teenagers can do it, so can professional thieves and governments. And the fact that the vacuums are made in China raises the further worry that they could ship with built-in backdoors to be accessed at will.
If such devices can take and upload pictures, they’re capable of recording us entering a gun-safe combination, depositing gold and silver coins in what we think are ingenious hiding places, or organizing an anti-war protest.
The takeaway? Those old “Jetsons” cartoons that seemed so cool actually portrayed a dystopia in which Big Brother was watching 24/7.
The solution? As with so many other things, it’s time for homes to go old-school, with non-networked, single-function appliances that do their thing without spying.
Way ahead of you. I was never anything but old school. I never fell for or was sucked in by any of that crap from the very start.
We live in an old bungalow. We drive cars from before 1990. We don't use "smart"phones. We do have a TV, but it doesn't see much. Our appliances are analog. I suppose the state keeps track of my emails and articles, but I'll take that risk at my age.
I do as much as I can with cash and an analog/mail way of doing business.
I don't answer questions, or surveys, or interact with the state at all except to pay the extortion taxes.