Smart, internet-connected devices permeate our homes. Avoiding IoT devices in your home altogether takes deliberate effort, although you are not obliged to connect them to your Wi-Fi.

A few days ago, on 4 October 2024, the Australian Broadcasting Corporation (ABC, or Aunty, as we Aussies sometimes affectionately call it) broke a story on the hacking of Ecovacs’ flagship model, the Ecovacs Deebot X2.

Vulnerabilities in IoT devices are nothing new. For years I have argued that home routers need something more than just a main and a guest SSID, and that router manufacturers should lead the way by prompting users at setup to create a separate IoT network.


Deebot X2 Combo

This particular hack used Bluetooth to gain initial access; the rest was then done over the internet.

In the ABC article, the author states that Ecovacs was notified in December 2023 but did not respond until the researcher went public with his findings ten months later.

A quick Google search turned up a bit of chatter on Reddit from around May and June 2024 about X2 units seemingly being taken over. It is worth noting that some of the devices in the Reddit thread were bought second-hand, which potentially introduces a different threat vector. That said, the company response reported there left something to be desired.

Other tech sites raised the issue in August 2024, and it encompasses a whole slew of Ecovacs’ line-up, including their GOAT lawnmower.

To be fair, Ecovacs is hardly the only manufacturer with security vulnerabilities, but this one is in mainstream news now.

Companies don’t like to give out details, especially in situations like this. Hopefully Ecovacs is busy in the background doing remediation work.


The official Ecovacs statement is below.

ECOVACS respects the practice of security experts who identify potential vulnerabilities through research and proactively share their findings with companies. We believe that the interaction between security experts and companies, through offensive and defensive testing and the publication of results, contributes to the improvement of product security. ECOVACS has always prioritised product and data security, as well as the protection of consumer privacy. We assure customers that our existing products offer a high level of security in daily life, and that consumers can confidently use ECOVACS products.

We have improved the Ecovacs X2 Remote Live Video PIN bypass issue in August 2024. Only the X2 Series has this vulnerability, which will be corrected in November via an OTA firmware update. No other ECOVACS models are affected.

If any consumers or your readers remain concerned, they can also take the following steps for added peace-of-mind:

https://www.ecovacs.com/au/blog/robot-vacuum-privacy-concerns

  • Strengthen Wi-Fi Security
  • Set Strong Passwords
  • Regular Software Updates
  • Suspicious Activity Notifications
  • Factory Reset