Earlier this year, hackers compromised Ecovacs Deebot X2 Omni robot vacuums in several cities in the United States, using them to chase pets and to shout racist abuse at their owners, ABC News reported.
According to foreign media reports, Ecovacs robot vacuums and robot lawn mowers carry security flaws that could let an attacker remotely take control of a device and spy on its surroundings through the built-in camera and microphone.
As domestic brands expand overseas, how to eliminate this kind of security and privacy problem is becoming a new issue worth watching.
▍ Security vulnerabilities?
Security researchers Dennis Giese and Braelynn previously presented their research on Ecovacs robots at the Def Con hacker conference. To establish how widespread the vulnerabilities were, they tested a range of Ecovacs' best-selling products, including the Deebot N8/T8, Deebot N9/T9, Deebot N10/T10, Deebot X1, Deebot T20, Deebot X2, Goat G1, Spybot Airbot Z1, Airbot AVA and Airbot ANDY series, and found multiple security issues that they said could be abused.
Def Con is one of the largest and most influential computer-security conferences in the world and is known as the "Oscars of hackers". Its attendees include not only top security researchers from around the world but also officials from government security and investigative agencies.
The researchers say the main risk is a vulnerability that lets anyone with a mobile phone connect to and control an Ecovacs robot over Bluetooth from up to 450 feet (about 137 meters) away. Once attackers control the device, they can monitor it remotely, because the robot stays connected to the internet over Wi-Fi.
Multiple Deebot X2 users said their devices were hacked in May. Among them, Minnesota lawyer Daniel Swenson recalled that while watching TV with his family he suddenly heard a noise like a "broken radio signal" coming from the robot. After he reset the password and restarted the robot, the sound came back, and this time it was clearly a person shouting and swearing.
ABC News also reported similar incidents in El Paso and Los Angeles, where hackers used Deebot robots to harass pet dogs, yelling at them and chasing them.
Giese said that the lawn mowers have Bluetooth enabled at all times, while the robot vacuums enable it for 20 minutes after start-up and once a day when they automatically restart, which makes the vacuums somewhat harder to attack. But since most Ecovacs robots carry at least one camera and one microphone, they can be turned into spying tools once an attacker controls them.
The researchers noted that the robots have no hardware indicator, or any other indicator, to warn people nearby that the camera and microphone are on. On some models an audio file is in theory played every five minutes to signal that the camera is active, but an attacker can simply delete the file to stay hidden.
Beyond the risk of hijacking, Giese and Braelynn said they found further privacy problems with Ecovacs devices. Even after a user deletes their account, the data stored on the robot remains on Ecovacs' cloud servers, and the authentication token also remains valid in the cloud. Someone holding that token could therefore still access the robot after the account is gone, which could let them spy on a second-hand buyer of the device.
In addition, the researchers demonstrated a vulnerability last year that could bypass the Deebot X2's PIN-code entry to gain access to the robot. The lawn mower has an anti-theft mechanism that demands a PIN if someone lifts the robot, but the PIN is stored in plain text on the mower and is not verified on the server side, meaning anyone with basic knowledge of a tool such as the Chrome web inspector can bypass it. The researchers say that once one Ecovacs robot is compromised, other Ecovacs robots within range can also be attacked.
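The account-deletion problem above is, at bottom, a token-lifecycle question on the cloud side. The following is an added illustration (not Ecovacs' code) of the difference between a backend that only removes the account record and one that revokes tokens and wipes device data on both deletion and resale. The in-memory stores, the method names and the token format are assumptions made for the example.

```python
"""Cloud token lifecycle: what happens to device tokens when an account is
deleted or a robot changes hands.

Added example for illustration; it is not Ecovacs' code. The in-memory stores,
the method names and the token format are assumptions.
"""
import secrets


class NaiveBackend:
    """Models the reported flaw: deleting the account leaves tokens, the
    device binding and the stored data in place."""

    def __init__(self) -> None:
        self.accounts: set[str] = set()
        self.device_owner: dict[str, str] = {}            # device_id -> account_id
        self.tokens: dict[str, tuple[str, str]] = {}      # token -> (account_id, device_id)
        self.device_data: dict[str, list[str]] = {}       # device_id -> stored maps/recordings

    def create_account(self, account_id: str) -> None:
        self.accounts.add(account_id)

    def bind_device(self, account_id: str, device_id: str) -> None:
        self.device_owner[device_id] = account_id
        self.device_data.setdefault(device_id, [])

    def issue_token(self, account_id: str, device_id: str) -> str:
        if self.device_owner.get(device_id) != account_id:
            raise PermissionError("caller does not own this device")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (account_id, device_id)
        return token

    def can_access(self, token: str, device_id: str) -> bool:
        entry = self.tokens.get(token)
        # Flaw: only checks that the token exists and names the device.
        return entry is not None and entry[1] == device_id

    def delete_account(self, account_id: str) -> None:
        # Flaw: the account record goes, everything tied to it stays.
        self.accounts.discard(account_id)


class HardenedBackend(NaiveBackend):
    """Tokens are only honoured for a live account that still owns the device,
    and both account deletion and resale revoke tokens and wipe device data."""

    def can_access(self, token: str, device_id: str) -> bool:
        entry = self.tokens.get(token)
        if entry is None:
            return False
        account_id, token_device = entry
        return (token_device == device_id
                and account_id in self.accounts
                and self.device_owner.get(device_id) == account_id)

    def unbind_device(self, device_id: str) -> None:
        """Shared by account deletion and ownership transfer."""
        for token in [t for t, (_, d) in self.tokens.items() if d == device_id]:
            del self.tokens[token]
        self.device_owner.pop(device_id, None)
        self.device_data.pop(device_id, None)   # previous owner's maps/recordings

    def delete_account(self, account_id: str) -> None:
        for device_id in [d for d, a in self.device_owner.items() if a == account_id]:
            self.unbind_device(device_id)
        for token in [t for t, (a, _) in self.tokens.items() if a == account_id]:
            del self.tokens[token]               # any remaining session tokens
        self.accounts.discard(account_id)

    def transfer_ownership(self, device_id: str, new_account_id: str) -> None:
        """Resale path: the second-hand buyer starts from a clean binding."""
        self.unbind_device(device_id)
        self.bind_device(new_account_id, device_id)


if __name__ == "__main__":
    naive, hard = NaiveBackend(), HardenedBackend()
    for backend in (naive, hard):
        backend.create_account("seller")
        backend.bind_device("seller", "robot-1")
        token = backend.issue_token("seller", "robot-1")
        backend.delete_account("seller")
        print(type(backend).__name__, "token still works after deletion:",
              backend.can_access(token, "robot-1"))
```

The important design choice is that `can_access` in the hardened version re-checks the account and the ownership binding on every request rather than trusting the token as a bearer credential on its own, so a token that leaks or outlives its account is useless even if a revocation step is ever missed.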
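The PIN problem described above is a trust-boundary mistake: the comparison happens in the client, which the attacker controls, and the device accepts the result. The following is an added illustration (not Ecovacs' code) of that bypassable design beside a device-side check; the mower/app split, the class names and the lockout policy are assumptions made for the example.

```python
"""Anti-theft PIN: client-side check (bypassable) beside a device-side check.

Added example for illustration; it is not Ecovacs' code. The mower/app split,
the class names and the lockout policy are assumptions.
"""
import hashlib
import hmac
import os


class VulnerableMower:
    """Models the reported design: the PIN sits on the mower in plain text and
    the app compares it locally, so the mower trusts any unlock command."""

    def __init__(self, pin: str) -> None:
        self.pin = pin           # plain text: readable from a flash dump
        self.locked = True

    def get_pin(self) -> str:
        return self.pin          # handed to the app so it can compare locally

    def set_locked(self, state: bool) -> None:
        self.locked = state      # no authentication on the command itself


def app_unlock(mower: VulnerableMower, entered: str) -> bool:
    """The comparison runs in the client, where the attacker controls the code."""
    if entered == mower.get_pin():
        mower.set_locked(False)
    return not mower.locked


def attacker_bypass(mower: VulnerableMower) -> bool:
    """Skip the comparison entirely (a debugger or web inspector makes this easy)."""
    mower.set_locked(False)
    return not mower.locked


class HardenedMower:
    """The mower verifies the PIN itself, stores only a salted hash, and offers
    no unauthenticated path to the lock state."""

    MAX_ATTEMPTS = 5

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self._failed = 0
        self._locked = True

    def _hash(self, pin: str) -> bytes:
        # Slow hash so a dumped hash costs something to brute-force. A short
        # numeric PIN is still weak offline, so the attempt limit below (and
        # tamper resistance of the storage) carries most of the protection.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self._locked

    def unlock(self, entered: str) -> bool:
        """The only way to unlock. Wrong guesses are counted; after
        MAX_ATTEMPTS even the right PIN is refused (a real device would then
        require an owner-side reset)."""
        if self._failed >= self.MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(self._hash(entered), self._pin_hash):
            self._failed = 0
            self._locked = False
            return True
        self._failed += 1
        return False


if __name__ == "__main__":
    v = VulnerableMower("1234")
    print("vulnerable, attacker without PIN:", attacker_bypass(v))
    h = HardenedMower("1234")
    print("hardened, wrong PIN:", h.unlock("0000"), "right PIN:", h.unlock("1234"))
```

Note that `VulnerableMower` exposes both `get_pin` and `set_locked` to whatever talks to it; `HardenedMower` exposes neither, so there is nothing for a modified client to call around the check. Moving the verification to a server would work the same way, provided the device only accepts a signed unlock decision from that server rather than from the app.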
▍Respond and solve
After the issue was made public, Ecovacs responded on August 13, saying that the attacks described require many special preconditions, work only against a single device, and are not replicable.
Ecovacs said it is actively improving its product security measures. "The methods we use include various kinds of certificate validation, security policies, and countermeasures against hijacking, as well as against remote code execution vulnerabilities, Windows and Android vulnerabilities and so on, all of which are monitored and updated in real time. The purpose is mainly twofold: first, the channels that criminals can use to intrude are becoming fewer and fewer; second, making the algorithm and the update mechanism less predictable reduces the probability that a criminal's guesses succeed and makes the device harder to crack," the person concerned explained.
Ecovacs also said that the research interaction described by the two hackers, which is a technical exercise, is a different scenario from consumers' everyday use. "Hackers breaking security at a security conference is usually a normal way for companies to interact with hackers and security organizations, and it is very common overseas. But it should not be carried over into everyday consumer scenarios. Hackers use technical offensive and defensive cracking methods, which are not normal methods in daily life. Therefore the probability of an attack in daily life is very low, and even if one occurs, the degree of intrusion into user privacy is not large, so users do not need to worry."
At the same time, Ecovacs said that since last year it has been hardening the attack paths and techniques described by the two researchers and has been improving product security measures to make it harder for attackers to find patterns, so as to reduce risk. Ecovacs also said in a recent statement that it had "identified a credential stuffing event" and blocked the IP address the attack came from, but that it found no evidence of hackers harvesting usernames and passwords.
In its latest statement, Ecovacs said it had addressed the vulnerabilities and plans to release an update in November to "further strengthen security". At the same time, a number of older products named in last year's research, such as the Ecovacs Deebot 900 series, Ecovacs Deebot N8/T8 and Ecovacs Airbot ANDY, have been taken off sale.
▍ Conclusion and the future
At present, Ecovacs serves more than 50 million households, which makes its exposure correspondingly broad. Even before this, some users on social platforms had voiced concerns about the privacy of robot vacuums such as iRobot's and Ecovacs'. As Ecovacs put it, the product problems raised by the researchers may not be vulnerabilities so much as problems faced by the whole industry.
Technologists point out that whether a product connects over Bluetooth or Wi-Fi, it runs its own code logic, and wherever there is such logic there can be vulnerabilities. If a smart home device has a microphone, camera or similar function, users should try to place it away from private areas. It is also important to manage accounts properly, not to set passwords carelessly, and to take necessary precautions such as disconnecting IoT devices from the internet when they are not needed, to reduce the risk of remote attack. Users should also run regular security checks on the smart devices in their homes and make sure firmware and software are updated to the latest version, so as to reduce the exploitable vulnerabilities.
The popularity of the smart home has made the era of the Internet of Everything concrete, breaking down the last barrier between technology and daily life. Product security and data protection are therefore the bottom line for people who entrust these devices with their privacy, especially at home, the most private of spaces. Experts from the Australian Information Security Association (AISA) point out that robot vacuums do not only collect dust: they also collect data about their surroundings and send it back to an external server. For robot vacuums with cameras in particular, the risk of privacy leakage cannot be ignored.
There have already been cases of smart home devices leaking the user data they collect. In 2020, a contractor in Venezuela labelling images collected by iRobot Roomba J7 robots posted images of a female user on the toilet at home. A similar incident occurred in Korea, where hackers broke into home webcams and related smart devices and stole private photos and videos from more than 700 households.
As these products go global, the data collection of camera-equipped smart devices must balance intelligence with privacy and security. Mainland China's existing Data Security Law and Personal Information Protection Law both contain provisions and requirements on data security and personal information protection. For example, the law clearly requires prior notice and the user's informed consent before personal data is collected, and grants users certain deletion rights, but putting this into practice may still have a long way to go.