Hackers took over robovacs to chase pets and yell slurs

Someone gained access to Ecovacs Deebot X2 Omni robotic vacuums across several US cities earlier this year and used them to chase pets and yell racist slurs at their owners, reported ABC News in Australia this week.

The outlet spoke with multiple Deebot X2 owners who say their Deebot X2s had been hacked in May, including Minnesota lawyer Daniel Swenson, who said he was watching TV with his family when a noise “like a broken-up radio signal or something” started coming from the robot’s speaker. He said after he reset his password and rebooted the robot, it began again, only this time the sound was clearly a voice — he guessed a teenager’s — yelling slurs.

ABC News lists other, similar accounts from owners in El Paso and Los Angeles, the latter of which involved someone using a Deebot to antagonize a dog, yelling at and chasing it.

Ecovacs told the outlet in a statement that it had “identified a credential stuffing event” and blocked the IP address it originated from. The company said it “found no evidence” that usernames and passwords were collected by the attacker.

Researchers demonstrated a flaw last year that let them bypass the Deebot X2’s PIN entry to gain access to the vacuum. Ecovacs says in its statement that it has resolved that, and that it also plans to “further enhance security” with an update in November. It’s not clear whether that would correct a Bluetooth vulnerability that ABC News exploited for a report earlier this month.

Cloud-connected smart home devices have led to stories like this for years. Sometimes it’s the result of hacks, others simply compromised credentials. Sometimes, it’s bad software showing you another owner’s camera feed, as a little treat. Issues like these can feel inevitable when so many smart home devices require a persistent internet connection to function, especially for those companies that don’t offer easy ways to report security vulnerabilities.