Hacked Robot Vacuum Goes Around House Shouting Expletives
Oct 14, 2024 3:31:39 GMT -5
Post by Midnight on Oct 14, 2024 3:31:39 GMT -5
CRAZY TECH WORLD: Hacked Robot Vacuum Goes Around the House Shouting Expletives and Racial Slurs
by Paul Serran
Oct. 13, 2024 7:40 pm
In our technological world, it seems that every scientific advance to facilitate our lives comes attached to inherent dangers to our privacy and even our safety.
This also applies to house appliances that are now integrated into the so-called ‘internet of things’.
It recently arose that robot vacuum cleaners made by Ecovacs have been reported roaming around the homes of their owners, shouting expletives at them through the onboard speakers.
This happened because the company’s software was revealed to be highly vulnerable to intrusion.
Recent reports show that there were multiple episodes across the US in which owners of Ecovacs vacuums were surprised by their devices acting unusually.
Gizmodo reported:
“‘It sounded like a broken-up radio signal or something’, Daniel Swenson told the outlet. ‘You could hear snippets of maybe a voice’. He opened the vacuum’s app to find a stranger was accessing its live camera feed and remote control feature, but assumed it might be an error. After resetting the password and rebooting the robot, the vacuum quickly started moving again:
This time, there was no ambiguity about what was coming out of the speaker. A voice was yelling racist obscenities, loud and clear, right in front of Mr. Swenson’s son. ‘F*** n*****s’, screamed the voice, over and over again.”
Swenson’s curious conclusion from that situation was that ‘it could have been worse’.
The hacker let them know his vacuum was hacked instead of spying on them indefinitely, as in the 2022 case in which a Roomba took pictures of a woman in the bathroom and posted them online (see below).
A ‘smart’ home device’s most common problem is that, if the manufacturer goes under or somehow stops supporting the software to access core functionality of the device, it simply becomes useless.
“The more disturbing issue arises when smart devices can be remotely accessed and the manufacturer never considered (or cared about) the possibility that tricksters might take advantage of this to torment people in their own homes. Remote access is convenient, but every couple of years we hear about something egregious, like intruders accessing a baby monitor and whispering through it at night, or gaining access to a garage door to mess with its owner. A lot of the time the intent of these intruders is just to be punks. But you have to wonder how many times it happens and no one knows about it.”
In most cases, these companies are selling consumer hardware and don’t care much about security.
Most people just want to buy the cheapest vacuum available, which often means a company without basic security measures in place.
“Although Ecovacs accounts are password-protected, and a further four-digit PIN code is required to access the video feed, that PIN code is not validated server-side—meaning anyone with the basic know-how of a tool like Chrome web inspector could bypass it. It’s likely that Swenson was reusing credentials from other services, but the code should have been an extra factor that prevented access anyway. At a bare minimum all Ecovacs really needs to do is some basic ‘if-true’ validation on its servers before opening the video feed.”
Ecovacs says a substantial security update will be released in November.
link
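The server-side PIN validation the quoted passage calls for, as an added example that is not part of the original post and is not Ecovacs code. The class, method and field names (`VideoGate`, `open_feed`, `pin_verified`) and the lockout policy are assumptions made for illustration; the attempt limit is included because a four-digit PIN has only 10,000 possible values.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # assumed policy: failed tries allowed before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout window, counted from the first failure


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted hash rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class VideoGate:
    """Hypothetical server-side gate in front of a device's camera feed."""

    def __init__(self):
        self._pins = {}      # device_id -> (salt, pin_hash)
        self._failures = {}  # device_id -> (failed_count, time_of_first_failure)

    def set_pin(self, device_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._pins[device_id] = (salt, _hash_pin(pin, salt))

    def open_feed_vulnerable(self, device_id: str, request: dict) -> bool:
        # Flawed pattern: the app checks the PIN locally and the server
        # trusts a flag in the request, which the sender fully controls.
        return bool(request.get("pin_verified"))

    def open_feed(self, device_id: str, request: dict, now=None) -> bool:
        # Hardened pattern: the server ignores client-side flags, checks the
        # submitted PIN itself, and limits the number of guesses.
        now = time.time() if now is None else now
        count, since = self._failures.get(device_id, (0, now))
        if count >= MAX_ATTEMPTS:
            if now - since < LOCKOUT_SECONDS:
                return False          # locked out, even if the PIN is right
            count, since = 0, now     # lockout expired, start a new window
        record = self._pins.get(device_id)
        pin = request.get("pin")
        if (record is not None and isinstance(pin, str)
                and hmac.compare_digest(_hash_pin(pin, record[0]), record[1])):
            self._failures.pop(device_id, None)
            return True
        self._failures[device_id] = (count + 1, since)
        return False
```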