Don’t Let This Happen to Your Smart Home!
October 15, 2024
In May of this year, robot vacuums in multiple US cities were hacked over the course of a few days. The attacker physically controlled them, yelling obscenities through their onboard speakers. The affected robots were all Chinese-made Ecovacs Deebot X2s.
One victim was watching TV when his robot started to malfunction. Through the Ecovacs app, he saw that a stranger was accessing its live camera feed and remote control feature. Dismissing it as some kind of glitch, he reset his password and rebooted the robot. The vacuum started to move again and a voice began yelling racist obscenities, over and over again — so he turned it off.
It could have been much worse: the hackers could have quietly observed the family inside their home. They could’ve peered through the robot’s camera, and listened through the microphone, without the family having the slightest clue. It was so shocking they took the vacuum to the garage, and never switched it on again.
Multiple people, all based in the US, have reported similar hacking incidents within days of each other. On the same day, a Deebot X2 went rogue, and chased its owner’s dog around their Los Angeles home. The robot was being controlled remotely, with abusive comments coming through the speakers. Five days later, another device was infiltrated. Late at night, an Ecovacs robot in El Paso started spewing racial slurs at its owner until he unplugged it. It is unclear how many of the company’s devices were hacked in total.
Six months earlier, security researchers attempted to notify Ecovacs of significant security flaws in its robot vacuums and the app that controls them. The most severe was a flaw in the Bluetooth connector, which allowed complete access to the Ecovacs X2 from over 100 meters away. Given the distributed nature of the attacks, this vulnerability is unlikely to have been exploited in this case.
The PIN code system protecting the robot’s video feed — and remote control feature — was also known to be faulty, and the warning sound that is meant to play when the camera is being watched could be disabled. These security issues could explain how attackers took control of multiple robots in separate locations, and how they could’ve silently surveilled their victims once they’d gotten in.
In the days following the incidents with his Ecovacs robot vacuum, a “security investigation” was conducted by the company. They discovered that Ecovacs accounts had been accessed by an unauthorized person. The company’s technical team identified the culprit’s IP address, and disabled it to prevent further access. They suspected that the victims’ Ecovacs accounts were affected by a ‘credential stuffing’ cyberattack. This is when someone re-uses the same username and password on multiple websites, the combination is stolen in a separate cyberattack, and an attacker then tries it on other services. The company found no evidence that the accounts were hacked through any breach of Ecovacs’ systems.
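One way a service can spot this pattern in its own login logs, as an added example (not Ecovacs code and not part of the original post): a single source address trying many different accounts. The log format, sample lines and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login log (not real data): time, source IP, account, result.
SAMPLE_LOG = """\
2024-01-01T20:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-01T20:00:02Z 203.0.113.7 bob@example.com OK
2024-01-01T20:00:03Z 203.0.113.7 carol@example.com FAIL
2024-01-01T20:00:04Z 203.0.113.7 dave@example.com OK
2024-01-01T20:00:05Z 198.51.100.20 erin@example.com FAIL
2024-01-01T20:00:09Z 198.51.100.20 erin@example.com OK
2024-01-01T20:01:00Z 192.0.2.44 frank@example.com OK
"""


def flag_stuffing_sources(log_text, min_accounts=3):
    """Return details for source IPs that tried at least `min_accounts`
    distinct accounts. An owner retrying their own password (one account,
    several attempts) does not match; one source walking a list does."""
    attempted = defaultdict(set)
    succeeded = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, ip, account, result = parts
        attempted[ip].add(account)
        if result == "OK":
            succeeded[ip].add(account)
    # Accounts with a successful login from a flagged source need a forced
    # password reset, not just a block on the source address.
    return {
        ip: {"attempted": len(accts), "compromised": sorted(succeeded[ip])}
        for ip, accts in attempted.items()
        if len(accts) >= min_accounts
    }


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```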
Even if the victims had used the same username and password on other sites, and if those credentials had been leaked online, that still should not have been enough to access the video feed or to control the robot remotely. These features are supposed to be protected by a four-digit PIN.
However, cybersecurity researchers have revealed that it could be bypassed. The PIN code was only checked by the app, rather than by the server or robot, which means that anyone with the technical know-how could bypass the check completely.
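The difference between a PIN checked only in the app and a PIN checked by the server, as an added example (not Ecovacs code and not part of the original post). The `Device` class, the function names and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # a four-digit PIN has only 10,000 values, so guesses must be capped


class Device:
    """Hypothetical server-side record for one robot (illustrative names)."""

    def __init__(self, owner, pin):
        self.owner = owner
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.failed = 0  # consecutive wrong PIN attempts

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def pin_ok(self, pin):
        # Constant-time comparison of the derived values.
        return hmac.compare_digest(self._hash(pin), self.pin_hash)


def open_feed_app_checked(device, account, pin=None):
    """Design described above: the server only checks the account login and
    relies on the app to have asked for the PIN. `pin` is never examined, so
    a stolen password alone is enough."""
    return account == device.owner


def open_feed_server_checked(device, account, pin=None):
    """Corrected design: the server itself verifies the PIN on every request
    and locks the feature after repeated wrong guesses."""
    if account != device.owner or device.failed >= MAX_ATTEMPTS:
        return False
    if pin is None or not device.pin_ok(pin):
        device.failed += 1
        return False
    device.failed = 0
    return True
```

With the second function, a request that skips the app and carries no PIN is refused, and a locked device stays locked even when the correct PIN is finally supplied.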
An Ecovacs spokesperson has said this flaw has now been fixed; however, it’s suspected that the company’s fix was insufficient to plug the security hole. The spokesperson also said the company “sent a prompt email” instructing customers to change their passwords following the incident.
Ecovacs said it would issue a security upgrade for owners of its X2 series next month (November 2024).
It’s a pretty horrifying story, and one we seem to hear more of these days. Fortunately, this example, though shocking, didn’t end tragically with financial loss or risk to human life. But there are lessons to be learned here — everything from researching the technology you adopt in your smart home to securing said technology.
Security is crucial for a smart home because it ensures the safety, privacy, and reliability of the interconnected devices and systems that control various aspects of daily life. There are several key reasons why security is important for your smart home:
Protection of Personal Data
Smart home devices, like cameras, voice assistants, and smart thermostats, collect vast amounts of personal data. This includes video footage, voice recordings, and details about your daily routines. If your smart home security is compromised, hackers can gain access to this sensitive data, leading to identity theft, privacy breaches, or financial fraud.
Preventing Unauthorized Access
Smart locks, security cameras, and alarm systems are often part of a smart home ecosystem. Without proper security, cybercriminals could hack into these systems, potentially unlocking doors, disarming alarms, or disabling cameras. This could allow intruders to enter your home without you even realizing it.
Safeguarding Your Network
Smart home devices are connected to your home WiFi network. If an attacker gains control over a poorly secured device, they could use it as a gateway to access other devices on your network, including personal computers, smartphones, or even work devices, which may contain confidential information.
Preventing System Hijacking
In extreme cases, attackers may take over smart home systems, such as thermostats, lighting, or even baby monitors, leading to inconvenience, discomfort, or worse, malicious activities. The Ecovacs Deebot X2 story above is a prime example of this.
Avoiding Financial Losses
Smart home devices may be linked to payment methods for services like automated reordering of supplies, or voice-activated purchases. If your system is breached, hackers could make unauthorized purchases, leading to financial losses.
Ensuring Reliability and Functionality
A secure smart home operates reliably. If security isn’t maintained, malware or other attacks could cause devices to malfunction, leaving your home systems vulnerable to failure. For example, a compromised security camera might not record during a break-in, or a smart thermostat could fail to regulate the temperature during extreme weather conditions.
Mitigating Risks from Vulnerabilities
Many smart home devices are not updated regularly or still use default passwords, which cybercriminals can easily exploit. Ensuring strong security helps mitigate these risks by preventing known vulnerabilities from being used as entry points into your network.
Maintaining Control
Good security ensures that you remain in full control of your smart home systems. Without it, unauthorized individuals might remotely control your devices, leading to unwanted or dangerous situations. Strong encryption, multi-factor authentication, and regular software updates can help maintain this control.
In summary, smart home security is essential for protecting your privacy, keeping your home safe from intrusions, maintaining the integrity of your network, and ensuring that your smart devices function as intended without external interference. And it’s not difficult. But it does take understanding your devices, knowing your infrastructure and putting a plan into action to regularly review their security.
I’d love to hear your thoughts on smart home and security. Are you doing all you can to prevent unauthorized access to your smart home devices and systems? Do you have a plan in place to regularly check for updates and password changes? Have you had the unfortunate experience of having a device compromised? How did you remediate the problem? Let Debbie and me know what you think in the comments, DMs and emails as we really enjoy hearing from you. Thanks again to all those following Debbie and me through our home building journey. It’s great to hear your success stories and suggestions as we move through the process. And if you like the content I’m posting each week, don’t forget to ‘Like’ and ‘Follow.’
SmartHomeOnTheRange.com
In full disclosure, I’m not an affiliate marketer with links to any online retailer on my website. When people read what I’ve written about a particular product and then click on those links and buy something from the retailer, I earn nothing from the retailer. The links are strictly a convenience for my readers.