Hacking a robot vacuum cleaner and spying on its owner live

A major home robotics manufacturer has failed to fix safety issues with its robot vacuum cleaners despite receiving a warning about the risks last year. Without even entering the building, we managed to get pictures of the owner of the device (with his consent, of course). And then everything got even worse…

Robot vacuum cleaners are moving uncontrollably through thousands of homes around the world. An ordinary Australian, Sean Kelly, also decided to buy one for himself to ease his household chores, because he and his wife have twins and a five-month-old baby. And he chose a model made by the world's largest home robotics company: Ecovacs.

Sean settled on the flagship Deebot X2, believing it gave him the best security money could buy. Oh my sweet summer child, how wrong you were!

His robot turned out to be vulnerable to remote hacking, and Ecovacs did nothing, despite a warning received back in December 2023.

In fact, it turned out that he purchased a web camera that travels around the house and monitors his family. I called Sean to tell him the bad news about his vacuum cleaner and asked if he would mind if I hacked his robot.

To be honest, I personally don't know how to hack technology, so I needed the help of Dennis Gies, a security researcher who has spent many years gutting robot vacuum cleaners.

He recently found a way to take control of Ecovacs' entire range of robots, including lawn mowers and Deebot vacuum cleaners, using just a smartphone.

Dennis Gies is an independent security and privacy researcher.

And he didn't even have to touch them – he could do it entirely over Bluetooth, from up to 140 meters away. Gies announced his findings at a hacker conference in Las Vegas. I contacted him by email and asked if he could help me hack a robot vacuum cleaner.

“I can collect a payload for you,” he wrote in response.

This will allow you to “run anything” on select Bluetooth-enabled Ecovacs devices, including Sean's flagship X2 model, which retails for $2,500.

According to Gies, once I connect to the device via Bluetooth, I have full access to the built-in computer and, accordingly, to all the sensors connected to it. “You will be able to access all logs, WiFi credentials and full access to the network,” Gies delighted me. This means I will be able to access the “camera and microphone nodes”.

Sean's wife was adamantly against us hacking the device in their home. So we decided to test it in an office kitchen instead. So, on the fourth floor of a huge building with thick concrete walls, Sean plugs in his robot vacuum cleaner.

Sean Kelly installed his robot vacuum cleaner on the fourth floor of this office building.

I'm sitting in the park right outside the window. From this distance, the Bluetooth signal is weak; I have to move closer to the fence for better communication. Sean's office is on a busy street near the center of Brisbane, and passers-by look at me strangely as I raise my phone to the sky.

Soon his device appears on my phone with the signature “ECOVACS”.

And here we are.

Upstairs, Sean makes himself a cup of coffee.

These photos start streaming to my laptop in real time.

As the robot begins to move around the room to clean, Sean's face enters the frame.

The robot continues its journey through an unfamiliar kitchen; its legs come into view.

The robot does not play a warning sound to start “camera recording” – this sound appears to only play if the camera is accessed through the Ecovacs app. But Sean himself is aware and expects me to watch him, because he himself agreed to this less than an hour ago.

But he doesn't know that we have added a secret feature. And when the moment seems right, we do a little prank. “Hi, Sean,” says the robotic voice. “I'm watching you.”

Sean's eyes widen when his robot says his name. He seems to find it funny, but it is not really funny at all.

Sean Kelly laughs in surprise when his robot says it's watching him

“This is crazy,” he says, looking at the robot. It's as if he doesn't recognize his own vacuum cleaner. The device had been crawling around his home unchecked for the better part of a year, potentially giving opportunistic hackers a chance to snoop.

I show Sean the photos taken by his robot vacuum cleaner.

While I was connecting to Sean's robot from the park outside my window, the real hack was happening on the other side of the planet. In Germany, Gies stayed in touch for a full hour and helped pull the strings. There were several unsuccessful attempts, but then everything worked out.

– Done, sent [payload]. Did it work?

– Haha, I'm coming in. Now let's steal their darkest secrets.

Gies, of course, was joking when he talked about stealing Sean's data. But he was completely serious about the fact that he was able to log into the on-board computer of the vacuum cleaner. The photos were transferred to his server in the US, and he viewed them (from his apartment in Berlin) at the same time as me. “Nice office,” he wrote to me.

Looks into the Brisbane office while in Berlin

“I was surprised that the robot moved and still had access to the camera,” Gies said later.

Once I had sent the initial command over Bluetooth to gain access, neither of us needed to be anywhere near the robot to keep monitoring through its camera.

Not all of the vulnerabilities that Gies discovered were equally problematic, for Ecovacs or for other brands. Many required physically connecting to robots or even taking them apart to get to the insides.

He does not report low-risk issues. But the one we were dealing with now was especially sensitive. Gies quickly notified Ecovacs, saying he had discovered a serious security vulnerability that could be exploited remotely. He did not disclose specific details because he did not want to transmit them over an unsecured channel, and he still has not published them in the public domain.

This was in December 2023. Ten months ago. But he never received an answer. The company later woke up and wrote that it had accidentally missed the December letter. For a billion-dollar company that is currently the market leader, that is a little alarming.

Gies' interest lies in gaining access to devices, not spying on the people using them. However, it only took him a couple of hours to figure out how to take photos, send them to his server, and play his own audio through the robot's speakers.

At some point in our experiment, Gies jokingly suggested that the vacuum cleaner’s computer be permanently disabled, thereby showing how much harm it could actually cause.

– Okay, let me do something scary. Should I turn his robot into a brick?

– Ha ha ha, no, no. We just need to hack it.

In the end, we fixed everything. There were no traces left on Sean's device, and he took his robot home, puzzled by this threat to the privacy of his family's lives. He now throws a towel over the robot when it is not in use. The experiment was a wake-up call for Sean, but the privacy risks in today's world extend far beyond just one product.

“People don't think of their dishwasher as a robot,” says Dr Donald Dansereau, senior lecturer at the Australian Robotics Center at the University of Sydney. “We live in a society full of cameras.”

Robot vacuum cleaners get close attention because they are so conspicuous. But in reality, cameras are everywhere, for example in the cars that fill the streets. And with cameras everywhere, questions arise about how secure the footage is.

Ecovacs initially said its users “should not be overly concerned” about Gies' study. After he first publicly disclosed the vulnerability, the company's security committee downplayed the problem, stating that reproducing it requires “specialized hacking tools and physical access to the device.”

It is difficult to reconcile their statement with reality. All it took was my $300 smartphone, and I didn't even see Sean's robot until after I had hacked it.

Ecovacs eventually said it would fix this safety issue. At the time of publication, only some models have been updated to prevent this attack. But several models, including the latest flagship model launched in July this year, remain vulnerable.

Ecovacs X2 is vulnerable to hacking at a distance of more than 100 meters.

Obviously, Sean's robot is one of them. Yet the company did not warn him about the security flaws affecting his device. After I told Ecovacs about our experiment, a company representative said that an update for the X2 would be available in November 2024.

I wondered: who is responsible for making sure these internet-connected devices are truly secure? It turns out that in Australia there are no mandatory rules to ensure that smart devices cannot be hacked. Last year the Department of Home Affairs published a voluntary code of practice, compliance with which is “encouraged but not required.”

This means companies making devices for sale in Australia, including Ecovacs and other home robotics companies, are not required to test their products against even the most basic vulnerabilities.

However, Ecovacs did test the X2 and received a security certificate from the German company TÜV Rheinland. The robot was tested for compliance with the cybersecurity standard with the catchy technical name ETSI EN 303 645, which is proposed to be partly adopted as part of the Australian Cyber Security Strategy.

Most home robotics companies, including Ecovacs, Xiaomi, iRobot and Roborock, regularly certify their products to this standard, and in many countries it is a basic requirement. And this, according to Gies, is “the worst thing.”

He found that Ecovacs devices were extremely vulnerable to hacking, despite being certified as secure. Gies discovered these security vulnerabilities simply by spending a little of his free time. Brelynn Luedtke and Chris Anderson, two other independent researchers, did the same. So why didn't the multinational company that was supposed to test it find them?

I contacted TÜV Rheinland to find out. In response to my questions about the testing process, Alexander Schneider from TÜV Rheinland directed me to a digital certificate that contained almost no information about how exactly the testing was carried out.

“We are confident that our testing meets all aspects of the standard,” Schneider said in a statement. Gies, in turn, claims that at least five of the 13 provisions of the standard were not met by the Ecovacs X2 when he tested it.

According to Schneider, the vulnerabilities discovered by Gies were not studied during testing “because they belong to the realm of professional hacker attacks.” He says TÜV Rheinland certification does not guarantee the prevention of cyber attacks by serious hackers. Well, who then, in their opinion, usually carries out the hacking?

Looking for a second opinion

Lim Yun Zhi, a former cybersecurity tester at rival certification company TÜV SÜD, has practical experience certifying robot vacuum cleaners to the same standard. The testing process is largely “left up to interpretation” by certifying companies, he said.

He believes that testers do not need to conduct “deep or professional attacks.”

Lim Yun Zhi (third from right) was a cybersecurity tester at TÜV SÜD for five years.

This position is explained by the fact that such products are brought to market very quickly. Although the standard specifies the need for general security functions, there is no explicit requirement that they be implemented correctly. It all depends on the experience of the laboratory and of the personnel who carry out the cybersecurity testing.

Testing is often done before a product is released, while new, unforeseen cyber threats arise all the time.

The software running on smart devices needs to be updated regularly to stay up to date with the latest known issues. And each new version of software loaded into the robot could potentially introduce new vulnerabilities.

According to Lim, it would be impractical to independently test every new version, as the process could take months to complete. But product labeling indicating that devices meet certification standards may give consumers a “false sense of security.”

An Australian Department of Home Affairs spokesman said the government plans to introduce mandatory security standards for smart devices, as well as enforcement measures that will “prevent non-compliant devices from being sold in Australia.” He did not comment on the effectiveness of ETSI EN 303 645, which was mentioned in the public consultation as a potential basis for adoption.

According to Dennis Gies, the most alarming aspect of a Bluetooth attack is how difficult it is to detect. “If you do it very quietly, the victim will never know about it.” The video warning sound does not play. The robot vacuum cleaner continues cleaning as usual. The hack leaves no traces on the device. So you will never know whether some shady company is using your photos for its own purposes. And, as it turns out, they are.

AI learns from stolen data

Photos, videos and voice recordings taken in customers' homes turn out to be used to train the company's artificial intelligence models.

The manufacturer said its users are “willingly participating” in the product improvement program. When users opt-in to this program through the Ecovacs smartphone app, they are not told what data will be collected, only that it will “help us improve the features and quality of the product.”

Users are asked to click “above” to read the details; however, there is no link on that page.

The Ecovacs Privacy Policy, available in another part of the application, allows for the full collection of user data for research purposes, including:

  • 2D or 3D map of the user's home generated by the device

  • Voice recordings from the device microphone

  • Photos or videos recorded by the device's camera

It also states that voice recordings, videos and photos deleted through the app may continue to be stored and used by Ecovacs.

An Ecovacs spokesperson confirmed that the company uses data collected through its product improvement program to train its artificial intelligence models. Critical cybersecurity vulnerabilities that allow some Ecovacs models to be hacked remotely call into question the company's ability to protect this sensitive information.

Even if a company is not acting maliciously, it can itself become a victim of corporate espionage or government action. In a 2020 blog post, two engineers from Ecovacs Robotics' artificial intelligence department described the problem they faced: “Building a deep learning model without large amounts of data is like building a house without blueprints.”

The problem with publicly available datasets is that suitable ones simply could not be found, because the robot sees the environment “from the ground.” Therefore, the company needed its own data collection.

Legs and other objects are shown with frames drawn around them.

Ecovacs engineers describe how they train the company's artificial intelligence models

A company spokesperson said this preliminary dataset does not contain “real user household information.” However, the company has confirmed that, since the launch of the products, data from users who took part in the “Product Improvement Program” is used to train the artificial intelligence model.

“We anonymize user information during data collection, ensuring that only anonymous data is uploaded to our servers,” the spokesperson said in a statement. “We have implemented strict access control protocols for viewing and using this anonymous user data.”

But in fact, images from robotic vacuum cleaners have already appeared online. In 2022, intimate photos taken by iRobot devices were published on a “banned social network,” including the infamous photo of a man sitting on the toilet. In this case, the robots that took the pictures were part of a testing program in which users participated.

A company representative told MIT Technology Review that these were “specially designed robots with hardware and software modifications that have never been and will not be included in iRobot consumer products available for purchase.”

The devices were physically marked with bright green stickers (they said “video recording”), and users agreed to send data to iRobot for research purposes.

Roomba image leaked

One of the leaked images taken by Roomba robot vacuum cleaners

Allowing a US-based company to access images from a device is one thing. But it's another thing entirely when the photos end up on a social networking site.

And then the question arises, how did they get there?

iRobot has contracted AI training data company Scale AI to analyze raw footage to train its object detection algorithm.

According to Scale AI founder Alex Wang, its data processing system generates virtually all the data needed to run leading large language models. That sounds very serious, but in reality it relies on millions of workers doing the labeling in less than ideal conditions.

A woman works in an internet cafe.

Online data annotators often work in internet cafes. Workers label images so the AI can generate politicians and celebrities, and edit snippets of text so language models like ChatGPT don't spit out nonsense.

iRobot ended its partnership with Scale AI after its contractors posted photos on social media.

Do cleaning robots even need high-definition cameras?

Researchers at the Australian Robotics Center have developed a solution that can avoid this problem entirely. To protect sensitive images from hackers, technology has been developed that changes “the way a robot sees the world.”

Essentially, it is a camera that is inherently “privacy preserving.”

Two men stand behind a camera attached to a circuit board.

Since the image captured by the camera is scrambled beyond recognition before it is digitized, attackers cannot get at raw images. However, the scrambled image still contains enough information for the robot to navigate in space. The technology is not yet ready for commercialization, but Dr Dansereau is confident that technology companies will adopt it.

Thank you for your attention. Be careful.
