Earlier this month, security researchers revealed a series of alarming vulnerabilities in Ecovacs’ robotic vacuums and lawn mowers that could allow hackers to spy on users through the devices’ microphones and cameras. Initially, Ecovacs downplayed the severity of the flaws, stating they were “extremely rare” and required specialized tools or physical access to exploit. However, just two weeks later, the company has reversed its stance, committing to address the issues after further review.
“We have conducted an in-depth verification and self-examination. We have identified several areas where there is room for improvement,” Martin Ma, director of Ecovacs’ security committee, told TechCrunch in an email. “In response, we have initiated targeted improvements and are addressing the issues highlighted.”
The vulnerabilities were first brought to light during a presentation by security researchers Dennis Giese and Braelynn Luedtke at the annual Def Con hacking conference in Las Vegas on August 10. The duo analyzed 11 Ecovacs devices and uncovered multiple security flaws, with one particularly concerning vulnerability standing out: it allows attackers to connect to an Ecovacs robot via Bluetooth from up to 450 feet (approximately 130 meters) away using a phone. Once connected, hackers could take control of the device and remotely monitor users through the robot’s internet-connected features.
Other flaws included a bug that could let someone regain access to a robot vacuum even after selling it and deleting their account, potentially enabling them to spy on the new owners.
Ecovacs’ Initial Response and Change of Heart
When the researchers initially disclosed their findings, Ecovacs responded by saying the vulnerabilities were unlikely to affect typical users and did not commit to fixing them. However, after their presentation at Def Con, the company took a closer look.
In an email to Giese dated August 16, shared with TechCrunch, Ma acknowledged that the talk had “captured [his] attention.” He admitted that Ecovacs had “inadvertently overlooked” the researchers’ initial emails from December 2023 and promised corrective action.
“We have carefully reviewed your points raised in the previous emails and the demos at Def Con 2024, and conducted an in-depth verification and self-examination,” Ma wrote. The company plans to address the issues in two specific models — the Goat G1 and the X1 — as well as in the Ecovacs app.
Ma also praised the researchers for their work, stating, “Your analysis has been greatly valued and appraised by our technical team. Your insights are invaluable in safeguarding the security and integrity of our products, and they contribute significantly to the consumer electronics industry as a whole.”