Posted on 10/11/2024 8:31:21 PM PDT by Red Badger
"It could have been worse," one owner incredibly concluded.
It’s a tale as old as… the Internet of Things era. Robot vacuums made by Ecovacs have been reported roving around people’s homes, yelling profanities at them through the onboard speakers after the company’s software was found to be vulnerable to intrusion.
ABC News in Australia reports that there were recently multiple instances across the U.S. when owners of Ecovacs vacuums noticed their devices acting unusually.
“It sounded like a broken-up radio signal or something,” Daniel Swenson told the outlet. “You could hear snippets of maybe a voice.” He opened the vacuum’s app to find a stranger was accessing its live camera feed and remote control feature, but assumed it might be an error. After resetting the password and rebooting the robot, the vacuum quickly started moving again:
This time, there was no ambiguity about what was coming out of the speaker. A voice was yelling racist obscenities, loud and clear, right in front of Mr Swenson’s son.
“F*** n******s,” screamed the voice, over and over again.
Perhaps the best part of this anecdote was Swenson’s incredulous conclusion that the situation “could have been worse.” But he’s right that it was nice of the hacker to let him know his vacuum was hacked instead of spying on him indefinitely.
The most common issue people have with so-called “smart” home devices is that they often require a software subscription to access core functionality, and if the manufacturer goes under or stops supporting the device, it simply becomes a paperweight.
The more disturbing issue arises when smart devices can be remotely accessed and the manufacturer never considered (or cared about) the possibility that tricksters might take advantage of this to torment people in their own homes. Remote access is convenient, but every couple of years we hear about something egregious, like intruders accessing a baby monitor and whispering through it at night, or gaining access to a garage door to mess with its owner. A lot of the time the intent of these intruders is just to be punks. But you have to wonder how many times it happens and no one knows about it.
The problem is that most of these smart home companies are selling consumer hardware and don’t want or care to invest much in security — it’s an afterthought for a home appliance. You can buy one of dozens of robovacs on Amazon; most people just want the cheapest one. So this is what we get, a company that doesn’t put basic security measures in place.
And ‘basic’ seems to be fair here. ABC found that although Ecovacs accounts are password-protected, and a further four-digit PIN code is required to access the video feed, that PIN code is not validated server-side—meaning anyone with the basic know-how of a tool like Chrome web inspector could bypass it. It’s likely that Swenson was reusing credentials from other services, but the code should have been an extra factor that prevented access anyway. At a bare minimum all Ecovacs really needs to do is some basic “if-true” validation on its servers before opening the video feed.
Ecovacs reportedly was informed about the vulnerability back in 2023 by researchers and didn’t take action until recently. It says a more substantial security update will be released in November.
It sounds crazy when we’re talking about a vacuum of all things, but if you’re going to buy a robot vacuum, be sure to research the product’s security measures.
“I’m on strike! Get a broom and clean your own f’n house ya slob!
Racial slurs?
And hackney ones at that?
Seriously.
Someone could have had a lot of fun with that first.
Person: “Vacuum, go vacuum the living room.”
Vacuum: “I’m sorry, Dave, I can’t do that.”
Have it say "Gross" at just above sub-audible level, every fourth time the scrubbing function is activated or something.
Or, Youngest Daughter's suggestion, "Make it do a fart noise every time it does a turn."
Chicom spying machine crap.
Is your Roomba racist?
Film at 11!
So a company makes a product that caters to the purchaser’s DEMAND for convenience.
Given that: Security and Convenience are often opponents.
Did the purchasers make demands of themselves, to:
- NOT allow remote access into their properties
- REQUIRE a complex administrative username for access to in/on property devices
- REQUIRE a complex administrative password for access to in/on property devices
- DISABLE in/on property Bluetooth transmissions before leaving their property
- NOT TRUST the servers of the product company’s website, with details of the purchaser, the structures and properties?
Yes, it’s better to do the sweeping yourself than trust a machine like that.
I suppose it beats having the thing blow up like a pager in Lebanon.
At least don’t buy one from a Chinese communist company.
This one is essentially harmless in itself, its kinda funny.
Its also a reason I dont have IoT things in my house. It shows you most folks don’t think about security.
Maybe they are tired of cats riding them.
And this is bad because? I would leave the hacked version. Makes chore time more fun—a fellow worker to complain with—good times.
What was that show with the talking car?
My Mother the Car
“Come Honk Your Horn”
Smart appliances ... Crazy.
The prior owners of the house we bought last year left their top-of-the-line, two-month-old washer and dryer. The appliances were “smart”. We used them for two weeks and GAVE them to our handyman when our old Kenmores were delivered.
My washer and my Sleep Number bed do not need to be connected to wifi. They don’t need to be smarter than kaMAla Harris.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.