Hackers gained control of Ecovacs Deebot X2 robot vacuums across multiple US cities in May 2024, using them to yell racial slurs at families and chase pets through onboard speakers and remote control features.
In May 2024, hackers compromised multiple Chinese-made Ecovacs Deebot X2 robot vacuums across several US cities including Minnesota, Los Angeles, and El Paso. The attackers exploited known security vulnerabilities to gain remote control of the devices' cameras, microphones, and movement functions. In Minnesota, lawyer Daniel Swenson reset the password and rebooted his vacuum, after which it yelled racial slurs, including the N-word, repeatedly in front of his 13-year-old son. On the same day (May 24), a vacuum in Los Angeles was used to chase a dog while the hacker shouted abusive comments. Five days later, another device in El Paso began spewing racial slurs at its owner late at night until it was unplugged. Researchers Dennis Giese and Braelynn Luedtke had identified the security flaws in December 2023, demonstrating that the four-digit PIN protecting video feeds was validated only by the app rather than the server, allowing easy bypass. Despite being warned about these vulnerabilities months earlier, Ecovacs had not adequately addressed the security issues. The company confirmed the attacks were likely due to 'credential stuffing' and blocked the attacking IP address, promising a security update in November 2024.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Vulnerabilities that can be exploited in AI systems, software development toolchains, and hardware, resulting in unauthorized access, data and privacy breaches, or system manipulation causing unsafe outputs or behavior.
Human: Due to a decision or action made by humans
Intentional: Due to an expected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed