
Can hackers remotely access cameras and microphones? Is the popular sweeping robot safe? The company responded: It is not a "vulnerability" and does not affect ordinary users

2024-08-15


Recently, Ecovacs has been facing questions about privacy and security. Two security researchers, Dennis Giese and Braelynn, disclosed security vulnerabilities in Ecovacs' lawn mower and sweeping robots at the Def Con security conference. They said that these vulnerabilities could allow attackers to exploit the devices' built-in cameras and microphones to spy on users.

According to the data compiled by AVC, in the first half of this year, sweeping robots accounted for as much as 41% of all cleaning appliances, firmly sitting in the top spot in the cleaning market, with both sales revenue and sales volume achieving double-digit growth, up 18.8% and 11.9% year-on-year respectively.

According to the Ecovacs official website, Ecovacs Robotics adheres to and deepens its internationalization strategy. Currently, Ecovacs Robotics has established sales subsidiaries in Germany, the United States, and Japan, and has successfully opened up markets in more than 80 major countries and regions around the world. In 2016, Ecovacs became the top-selling brand of sweeping robots in China.

Screenshot from Ecovacs official website

"As home appliance companies promote the intelligentization of their products, they must consider the protection of user privacy and security in terms of awareness, planning and technical architecture." Major General Ding, an observer of the home appliance industry, told the Guangzhou Daily that in this process, user data should be collected scientifically and reasonably, and users should be informed and their consent obtained. Users' privacy data and data that does not fundamentally improve the user's intelligent experience should not be excessively requested. When the basic capabilities of the company are not yet perfect, a professional third-party security data company can be introduced to carry out data-related protection work.

Researchers: It can be controlled from 130 meters away

Can access camera, microphone, etc.

According to Southern Metropolis Daily, the BlackHat and Def Con hacker conferences, known as the "World Cup" and "Oscars" of hackers, were held in Las Vegas last weekend to share the latest research, hacker techniques and knowledge in the security community. The researchers said they analyzed more than 10 popular devices from Ecovacs, including sweeping robots, lawn mowing robots and air purifier robots.

The researchers said that the main problem with Ecovacs products is a vulnerability: anyone using a mobile phone can connect to and control an Ecovacs robot via Bluetooth from up to 450 feet (about 130 meters) away. "You send a payload and in just one second it reconnects to our machine. For example, it can reconnect to a server on the internet. From there, we can control the robot remotely," said Dennis Giese. "We can read the Wi-Fi credentials, we can read all the (saved room) maps, access the cameras, the microphones, everything."

The researchers said that the lawn mower robot always has Bluetooth turned on, while the sweeping robot enables Bluetooth for 20 minutes when it is turned on and automatically restarts once a day, so the sweeping robot is more difficult to hack. Since most new Ecovacs robots are equipped with at least one camera and one microphone, once hackers take control of a compromised robot, these sweeping robots can be turned into "surveillance tools." The robots also have no hardware indicators or any other indicators to alert people nearby that their cameras and microphones are on.

According to 21 Finance, "Bluetooth security has always been a common security issue." Wu Jianping, director of Bangbang Security Master Laboratory, pointed out in an interview that since the Bluetooth pairing key is a purely digital 4-digit or 6-digit password, modern computers can successfully decipher it within a few seconds if there are only ten thousand or one million possibilities.

In response to this underlying protocol vulnerability, the Bluetooth company released the version 5.4 update in 2023, which limited the number of accesses and key comparisons in a short period of time, reducing the risk of Bluetooth connections being hacked to a certain extent.

In addition to Bluetooth-related vulnerabilities, the two researchers also found other security issues with Ecovacs products, pointing out that even if the user account is deleted, the robot's related data will still be stored on the cloud server; the user's authentication token is also stored in the cloud. This may result in the relevant users still being able to access the device after deleting their account, threatening the privacy of users who purchase the machine second-hand.

Ecovacs responds: Don’t worry too much

It will not affect ordinary users

On the afternoon of August 13, a reporter from the Daily Economic News attended a conference call held by Ecovacs to "respond to questions related to data security". Ma Xianbin, PR Director of Ecovacs Greater China, said that the two security researchers, Dennis Giese and Brian, have always been very interested in the product security of China's sweeping robot companies and have also conducted some corresponding research on products of other domestic brands. "The two researchers are studying wireless and embedded devices."

The background of this incident is that two security researchers claimed to give a speech at the Def Con security conference in the United States to demonstrate how to attack Ecovacs devices, but the video of their speech has not yet been released. Since last year, Ecovacs has been strengthening its technology, and the possible breakthrough paths have been blocked, so so far the content that the two security researchers originally planned to release has not been released.

Ecovacs believes that the product problems pointed out by the other party are not "loopholes", but problems faced by the industry in general, that is, in some verification connection processes, people with ulterior motives may "take advantage of loopholes", but they can't crack a company's products without physical contact or being in close proximity to them. In addition, the other party claimed that the attack methods they developed are only effective against a single device and are not replicable.

"So we think that users who buy our products don't need to worry too much about this. At least the situation we know now will not affect ordinary users," Ma Xianbin said.

In addition, Ecovacs said that the company has been actively optimizing its product security protection measures. Ma Xianbin said that the strengthening of such protection measures is not aimed at a single case or a single hacker or organization, but to make it more difficult for attackers to find patterns in the company's security measures, thereby reducing unnecessary risks.

At present, the methods used by Ecovacs include various certificate verifications, security policies, countermeasures to network hijacking, real-time monitoring and updates of remote code execution vulnerabilities, and the integrity of connections between three-party devices. Ecovacs has been constantly changing its algorithms and methods.

Regarding the "vulnerability" released by the two researchers, Ma Xianbin believes that this is a technical discussion. At a certain time, the other party found a way to hack into the device. In terms of attitude, the company welcomes this kind of problem that is limited to the scope of technical discussion.

According to the 2023 annual report released by Ecovacs, in 2023 the company's total revenue was RMB 15.502 billion, an increase of 1.16% over the previous year. The net profit attributable to shareholders of the listed company was RMB 612 million, down 63.96% from the previous year. Domestic operating income was 8.98 billion yuan, down 11.43% year-on-year; overseas operating income was 6.522 billion yuan, up 25.76% year-on-year.

Daily Economic News compiled from public information, Guangzhou Daily, Southern Metropolis Daily, 21 Finance, and Meijing.com (Reporter Cheng Ya)
