#CyberSecurity #Privacy #RobotVaccums #RoboVacs #IoT #SmartHome: "The problem is that most of these smart home companies are selling consumer hardware and don’t want or care to invest much in security — it’s an afterthought for a home appliance. You can buy one of dozens of robovacs on Amazon; most people just want the cheapest one. So this is what we get, a company that doesn’t put basic security measures in place.

And ‘basic’ seems to be fair here. ABC found that although Ecovacs accounts are password-protected, and a further four-digit PIN code is required to access the video feed, that PIN code is not validated server-side—meaning anyone with the basic know-how of a tool like Chrome web inspector could bypass it. It’s likely that Swenson was reusing credentials from other services, but the code should have been an extra factor that prevented access anyway. At a bare minimum all Ecovacs really needs to do is some basic “if-true” validation on its servers before opening the video feed.

Ecovacs reportedly was informed about the vulnerability back in 2023 by researchers and didn’t take action until recently. It says a more substantial security update will be released in November.

It sounds crazy when we’re talking about a vacuum of all things, but if you’re going to buy a robot vacuum, be sure to research the product’s security measures."

https://gizmodo.com/hacked-robot-vacuums-across-the-us-started-yelling-slurs-2000511013