#robovacs are #HouseCrabs and you can't convince me otherwise

#carcinisation #robotvacuum #crab
#DJI will pay $30K to the engineer who accidentally hacked 7,000 #Romo #robovacs. All he wanted to do was drive his #robot #vacuum with a PS5 controller
DJI would also not tell us which discovery it’s paying him for, but says it has already addressed the extra #vulnerability Azdoufal found where someone can view a DJI Romo video stream without needing a security pin. “We can confirm that the PIN code security observation was addressed by late February.”
https://www.theverge.com/news/890982/dji-pay-sammy-azdoufal-robot-vacuum-hack-romo-security
DJI will pay $30K to the man who accidentally hacked 7,000 Romo robovacs

DJI will pay Sammy Azdoufal $30,000 after he used Claude Code to accidentally access a network of 7,000 robot vacuums.

The Verge

Teenage hackers yelling slurs and terrorizing pets enabled by security vulnerabilities in robot vacuums.  

The Verge opines:

“Issues like these can feel inevitable when so many smart home devices require a persistent internet connection to function, especially for those companies that don’t offer easy ways to report security vulnerabilities.”

https://www.theverge.com/2024/10/12/24268508/hacked-ecovacs-deebot-x2-racial-slurs-chase-pets

#Robovacs

Hackers took over robovacs to chase pets and yell slurs

A bad actor gained access to Ecovacs Deebot X2 Omni robotic vacuums, using them to chase pets and yell racist slurs at their owners.

The Verge
Hackers exploit security flaws in Ecovacs Deebot X2 to control robovacs

Hackers took control of Ecovacs Deebot X2 Omni robot vacuums, terrorizing owners with slurs and chasing pets.

GadgetBond

#CyberSecurity #Privacy #RobotVaccums #RoboVacs #IoT #SmartHome: "The problem is that most of these smart home companies are selling consumer hardware and don’t want or care to invest much in security — it’s an afterthought for a home appliance. You can buy one of dozens of robovacs on Amazon; most people just want the cheapest one. So this is what we get, a company that doesn’t put basic security measures in place.

And ‘basic’ seems to be fair here. ABC found that although Ecovacs accounts are password-protected, and a further four-digit PIN code is required to access the video feed, that PIN code is not validated server-side—meaning anyone with the basic know-how of a tool like Chrome web inspector could bypass it. It’s likely that Swenson was reusing credentials from other services, but the code should have been an extra factor that prevented access anyway. At a bare minimum all Ecovacs really needs to do is some basic “if-true” validation on its servers before opening the video feed.

Ecovacs reportedly was informed about the vulnerability back in 2023 by researchers and didn’t take action until recently. It says a more substantial security update will be released in November.

It sounds crazy when we’re talking about a vacuum of all things, but if you’re going to buy a robot vacuum, be sure to research the product’s security measures."

https://gizmodo.com/hacked-robot-vacuums-across-the-us-started-yelling-slurs-2000511013

Hacked Robot Vacuums Across the U.S. Started Yelling Slurs

"It could have been worse," one owner incredibly concluded.

Gizmodo
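
The server-side PIN check that the quoted excerpt above says was missing, sketched as an added example (not code from the posts, the articles, or any vendor). The `VideoGate` class, the request fields `pin_ok` and `pin`, and the lockout numbers are assumptions made for illustration; the weak method models a server that accepts the client's own claim that the PIN was checked.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy: a 4-digit PIN has only 10,000 values
LOCKOUT_SECONDS = 900   # assumed lockout window


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted hash so the PIN itself is never kept server-side.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class VideoGate:
    """Hypothetical server-side gate in front of one device's video feed."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._pin_hash = _hash_pin(pin, self._salt)
        self._failures = 0
        self._locked_until = 0.0
        self._clock = clock

    def open_stream_client_trusting(self, request: dict) -> bool:
        # Weak pattern: the app checked the PIN and the server believes it.
        # The field is fully controlled by whoever sends the request.
        return bool(request.get("pin_ok"))

    def open_stream(self, request: dict) -> bool:
        # Hardened: the server receives the PIN and makes the decision itself.
        now = self._clock()
        if now < self._locked_until:
            return False  # locked out, even if the PIN is correct
        pin = request.get("pin")
        ok = isinstance(pin, str) and hmac.compare_digest(
            _hash_pin(pin, self._salt), self._pin_hash
        )
        if ok:
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            # Without this, all 10,000 PINs can simply be tried in turn.
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return False
```

The lockout matters as much as the comparison: a four-digit code validated on the server but with unlimited attempts is still only a short delay.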