Ecovacs Hurl Obscenities at Unsuspecting Users

Australian Ecovacs users were victims of an unusual kind of cyber attack: attackers gained remote access to their robot vacuums and took control, causing the vacuums to misbehave, including spewing foul language at unsuspecting users.

We’ve talked before on this blog about remote access through a water heating system, but other “smart” home devices, such as vacuum cleaners, are also vulnerable to this kind of attack.

Most recently, connected device company Ecovacs, the country’s leading supplier of robotic vacuums, was targeted in an attack in which outside actors took control of several robot vacuums and caused them to terrorize users with foul language, including racial slurs.

One of the funniest reactions came from a user who was targeted in this attack:

“It could have been worse”

Vulnerability:

Smart home devices usually require a software subscription to access core functionality, and often the manufacturers of these devices do not consider that outside attackers may try to use that remote-access channel themselves. It happens more often than we hear about: someone gaining control of a stranger’s garage door opener or baby monitor.

The issue, as we see across many sectors, is that producers simply don’t prioritize security when they are rushing products like these to market. Development teams need to work closely with security teams throughout the development process in order to maintain a strong security posture against attacks like these.

The vulnerability in this case was, apparently, extremely basic: user accounts on Ecovacs were password- and PIN-protected, but anyone with a basic knowledge of tools like the Chrome web inspector could bypass the PIN check, because it was enforced in the browser rather than on the server.

And as we’ve mentioned on the blog previously, FireTail advisory board member Mikko Hyppönen’s law clearly applies here:

“If it’s smart, it’s vulnerable.” 

More alarmingly, Ecovacs was reportedly told about this vulnerability back in November 2023, but the company took its time responding and is now dealing with the consequences of that negligence.

Takeaways:

There is not much the individual can do about the security of their devices, but doing adequate research before buying and keeping every device updated to its latest software version is a good first step for personal security. Additionally, every security team and developer should have a basic understanding of APIs and API security in 2024.

As we move toward an increasingly digital world, with more cyber attacks happening every year, cybersecurity is becoming more and more essential, even to the everyday consumer who may be unaware of their API usage. Stay up to date with current cyber news, and educate yourself on APIs and API security to stay safe in the ever-changing digital world.

To see how FireTail can help you and your company secure your APIs, get a free trial or schedule a demo today.