Someone reportedly gained access to Ecovacs Deebot robot vacuum cleaners in several U.S. cities earlier this year ABC News this week in Australia.
The outlet spoke with several Deebot X2 owners who say their Deebot sounds from the robot's speaker. He said after resetting his password and restarting the robot, it started again, only this time the sound was clearly a voice – he suspected it was a teenager's – that was slurred roared.
ABC News lists other, similar reports from owners in El Paso and Los Angeles, the latter of which involved someone using a Deebot to annoy, yell at, and chase a dog.
Ecovacs told the outlet in a statement that it had “identified a credential stuffing event” and blocked the IP address from which it originated. The company said it found “no evidence” that the attacker collected usernames and passwords.
Researchers last year discovered a flaw that allowed them to bypass the Deebot X2's PIN entry to gain access to the vacuum cleaner. Ecovacs states in its statement that it has solved this problem and also plans to “further increase security” with an update in November. It's not clear if this would fix a Bluetooth vulnerability ABC News Exploited for a report earlier this month.
Cloud-connected smart home devices have been generating stories like this for years. Sometimes it's the result of hacks, others are simply compromised credentials. Sometimes it's bad software that shows you another owner's camera feed as a little treat. Problems like these can seem unavoidable when so many smart home devices require a persistent internet connection to function, especially for companies that don't provide easy ways to report security vulnerabilities.