Robot Vacuum Lands CES “Worst In Show” For Security

A robot vacuum cleaner manufactured by the China-based firm Ecovacs is the recipient of the “Worst in Show” for security at this year’s Consumer Electronics Show (CES) in Las Vegas.

The Worst in Show for security was awarded by Secure Repairs founder Paul F. Roberts to Ecovacs, which this week unveiled its X2 Combo vacuum at CES – an update of its Deebot X2 Omni robot vacuum.

Why the Ecovacs Deebot X2 Combo? “What we have here is an autonomous, wheeled, in-home surveillance device equipped with cameras, microphones, LIDAR, voice recognition features and built-in AI models for object identification. It harvests untold amounts of information from within your home,” Roberts said at the Worst In Show awards ceremony on Thursday.

Ecovacs leaves a trail of problems

A device harvesting that amount of sensitive personal information – images, sound, maps of personal living spaces – had better have top-shelf security, right? Alas, no. A presentation on the Ecovacs Deebot X1 in December at the Chaos Communications Conference in Hamburg, Germany by researchers Dennis Giese and Braelynn Luedtke revealed that the vacuums are easily hackable. Among other things, they found that user data – possibly including images – was stored on the vacuums in unencrypted form. Remote access to the robot vacuum’s live video feed was secured only by a mobile app whose protection could be easily bypassed. The researchers also found that the Ecovacs factory reset feature does not fully erase all information from the device.

In all, the research on the Ecovacs robotic vacuums found lots of low-hanging fruit: sloppy bash scripts, lax security for harvested data such as maps and images, heavy reliance on “self-signed” certificates, and reliance on MD5 – a widely deprecated encryption algorithm – for securing PINs and passwords.
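To make the MD5 point concrete, here is an added illustration (not code from the article, the researchers, or Ecovacs) contrasting a PIN stored as a bare MD5 digest with the same PIN stored under a salted, iterated key derivation. The function names, the four-digit PIN length and the iteration count are assumptions chosen for the example; the point is that an unsalted fast hash of a short numeric PIN offers essentially no protection once the stored value is read off the device, which is exactly the scenario the unencrypted-storage finding above creates.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example. store_pin_md5 / store_pin_pbkdf2 and friends are
# hypothetical names for this illustration, not firmware or vendor APIs.

PIN_LENGTH = 4               # assumption: a typical short numeric PIN
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-range work factor for PBKDF2-HMAC-SHA256


def store_pin_md5(pin: str) -> str:
    """Weak scheme: unsalted MD5 digest of the PIN, as the article describes."""
    return hashlib.md5(pin.encode()).hexdigest()


def recover_pin_from_md5(digest: str, length: int = PIN_LENGTH) -> Optional[str]:
    """Why the weak scheme fails: the whole PIN space (10**length values) can be
    hashed and compared in a fraction of a second, with no salt to slow it down
    and no per-device variation to prevent reuse of the result."""
    for candidate in range(10 ** length):
        pin = f"{candidate:0{length}d}"
        if hashlib.md5(pin.encode()).hexdigest() == digest:
            return pin
    return None


def store_pin_pbkdf2(pin: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hardened scheme: random per-record salt plus an iterated KDF.
    The salt makes identical PINs on two devices produce different records
    and defeats precomputed tables; the iteration count makes each guess costly."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_pin_pbkdf2(pin: str, record: dict) -> bool:
    """Check a PIN against a stored record using a constant-time comparison."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo(pin: Optional[str] = None) -> dict:
    """Run both schemes on one constructed PIN and report what each reveals."""
    if pin is None:
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
    weak_record = store_pin_md5(pin)
    strong_record = store_pin_pbkdf2(pin)
    return {
        "pin": pin,
        # The MD5 record alone is enough to get the PIN back.
        "recovered_from_md5": recover_pin_from_md5(weak_record),
        # The KDF record verifies correctly and rejects a wrong PIN.
        "kdf_accepts_correct": verify_pin_pbkdf2(pin, strong_record),
        "kdf_rejects_wrong": not verify_pin_pbkdf2("0000" if pin != "0000" else "0001", strong_record),
        # Two records for the same PIN differ because each has its own salt.
        "kdf_records_differ": store_pin_pbkdf2(pin)["hash"] != strong_record["hash"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even the hardened form only slows an offline search; a four-digit PIN has just 10,000 possibilities, so the device also needs on-device rate limiting or lockout and, ideally, a secure element that never exposes the stored record. The MD5 variant gives none of that, which is why its use for PINs and passwords is treated as a defect rather than a weaker-but-acceptable choice.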

Furthermore, Ecovacs offers no bug bounty program, nor a proper “front door” for security researchers who might discover problems with Ecovacs products, Giese and Luedtke said. While the company claims that it will acknowledge reports submitted by independent researchers on a public bulletin board it maintains, the researchers were unable to locate said bulletin board, calling that claim into question.

Beneath the glitz: a security morass

The research suggests that the cybersecurity of these powerful, sensor-rich smart home devices should be a cause of deep concern for consumers. It also points to the quietly growing risks facing consumers as more and more devices make the transition from “dumb” mechanical instruments to smart, Internet-connected and software-driven products.

As the research on the Deebot X1 suggests, a sober security reality lurks beneath the glitz, glamor and shiny exteriors of devices at CES: poorly designed and insecure application code, lax security practices in deployment, and blurry lines around the collection, storage and retention of user data.

Worst In Show: shining a light on CES’s underbelly

Now in its third year, the Worst In Show Awards features a panel of dystopia experts who review CES news releases, punch through the hype and reveal the subtle ways that products jeopardize our safety, encourage wasteful overconsumption, and normalize privacy violations. In addition to the “Worst in Show” for cybersecurity, this year’s event saw Worst In Show awards for Privacy (awarded by Cindy Cohn, Executive Director, Electronic Frontier Foundation); Repairability, selected by Kyle Wiens (CEO, iFixit); environmental impact, selected by Shanika Whitehurst, Consumer Reports; and the new category of “Enshittification” selected by Cory Doctorow (Sci-Fi author, Electronic Frontier Foundation and Pluralistic.net).

Check out all the results at the Worst In Show website!