It was an ordinary day for American lawyer Daniel Swenson, until his vacuum cleaner seemed to come to life. As he was quietly watching TV, Australian broadcaster ABC reports, his Ecovacs robot began producing strange noises, like the crackle of a radio. On examining the machine, he realized the problem was more serious than it looked: someone was accessing his vacuum cleaner’s live video feed and remote-control features. He tried to fix it by changing his password and restarting the robot. Shortly afterwards, the vacuum cleaner started moving again and began broadcasting racist insults through its speaker.
Shaken, Daniel Swenson told ABC that he shut the vacuum cleaner down completely and put it in the garage, where it remains today. He is not the only one to have had such an experience. Several other owners of Ecovacs robots in the United States have reported similar incidents: one owner’s machine reportedly chased his dog, another’s hurled insults at its owner.
These spectacular incidents made headlines in October, but it is not the first time connected objects have caused trouble. In June 2019, a kitchen robot sold by Lidl sparked controversy when a microphone was discovered inside it. The component was inactive, but tech-savvy users managed to switch it on, and the manufacturer had not disclosed its presence. In December 2022, the MIT Technology Review revealed that photos of people using experimental versions of Roomba vacuum cleaners had been shared in private Facebook groups. As the manufacturer pointed out at the time, these were not commercial units, and the people involved had agreed, in return for payment, to let the footage from these test units be sent to contractors specializing in image labeling, an exercise used to improve automated image analysis. But the presence of certain intimate shots, notably of a woman on the toilet, is a reminder of how quickly our guard drops around these familiar objects.
There are now more than 17 billion connected objects in the world, and their number is expected to reach 30 billion by 2030. As ever more of these devices enter our homes, whether as coffee makers or connected fridges, the cyber-espionage risks they pose remain largely unknown to the general public.
Underestimated cyber risks
In the Ecovacs case, the company states in a press release sent to ABC News that the fault does not lie with it. The manufacturer says it suffered no hack or data leak. According to the company, the problem stems from the lawyer, like the other victims, having used the same username and password on another site that itself suffered a data breach. Those credentials would then have allowed an attacker to log in to the vacuum cleaner and take control of it. Contacted by L’Express, Ecovacs did not respond to our questions. While exactly how the takeover happened remains unclear, as do the safeguards Ecovacs has in place, the affair is a reminder of how hard these devices are to protect.
“With connected objects, the attack surface expands. There are therefore more risks for computer systems,” explains Eric Antibi, France director of cybersecurity firm Palo Alto Networks. This stems from the very nature of these objects: they connect to Wi-Fi and to remote servers, and generally work through apps, each of which is a possible entry point for attackers. Yet “when you buy a screen, a coffee maker or a connected vacuum cleaner, no one takes care of the cyber aspect. No one thinks to ask whether they are well protected, what version of the OS they run or whether they get security patches,” Eric Antibi continues. Owners seriously underestimate these risks.
Because it is entirely possible to hack these devices and take control of them. Attackers can exploit human weaknesses, for example when the user has not set a password for the app paired with the device. But it is also possible to hijack certain features of the devices themselves: a few months before Daniel Swenson’s incident, security researchers managed to take control of an Ecovacs vacuum cleaner by hijacking its Bluetooth connection. Attackers can also break into a vendor’s servers if they are poorly secured.
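The account-takeover route Ecovacs describes (a password reused from an unrelated breach, replayed against the vendor’s login) and the weak-or-missing-password case above both leave traces a vendor can act on server-side. The following is an added example written for this article, not code from Ecovacs, the researchers cited or L’Express: it flags source IPs whose login pattern looks like credential stuffing (many distinct accounts, high failure rate) over a constructed authentication log, and it checks a candidate password against a constructed stand-in for a breach corpus using the SHA-1 prefix/suffix split used by k-anonymity range queries. The log format, field names, IP addresses, account names and thresholds are all assumptions for illustration.

```python
"""Added example: two server-side checks against credential-stuffing takeovers.

1. find_stuffing_sources(): flag source IPs that probe many distinct accounts
   with a high failure share, and list accounts where a guess succeeded.
2. breach_lookup(): reject passwords found in a breach corpus via a
   prefix/suffix hash split. The corpus below is a constructed stand-in.
"""
import hashlib
from collections import defaultdict

# Constructed sample log (not real data): "<timestamp> <source-ip> <username> <OK|FAIL>".
# 203.0.113.7 walks a list of reused credentials; 198.51.100.4 is one user mistyping.
SAMPLE_AUTH_LOG = """\
2024-10-01T20:01:02Z 203.0.113.7 alice@example.com FAIL
2024-10-01T20:01:03Z 203.0.113.7 bob@example.com FAIL
2024-10-01T20:01:03Z 203.0.113.7 carol@example.com OK
2024-10-01T20:01:04Z 203.0.113.7 dave@example.com FAIL
2024-10-01T20:01:05Z 203.0.113.7 erin@example.com OK
2024-10-01T20:01:06Z 203.0.113.7 grace@example.com FAIL
2024-10-01T20:05:00Z 198.51.100.4 frank@example.com FAIL
2024-10-01T20:05:10Z 198.51.100.4 frank@example.com OK
"""


def parse_auth_log(text):
    """Parse one login event per line into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag IPs that try >= min_accounts distinct usernames with a failure share
    >= min_fail_ratio. One user retrying one account from one IP is not flagged.
    Thresholds are illustrative; tune them to real traffic."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "compromised": []})
    for ev in events:
        s = by_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["ok"]:
            if ev["user"] not in s["compromised"]:
                s["compromised"].append(ev["user"])  # a reused password worked
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in by_ip.items():
        if len(s["users"]) >= min_accounts and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["users"]), "attempts": s["attempts"],
                           "failures": s["failures"], "compromised": s["compromised"]}
    return flagged


def build_corpus(plaintexts):
    """Constructed stand-in for a breach corpus: SHA-1 (uppercase hex) of each
    leaked password, bucketed by its first five hex digits."""
    corpus = defaultdict(set)
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        corpus[digest[:5]].add(digest[5:])
    return corpus


# Constructed list of "leaked" passwords standing in for a real breach dump.
CORPUS = build_corpus(["password123", "123456", "qwerty", "Vacuum2019!"])


def breach_lookup(password, corpus=CORPUS):
    """True if the password's SHA-1 is in the corpus. In a real range query only
    the 5-character prefix leaves the client; the suffix comparison stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in corpus.get(digest[:5], set())


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts, {info['failures']}/{info['attempts']} failed,"
              f" compromised={info['compromised']}")
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r} in breach corpus: {breach_lookup(pw)}")
```

Run stand-alone, the script flags 203.0.113.7 and lists the two accounts where a reused password succeeded; those are the accounts to force a reset on and to notify. The breach check is what a vendor runs at registration or password change, so that a password already circulating in a dump is refused before it can be replayed.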
The knock-on effects can be severe. “Taking control of a connected fridge allows it to be used as a pivot point to attack other elements of the home,” warns Pierre Delcher, director of the cybersecurity research team at HarfangLab. Once inside the home network, attackers can mount larger-scale attacks. “Computers are generally protected against external attacks, but are susceptible to internal attacks,” the expert adds.
Cyber risk is, unfortunately, not always a top priority when connected objects are designed. “Security is an additional cost for businesses. In general, the cheaper the product, the less protected it is,” says Tiphaine Romand-Latapie, cybersecurity expert at Synacktiv. In the Ecovacs case, the attackers do not appear to have targeted specific users, but attacks are not always so indiscriminate. Eric Antibi cites the case of an employee of a sensitive company who was targeted through a connected object as a way into their work computer. “Attempts of this type are on the rise,” he warns, particularly since remote work became widespread.
Personal data, a major issue
The data these connected objects collect raises further questions. A recent Surfshark study illustrates how widespread the practice is among makers of smart household appliances. Some fridge brands collect audio data. Coffee makers have access to their owners’ photos, videos and addresses through an app. Connected switches capture location and purchase history. Manufacturers argue that this data sharing is what lets them offer customers a tailored experience, and “the user has the choice to share this data with us,” stresses Clément Monjou, head of Alexa speaker development at Amazon France. The company also specifies that it does not use the data collected for commercial purposes, only for personalization. The same goes for Google, which highlights the services offered to its customers.
“However, some manufacturers collect data they do not necessarily need to operate, which is then reused for marketing purposes,” says Tiphaine Romand-Latapie. The CNIL, contacted on this subject by L’Express, recalls that companies manufacturing or marketing these objects in the European Union, including foreign companies, must “comply with the regulations relating to the protection of personal data”, namely the GDPR. Manufacturers are required to be transparent about how data is used and to obtain consumers’ consent.
To secure the information collected, Google tells L’Express that “certain Google Nest devices and services, such as Google Nest Hub Max, record and process part of the data locally on the device, and not on Google servers”, which reduces the risk of leaks. Amazon, for its part, says it “takes security very seriously” and uses rigorous security protocols. Flaws nonetheless persist in the sector, particularly among smaller manufacturers that do not always have the means to harden their systems. Older-generation devices still in service may also be more vulnerable to attack.
Data leaks can have serious consequences, especially when a device captures “financial details, medical records, energy consumption, habits and location of individuals”, points out Raminta Bučiūtė, personal data specialist at Surfshark. The stolen information is then put up for sale on hacker forums and can be used for identity theft, phishing or blackmail. “[...] which are not always of interest to a consumer,” sums up Pierre Delcher of HarfangLab. “The real question is: why put a microphone in a vacuum cleaner? It’s espionage.”