Reverse engineering and hacking Ecovacs robots
Dennis Giese, Braelynn Hacker
DEF CON 32 Creator Stage · Day 1 · Creator Stage
This talk, presented by security researchers Dennis Giese and Braelynn Hacker at DEF CON 32, provides a comprehensive look into the security vulnerabilities and privacy risks inherent in Ecovacs IoT robots. Drawing from over five years of dedicated research, the speakers demonstrate how they achieved root access on a wide range of Ecovacs devices, including robot vacuums (up to the X2 series), lawn mowing robots, and Airbot air purifiers, as well as products from Ecovacs' sub-brand, Yedi. The core of their presentation highlights critical security flaws, culminating in a significant Bluetooth Remote Code Execution (RCE) vulnerability that allows for initial access without physical disassembly.