How Ecovacs Robots Got Hacked And What We Can Learn From It - Dennis Giese
Nullcon Goa 2025 · Main Stage
In this talk at Nullcon, security researcher Dennis Giese, known for his extensive work in wireless and embedded security, detailed a seven-year journey of uncovering critical vulnerabilities in Ecovacs robotic devices. The presentation, titled "How Ecovacs Robots Got Hacked And What We Can Learn From It," exposed a litany of security flaws ranging from trivial encryption keys to remote code execution, which affected millions of users and significantly damaged the company's reputation and market value. Giese, a self-proclaimed "vacuum robot and IoT collector," highlighted that these issues are not isolated to Ecovacs but are endemic across the IoT landscape, and emphasized the urgent need for better security practices in connected devices.
AI review
Seven years of persistent IoT research on a single vendor, culminating in 18 vulns across 30+ models, live RCE demos over BLE from 150 meters, and a worm scenario that actually holds water. This is the kind of talk that makes vendor security teams quietly update their LinkedIn profiles. Minor deduction for the IoT-vacuum genre being well-trodden territory — Giese himself has delivered variants of this talk since 2017 — but the accumulated depth and the sheer audacity of 'AES key: 12345678 Ecovacs' on a TÜV-certified device keeps it firmly in strong-accept territory.