概要: Hackers reportedly exploited a vulnerability in Ecovacs’s Deebot X2 robot vacuums, gaining unauthorized access to camera and microphone controls. Users reported privacy invasions and offensive language broadcasted through the devices. Although Ecovacs claimed to have resolved the security flaw, researchers suggest vulnerabilities remain that could potentially leave users exposed to surveillance and harassment through their AI-enabled devices.
Editor Notes: Reconstructing the timeline of events: (1) December 2023: Cybersecurity researchers Dennis Giese and Braelynn Luedtke reportedly reveal a security flaw in Ecovacs Deebot X2 at a hacking conference. The flaw, they claim, involves an insecure PIN system and Bluetooth vulnerability, and was reported to Ecovacs prior to going public. (2) May 24, 2024: Minnesota lawyer Daniel Swenson’s Deebot X2 is reported to have been hacked, allegedly emitting racial slurs and controlled remotely in his home. The same day, another hacked Deebot X2 reportedly chases a dog in Los Angeles while allegedly projecting offensive language. (3) May 29, 2024: In El Paso, Texas, another Deebot X2 is reported to have been hacked, allegedly yelling obscenities at the owner until unplugged. (4) October 10, 2024: An ABC Australia report presents confirmation of the hackability of the Deebot X2 and explaining the ongoing risk posed by the security flaws. Ecovacs responds to the incidents and attributes them to credential stuffing and denying a system breach. Ecovacs promises a security upgrade for the X2 series in November 2024. The Ecovacs statement can be read here: https://live-production.wcms.abc-cdn.net.au/d22cf5c9f95808b90a58ccae58a05b76.
Alleged: Ecovacs developed an AI system deployed by Ecovacs Deebot X2 と Ecovacs, which harmed Ecovacs customers , Ecovacs Deebot X2 users と Daniel Swenson.
インシデントのステータス
Risk Subdomain
A further 23 subdomains create an accessible and understandable classification of hazards and harms associated with AI
2.2. AI system security vulnerabilities and attacks
Risk Domain
The Domain Taxonomy of AI Risks classifies risks into seven AI risk domains: (1) Discrimination & toxicity, (2) Privacy & security, (3) Misinformation, (4) Malicious actors & misuse, (5) Human-computer interaction, (6) Socioeconomic & environmental harms, and (7) AI system safety, failures & limitations.
- Privacy & Security
Entity
Which, if any, entity is presented as the main cause of the risk
Human
Timing
The stage in the AI lifecycle at which the risk is presented as occurring
Post-deployment
Intent
Whether the risk is presented as occurring as an expected or unexpected outcome from pursuing a goal
Intentional