IoT Security Nightmare for CRE: Hacked Vacuums Raise Alarm in Smart Properties

There’s been a strange wave of cyberattacks in the U.S. and the targets have been robotic vacuum cleaners — Ecovacs Deebot X2 Omni robotic vacuums, specifically.

Over the last week, there have been multiple stories about owners of these getting surprised by the digital attacks. Someone gained control over these devices and started shouting obscenities at the owners according to the Australian outlet ABC News (not to be confused with the U.S. version).

An example was Minnesota lawyer Daniel Swenson, who had been watching TV. “It sounded like a broken-up radio signal or something,” he told the ABC. “You could hear snippets of maybe a voice.”

Swenson checked the device’s app and noticed that someone had it under control and was using the vacuum’s camera. He reset the password and then sat with his wife and child to watch television.

The vacuum started again, this time screaming racist language repeatedly. Swenson shut off the machine, brought it out to the garage, and left it there.

Strange? Amusing? No, for a CRE owner, it should be disturbing. There is a lot of pressure on property owners to find ways to make property costs as low and efficient as possible. Does that mean robotic vacuums? Maybe, but the moral of the story is the potential ubiquity of networked devices. They could include sensors for temperature, water leaks, television, phone services, refrigerators, HVAC, and who knows what else will eventually get tied in.

That is an enormous problem. Security for networked devices is often poorly implemented and there is no way to tell by outward examination whether a given product has been or could be compromised.

Could a malicious actor make a television scream at a tenant? No way to know until patience and ill luck provide an answer sometime in the future. Or until a controlled device is able to capture sensitive data or embarrassing images and relay them to a criminal who might sell the information or use something as blackmail to further interests in the operations of a tenant’s employer.

It may sound crazy, but the remote takeover of a vacuum cleaner might have also seemed a tad ridiculous before. The design and structure of all the niceties of electronic enhancements might be secure, or maybe not. It suggests a deep need for digital defense strategies. Who has the time, money, or expertise?