CVE-2024-12078
📋 TL;DR
ECOVACS robot lawn mowers and vacuums use a static, shared secret key to encrypt Bluetooth Low Energy (BLE) GATT messages. Because possession of that key is the only thing that authenticates a sender, an unauthenticated attacker within BLE range who has obtained the key once can control any robot that shares it. This affects all ECOVACS robot models that rely on this BLE scheme.
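The following is an added illustration, not ECOVACS code and not the real key or protocol: it models why a fleet-wide static key is equivalent to no authentication, and contrasts it with per-device keys plus replay protection. The cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag), the `STATIC_FLEET_KEY` placeholder, the command strings and the `Robot` class are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder standing in for the vendor-wide key the advisory
# describes. The real ECOVACS key is NOT reproduced here; any value shows the flaw.
STATIC_FLEET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

TAG_LEN = 16
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into a keystream with HMAC-SHA256 in counter mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns seq(4) || nonce(12) || ciphertext || tag(16)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">I", seq) + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return (seq, plaintext), or None if the tag does not verify under `key`."""
    if len(blob) < 4 + NONCE_LEN + TAG_LEN:
        return None
    header, body = blob[:4 + NONCE_LEN], blob[4 + NONCE_LEN:]
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">I", header[:4])[0]
    ks = _keystream(key, header[4:], len(ct))
    return seq, bytes(c ^ k for c, k in zip(ct, ks))


class Robot:
    """Toy model of a robot's GATT write handler; `key` is whatever the firmware trusts."""

    def __init__(self, name: str, key: bytes, replay_protection: bool):
        self.name = name
        self.key = key
        self.replay_protection = replay_protection
        self.last_seq = -1
        self.state = "IDLE"

    def gatt_write(self, blob: bytes) -> bool:
        """Apply a command if it authenticates; return whether it was accepted."""
        result = open_sealed(self.key, blob)
        if result is None:
            return False
        seq, cmd = result
        if self.replay_protection and seq <= self.last_seq:
            return False  # replayed or reordered message
        self.last_seq = seq
        self.state = cmd.decode()
        return True


def demo_static_key() -> bool:
    """Vulnerable design: the whole fleet shares one key, so one key controls every robot."""
    victim = Robot("neighbour's mower", STATIC_FLEET_KEY, replay_protection=False)
    # The attacker learned STATIC_FLEET_KEY once, from any robot, and has never
    # paired with or even seen this particular robot before.
    forged = seal(STATIC_FLEET_KEY, seq=1, plaintext=b"START_MOWING")
    return victim.gatt_write(forged) and victim.state == "START_MOWING"


def demo_per_device_key() -> dict:
    """Hardened design: a per-device key from pairing plus a monotonic sequence number."""
    key_a, key_b = secrets.token_bytes(16), secrets.token_bytes(16)  # assumed: set at pairing
    robot_a = Robot("owner's mower", key_a, replay_protection=True)
    robot_b = Robot("neighbour's mower", key_b, replay_protection=True)

    legit = seal(key_a, seq=1, plaintext=b"START_MOWING")
    accepted_legit = robot_a.gatt_write(legit)
    # An attacker who extracted robot A's key still cannot drive robot B ...
    cross_device = robot_b.gatt_write(seal(key_a, seq=1, plaintext=b"START_MOWING"))
    # ... and replaying A's captured message back to A is rejected by the sequence check.
    replay = robot_a.gatt_write(legit)
    return {"legit": accepted_legit, "cross_device": cross_device, "replay": replay}


if __name__ == "__main__":
    print("static key, forged command accepted by a stranger's robot:", demo_static_key())
    print("per-device key:", demo_per_device_key())
```

The point of the contrast is that encryption on its own is not the control that matters here: both designs encrypt, but only the second one ties acceptance of a command to a secret that is unique to the robot and its owner, and only the second one stops a captured packet from being replayed.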
💻 Affected Systems
- ECOVACS robot lawn mowers
- ECOVACS robot vacuums
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker within BLE range could take control of a robot to cause physical damage or injury (lawn mowers carry cutting blades), drive it to where it can be stolen, or, if the robot also has Wi-Fi, use it as a foothold on the local network.
Likely Case
Attackers within BLE range (typically tens of meters, up to about 100 meters with line of sight and a good antenna) could start or stop robots, change settings, or disrupt cleaning or mowing as a prank or nuisance attack.
If Mitigated
Network segmentation does not prevent the attack, since it happens over BLE, but it keeps a compromised robot from reaching other systems; combined with physical access controls, impact is limited to local disruption of robot functions.
🎯 Exploit Status
Exploitation was demonstrated at the 37C3 conference, with proof-of-concept tools available. The attack needs only a BLE-capable device within range and the static key; because the key is shared across devices, it has to be recovered once, not per target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Contact ECOVACS support for firmware update information.
🔧 Temporary Workarounds
Disable BLE when not in use
Turn off Bluetooth connectivity on the robot when not actively controlling it via the app, using the ECOVACS app's device settings where the model offers that option.
Physical security controls
Restrict physical access to areas where robots operate so attackers cannot get within BLE range.
🧯 If You Can't Patch
- Segment the robot's network from critical systems if the robot has Wi-Fi connectivity
- Monitor for BLE connections to the robot's address from centrals you do not recognise, using a Bluetooth scanner or sniffer
🔍 How to Verify
Check if Vulnerable:
Using BLE tooling on a robot you own, check whether it accepts a GATT write encrypted with the known static key; any robot that does is vulnerable, since the key is the same for every unit.
Check Version:
Check firmware version in ECOVACS mobile app under device settings
Verify Fix Applied:
Check if robot firmware has been updated to use unique per-device keys or proper authentication
📡 Detection & Monitoring
Log Indicators:
- Unexpected robot activation/deactivation
- Settings changes not initiated by authorized user
Network Indicators:
- BLE connections to the robot's address from central addresses you do not recognise
- Note that failed authentication attempts are not a useful indicator: with a static key there are no per-user credentials to fail, and an attacker holding the key is accepted on the first try
SIEM Query:
Not applicable - primarily physical/Bluetooth based attack