Enabot Ebo Air smart robot hacking flaw found, and fixed

An attacker could have used this vulnerability to hack the cute smart Enabot Ebo Air robot and use it as a mobile surveillance device in someone's home. Flaw shows the need for legislation in smart product security 
Andrew LaughlinPrincipal researcher & writer

The Enabot Ebo Air is a smart robot for your home designed to entertain you, the kids or even your pets. However, it was less than amusing when specialist security lab, Modux, found a way for a hacker to compromise the robot. 

The attacker could move the robot, use the camera, record video, speak through the microphone, and more. This could enable someone to run surveillance on your home, or even speak to your family. 

And the worrying thing was that you would have had no idea that the robot had been hacked as the attacker could lurk silently in the background. 

Tech tips you can trust – get our free Tech newsletter for advice, news, deals and stuff the manuals don’t tell you

Hacked to become a remote-controlled spy

During testing, Modux found that the Ebo Air robot came pre-configured with a default administrator password, and an attacker could use this to connect the robot via SSH (secure shell), a network communication protocol used by computers to talk to each other. 

From here, the hacker could access various functions of the robot, including video and audio feeds to use it as a surveillance device. They could potentially even gain full control of it, and the owner would not even know it had been hacked. 

The attacker would have to hack your home wi-fi at first to do this. But with router security often so poor, this wouldn't be hard. 

And while we didn't manage it during our testing, Modux believes it would be possible to eventually secure remote access on the robot, meaning the attacker could gain control of it from anywhere, at any time. 

Even more concerning was that this exploit was possible on any Ebo Air robot on sale or in use in people's homes right now, as they all had the same shared default password. So if a hacker could gain remote control over one Ebo Air using this method, they could potentially control them all. 

Want to improve your home's security? See our burglar alarm and smart security system reviews to find out which we recommend.

You wi-fi password held on the device

We also found another issue during testing that could be a problem if you were to sell the robot on after you've finished using it. 

This involved the device not being completely wiped when you did a factory reset. So your stored wi-fi password was still accessible on the device. 

This could be a big problem if you were to sell the device and the new owner were to work out how to access your home wi-fi and also potentially know where you live. 

Enabot responds

We contacted Enabot about our findings and the company responded very positively, fixing the vulnerabilities and removing the threat. 

This involved terminating the SSH service (which was not actually in use anyway), and so cutting off the opportunity to seize control of the device.

Enabot has also addressed the issue of the insecure factory reset of data. 

If you already own an Ebo Air, make sure you run any updates to the app and device to get these latest security fixes.

Flaw shows why we need product security legislation

Companies that make smart products should ensure that they are built with security in mind, and then maintain them with updates and fixes if vulnerabilities are discovered. 

However, the fact remains that there are currently no legal requirements that smart products meet a basic standard of security, and so you can't always rely on companies to do the right thing. 

Following years of campaigning by us, the government is introducing the Product Security and Telecommunications Infrastructure (PSTI) Bill. This will make it illegal for a product to be sold with weak and generic default passwords. 

Brands will also need a clear point of contact for vulnerability disclosures (like we did with Enabot) and they will have to tell you when you buy the product how long they will maintain it with software updates. 

We are broadly supportive of the Bill but feel it could go further in three key areas:

  • Online marketplaces Which? research has repeatedly shown that insecure products are sold via marketplaces, listing sites and auction sites, and so the legislation must cover everywhere that consumers buy smart products. 
  • Update support minimums Being transparent is not enough. We want minimum periods to be imposed for how long a company should support a TV, washing machine, or other product with important security updates. 
  • Consumer rights If you own an insecure smart device, you should be able to argue that it is faulty and then get a refund or replacement as per their legal rights under the Consumer Rights Act 2015.

We will continue to campaign to make the PSTI bill protect consumers as much as possible. Check back to Which.co.uk for regular updates as the bill passes through Parliament and eventually becomes law. 

Tech tips you can trust – get our free Tech newsletter for advice, news, deals and stuff the manuals don’t tell you

Related articles