Imagine settling down for a quiet evening, only to have your robotic vacuum suddenly come to life—not to clean, but to spew racist slurs and chase your pets around the house. This alarming scenario became a reality for several U.S. residents earlier this year, when hackers managed to seize control of Ecovacs Deebot X2 Omni robotic vacuums in cities like Los Angeles, El Paso, and Minneapolis.

ABC News in Australia broke the story, recounting a disturbing incident involving Minnesota lawyer Daniel Swenson. Swenson described the initial shock as a “broken-up radio signal” emerged from his robovac’s speaker while he was watching TV with his family. At first, it seemed like a glitch. But after resetting his password and rebooting the device, Swenson’s Deebot X2 Omni started broadcasting a much more sinister message—this time in the form of clear, audible slurs. The voice sounded like that of a teenager, he guessed.

Swenson wasn’t alone. Other Deebot X2 Omni owners came forward with similar tales, including an owner in Los Angeles who claimed their robovac had been used to harass their dog. Hackers had apparently gained control of the vacuum, maneuvering it to chase the animal while shouting at it through the device’s built-in speaker.

While terrifying, this type of attack shines a spotlight on the larger issue plaguing the growing smart home device market—security vulnerabilities.

What went wrong?

Ecovacs, the company behind the Deebot X2 Omni, acknowledged the breach, stating that the attack stemmed from a “credential stuffing event.” This type of attack occurs when hackers use stolen username-password combinations from other services in an attempt to break into a separate account. In this case, it appears some users had reused weak or previously compromised passwords across different platforms, allowing hackers to seize control of their Deebots. Ecovacs claims that it quickly blocked the IP address involved and reassured users that no usernames or passwords had been harvested in the breach.

However, this wasn’t the first time the Deebot X2 had been exposed as a security risk. Last year, researchers demonstrated how they could bypass the vacuum’s PIN entry system, giving them unauthorized access to the device. Although Ecovacs stated that it patched this specific flaw, security researchers and watchdogs remain skeptical. In fact, just a few weeks prior to this latest attack, ABC News conducted an investigation showing how vulnerabilities in the Deebot X2’s Bluetooth system could also be exploited.

Ecovacs has promised a new update in November aimed at bolstering security, but there’s no word on whether it will fully resolve the Bluetooth issue or other potential gaps in protection.

A broader issue with smart home devices

This isn’t the first time a smart home device has been turned against its owner. Over the past few years, a growing number of cloud-connected gadgets have been infiltrated by hackers, from baby monitors to doorbell cameras. In some cases, attackers manage to commandeer the device’s functionality, while in others, users simply log in and find they’re viewing another owner’s camera feed by mistake—a chilling reminder of the security risks that come with modern conveniences.

A common denominator in many of these incidents is the constant internet connection required by many smart devices. While this connectivity allows users to monitor and control their homes remotely, it also opens up new avenues for attack if companies don’t prioritize security. The fact that many manufacturers don’t offer straightforward ways for users to report vulnerabilities—or address them quickly—only makes the situation worse.

For example, in this Deebot incident, owners likely weren’t even aware their vacuums were vulnerable until it was too late. With so many people buying smart home products, from thermostats to security systems, it’s easy to forget that these devices can often be the weakest link in a home’s digital defenses.

What can consumers do?

Unfortunately, securing your smart home devices isn’t as simple as locking your front door. Hackers often exploit lax password habits—like reusing credentials across multiple services—so step one is using strong, unique passwords for every device. Enabling two-factor authentication (if available) adds an extra layer of protection, requiring both your password and a secondary code to gain access.

Beyond passwords, regularly updating device firmware is crucial. Many companies release patches to fix vulnerabilities, but if you don’t update, those security gaps remain open. Staying vigilant and monitoring your devices for unusual behavior, as Daniel Swenson did, could also help catch an attack before it escalates.

Lastly, consumers should hold companies accountable. If a smart home product lacks transparency around its security measures or fails to release timely updates, consider switching to a brand with a better track record. Security should never be an afterthought, especially when hackers can turn a helpful household tool into a nightmare-inducing terror.

For now, Deebot X2 Omni owners are holding their breath until November’s promised update rolls out. Whether that will be enough to prevent another round of robovac hijackings remains to be seen.