The Internet of Things (IoT) is becoming ever more popular due to its ease of use. However, given how frequently vulnerabilities are reported in IoT devices, one can fairly say it is still in its “infancy” as regards cyber security. Around a month ago, researchers discovered a number of critical vulnerabilities in IP cameras. Now, another group of researchers has discovered a few critical vulnerabilities in robotic vacuum cleaners. Allegedly, these flaws could turn your vacuum cleaner into a spy.
Robotic Vacuum Cleaners Turning Into Spies
Researchers at Positive Technologies disclosed their latest discovery in a blog post on Thursday. Reportedly, two researchers, Leonid Krolle and Georgy Zaytsev, discovered two vulnerabilities in robotic vacuum cleaners made by Dongguan Diqee. More specifically, they reported the flaws in the Diqee Camera Robotic Vacuum Cleaner.
As explained in their blog, the first RCE vulnerability (CVE-2018-10987) could allow an attacker to take over the device.
“An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in the execution of a command with superuser rights on the vacuum. The vulnerability resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153). To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888).”
The second vulnerability (CVE-2018-10988) requires the attacker to have physical access to the device, although simply being able to insert a microSD card is enough. With that access, the attacker can exploit weaknesses in the vacuum cleaner's update mechanism.
“After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.”
After hacking the vacuum cleaner, the attacker could potentially access other devices on the network.
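The check that the update mechanism is described as lacking, as an added example (not Diqee's or Positive Technologies' code): nothing in the update folder is accepted unless a manifest signed with the vendor's key lists it with a matching hash. The `manifest.txt` and `manifest.sig` file names, the choice of Ed25519, and the function name `VerifyUpdateDir` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Assumed layout: manifest.txt has "<sha256-hex> <file>" lines, manifest.sig signs it.
func VerifyUpdateDir(dir string, vendorKey ed25519.PublicKey) ([]string, error) {
	manifest, err1 := os.ReadFile(filepath.Join(dir, "manifest.txt"))
	sig, err2 := os.ReadFile(filepath.Join(dir, "manifest.sig"))
	entries, err3 := os.ReadDir(dir)
	if err1 != nil || err2 != nil || err3 != nil || !ed25519.Verify(vendorKey, manifest, sig) {
		return nil, fmt.Errorf("manifest missing or signature invalid")
	}
	want := map[string]string{} // file name -> SHA-256 taken from the signed manifest
	for _, line := range strings.Split(string(manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			want[f[1]] = f[0]
		}
	}
	var approved []string
	for _, e := range entries {
		name := e.Name()
		if name == "manifest.txt" || name == "manifest.sig" {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil || want[name] != fmt.Sprintf("%x", sha256.Sum256(data)) {
			return nil, fmt.Errorf("%q is not covered by the signed manifest", name) // fail closed
		}
		approved = append(approved, name)
	}
	return approved, nil
}

func main() { // demo: a constructed update folder signed with a throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	dir, _ := os.MkdirTemp("", "upgrade_360")
	fw := []byte("constructed firmware image")
	m := []byte(fmt.Sprintf("%x fw.bin\n", sha256.Sum256(fw)))
	os.WriteFile(filepath.Join(dir, "fw.bin"), fw, 0o600)
	os.WriteFile(filepath.Join(dir, "manifest.txt"), m, 0o600)
	os.WriteFile(filepath.Join(dir, "manifest.sig"), ed25519.Sign(priv, m), 0o600)
	fmt.Println(VerifyUpdateDir(dir, pub))
}
```

On a real device the verified bytes should be copied to internal storage and run from there, so the card cannot be swapped between the check and the use.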
This Is Far From the First Report of an IoT Vulnerability
Commenting on the flaws, Leigh-Anne Galloway, the lead of Cyber Security Resilience, said:
“Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner.”
A few decades ago, one might never have thought of a vacuum cleaner turning into a spy; however, we presume this is something that will only become more prevalent. We have already reported how hackers could exploit IP cameras to spy on you. Likewise, researchers disclosed how hackers could exploit flaws in DVRs and routers through a botnet.
The only way to protect oneself from IoT-based attacks is to take a proactive approach to their prevention. We strongly recommend that our readers use IoT scanner tools, secure their Wi-Fi, and avoid making these devices externally accessible wherever possible.