Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*

Cat stares at vacuum cleaner robot. Photo by shutterstock

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos.

Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the night-vision camera and mic, and take control of the Roomba rip-off.

Think of it as a handy little spy-on-wheels.

The security issues, discovered by PT's Leonid Krolle and Georgy Zaytsev, likely affect products sold under other brands as well.

The first vulnerability (CVE-2018-10987) is an authenticated remote command execution bug. An attacker on the same wireless network can locate the vacuum by its MAC address and then send a UDP request which, if crafted in a specific way, results in a command being executed with superuser rights on the vacuum. The attacker must first log onto the device, but that step is trivial because many units still use the default username and password (admin and 888888) – the first thing any owner should change.

The second vulnerability (CVE-2018-10988) needs physical access: a microSD card is used to abuse the vacuum's firmware update mechanism.

An attacker writes a script, places it in a folder named upgrade_360 on the card, and inserts the card into the vacuum. When the appliance is restarted with the card in place, its update system installs whatever is in upgrade_360 into the firmware with superuser rights, without any digital signature or other legitimacy check on the files.

This script could easily be a hacking utility or tool, such as a sniffer to intercept private data sent over Wi-Fi by other devices.
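To make the failure mode concrete, here is a constructed model of the SD-card update path in Python. It is an added example, not code from the Diqee firmware or from PT's research: `install_unsigned()` does what the article describes (everything in `upgrade_360/` is installed, unchecked), and `install_signed()` is the check a practitioner would want instead. The manifest and signature filenames, the vendor key and the "sniffer" script contents are all assumptions made for the example; HMAC stands in for a real signature only so the code runs on the standard library.

```python
"""Constructed model of an SD-card updater: the unsigned path the article
describes next to a hardened path that verifies a signed manifest first."""
import hashlib
import hmac
import os
import shutil
import tempfile

UPGRADE_DIR = "upgrade_360"      # folder name from the PT write-up
MANIFEST = "manifest.txt"        # assumed filename, not from the device
SIGNATURE = "manifest.sig"       # assumed filename, not from the device


class UpdateRejected(Exception):
    pass


def install_unsigned(sd_root, firmware_root):
    """Vulnerable path: copy every file in upgrade_360/ into firmware, unchecked."""
    src = os.path.join(sd_root, UPGRADE_DIR)
    installed = []
    for name in sorted(os.listdir(src)):
        shutil.copy(os.path.join(src, name), os.path.join(firmware_root, name))
        installed.append(name)
    return installed


def build_manifest(upgrade_dir):
    """One 'sha256  filename' line per payload file (manifest and sig excluded)."""
    lines = []
    for name in sorted(os.listdir(upgrade_dir)):
        if name in (MANIFEST, SIGNATURE):
            continue
        with open(os.path.join(upgrade_dir, name), "rb") as f:
            lines.append(f"{hashlib.sha256(f.read()).hexdigest()}  {name}")
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest, key):
    """HMAC stands in for a real signature so this runs on the standard library.
    A shipping updater must use an asymmetric scheme (e.g. Ed25519) so the
    verifying key stored on the device cannot be used to forge updates."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()


def install_signed(sd_root, firmware_root, key):
    """Hardened path: verify the manifest signature, then every hash, then copy."""
    src = os.path.join(sd_root, UPGRADE_DIR)
    try:
        with open(os.path.join(src, MANIFEST), "rb") as f:
            manifest = f.read()
        with open(os.path.join(src, SIGNATURE), "rb") as f:
            sig = f.read()
    except FileNotFoundError:
        raise UpdateRejected("manifest or signature missing") from None
    if not hmac.compare_digest(sig, sign_manifest(manifest, key)):
        raise UpdateRejected("manifest signature does not verify")
    expected = {}
    for line in manifest.decode().splitlines():
        digest, name = line.split("  ", 1)
        if os.sep in name or name in (".", ".."):   # no path escape via manifest
            raise UpdateRejected(f"bad filename in manifest: {name!r}")
        expected[name] = digest
    for name, digest in expected.items():
        with open(os.path.join(src, name), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                raise UpdateRejected(f"hash mismatch for {name}")
    # nothing is copied until the whole set has verified
    for name in expected:
        shutil.copy(os.path.join(src, name), os.path.join(firmware_root, name))
    return sorted(expected)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def _card(root, files):
    """Lay out a fake SD card with {name: bytes} inside upgrade_360/."""
    d = os.path.join(root, UPGRADE_DIR)
    os.makedirs(d)
    for name, data in files.items():
        _write(os.path.join(d, name), data)
    return d


def demo():
    """Attacker card vs vendor card vs tampered vendor card; returns outcomes."""
    key = b"vendor-signing-key-stand-in"   # constructed, see sign_manifest
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        fw = os.path.join(tmp, "fw")
        os.makedirs(fw)
        # 1. attacker's card: a script dropped straight into upgrade_360/
        evil = os.path.join(tmp, "evil")
        _card(evil, {"sniffer.sh": b"#!/bin/sh\ntcpdump -i wlan0 -w /tmp/c.pcap &\n"})
        out["unsigned"] = install_unsigned(evil, fw)
        try:
            install_signed(evil, fw, key)
            out["evil_signed"] = "installed"
        except UpdateRejected as e:
            out["evil_signed"] = str(e)
        # 2. vendor's card: payload plus a signed manifest covering it
        good = os.path.join(tmp, "good")
        d = _card(good, {"vacuum.bin": b"legit firmware image"})
        m = build_manifest(d)
        _write(os.path.join(d, MANIFEST), m)
        _write(os.path.join(d, SIGNATURE), sign_manifest(m, key))
        out["good_signed"] = install_signed(good, fw, key)
        # 3. same card after the payload is swapped: signature still verifies,
        #    but the file hash no longer matches the signed manifest
        _write(os.path.join(d, "vacuum.bin"), b"backdoored image")
        try:
            install_signed(good, fw, key)
            out["tampered"] = "installed"
        except UpdateRejected as e:
            out["tampered"] = str(e)
    return out
```

Running `demo()` shows the contrast: the unsigned path installs `sniffer.sh` from the attacker's card, while the signed path refuses it (no manifest), accepts the vendor card, and refuses the same card once its payload has been altered. The point of signing a manifest of hashes rather than each file is that one verification covers the whole set and a partially verified update is never written.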

These vulnerabilities may also affect other IoT devices using the same video modules as the affected Dongguan Diqee 360 vacuum cleaners. Vulnerable kit includes outdoor surveillance cameras, DVRs, and smart doorbells, according to PT.

Leigh-Anne Galloway, cyber security resilience lead at PT, outlined the potential consequences of the vacuum's security shortcomings: "Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a 'microphone on wheels' for maximum surveillance potential."


El Reg relayed PT's findings to Diqee along with a request for comment. We'll update this story as and when we hear more.

It's not the first time security researchers have warned that hacked robo-vacuum cleaners could spy on users' homes. Check Point went public with such a set of vulnerabilities in LG SmartThinQ smart home devices last October, shortly after the manufacturer had fixed the flaws.

We're reliably told by an IoT security expert that the Diqee case is something of an outlier and that the security of bigger brands' vacuum cleaners is these days "actually fairly secure".

Which is nice.

Eurocrats bottle it on IoT regulations

In related IoT insecurity news, security experts and consumer groups have slammed EU proposals that would make security certification voluntary for consumer IoT devices.

Ken Munro, a director of security consultancy Pen Test Partners, described the proposals as "yet another missed opportunity to sort out the mess of IoT".

Munro's criticisms are echoed by those of European consumer organisation BEUC. "The [EU] parliament regrettably missed an opportunity to establish mandatory security requirements for connected products such as smart watches, baby monitors or smart locks," it said.

Munro – who has hacked internet-connected devices ranging from so-called smart kettles to a Mitsubishi Outlander electric car – told El Reg that he was hopeful forthcoming UK IoT cyber-security guidelines would have more teeth. ®