The only thing that sucks more than this robotic vacuum is its security measures
The security flaw could allow someone to take over the device’s 360-degree camera remotely.
Researchers at Positive Technologies have discovered vulnerabilities affecting the Dongguan Diqee 360 lineup of robotic vacuum cleaners. The security flaw could allow someone to take over the device’s 360-degree camera remotely, according to TechCrunch.
According to the researchers, the remote code execution vulnerability, tracked as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system admin privileges. The security hole is contained within the REQUEST_SET_WIFIPASSWD function, and exploiting it requires authentication, though a default username and password combo is common (admin/888888).
These vacuum cleaners are equipped with Wi-Fi and a 360-degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device.
As TechCrunch explains,
The researchers suspect that the vulnerability in the Dongguan Diqee 360 robotic vacuum model might affect other products sharing the video module including outdoor surveillance video cameras, smart doorbells and DVRs. Diqee also manufactures vacuums sold under other brands as well and researchers suspect that those devices would also be affected by the vulnerability.
Positive Technologies also discovered another vulnerability affecting the vacuum cleaner model. CVE-2018-10988 requires physical access through the SD card slot to compromise the machine.
Although the organization did contact Diqee about both issues, no fix has yet been issued.
With any IoT device, privacy and security are always a concern. iRobot’s Roomba has had similar concerns brought up over the years, but nothing anywhere near this level (side note – see this detailed Roomba review series here).
Positive Technologies Cybersecurity Lead Leigh-Anne Galloway concludes,
Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners.
Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.
If you own one of these robots, your best bet is to turn off Wi-Fi on the device until a bug fix is released. Otherwise, you’re opening yourself up to some risk.
Have you ever had a camera in your home hacked? What did you do about it?