SECURITY RESEARCHERS have found a security flaw in a robotic vacuum cleaner, proving that absolutely nothing is safe these days if it connects to the internet.
The vulnerability was uncovered by enterprise security company Positive Technologies and found to be affecting the Chinese maker Dongguan's Diqee 360 range of robotic vacuum cleaners.
Controlled via a smartphone, the smart suckers are connected to the internet via WiFi and sport a 360-degree camera for a mode known as "dynamic monitoring" that sees the machine double up as a home surveillance device. It's this feature that could enable hackers to compromise the device and spy on users.
The remote code execution vulnerability is tracked as CVE-2018-10987 and, if exploited, can give hackers who obtain the device's MAC address system admin privileges.
Posted on GitHub, it reads: "The affected vacuum cleaners suffer from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root.
"The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account."
Basically, the vulnerability lies in the function to set a WiFi password, where cyber crooks can easily gain access and take charge of the device by entering the default username and password combination (admin:888888), which the manufacturer does not change.
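The bug class the advisory describes, as an added C example (not the device's firmware and not code from the advisory): a value pasted into a command line that a shell parses, beside a hardened form that validates the value and executes the program directly. Only the script path comes from the page; the function names, the allow-list policy and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCRIPT  "/mnt/skyeye/mode_switch.sh"   /* path quoted in the advisory */
#define ALLOWED "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-"

/* Weak pattern: the value is pasted into a line that system() would hand to
 * /bin/sh, so shell metacharacters in it are interpreted instead of being data. */
int build_shell_line(char *out, size_t n, const char *value) {
    return snprintf(out, n, SCRIPT " %s", value);
}

/* Allow-list (assumed policy): 1..63 chars from ALLOWED, no leading '-'. */
int value_is_safe(const char *v) {
    size_t len = strlen(v);
    if (len == 0 || len > 63 || v[0] == '-') return 0;
    return strspn(v, ALLOWED) == len;
}

/* Hardened form: validate, then exec the program directly with the value as
 * one argv element, so no shell parses it. Returns exit status, or -1. */
int run_without_shell(const char *prog, const char *value) {
    if (!value_is_safe(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)value, NULL };
        execv(prog, argv);
        _exit(127);                      /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char line[256];
    const char *constructed = "modeA;echo x";   /* constructed sample input */
    build_shell_line(line, sizeof line, constructed);
    printf("weak pattern would pass to sh: %s\n", line);
    printf("allow-list verdict: %d\n", value_is_safe(constructed));
    return 0;
}
```

The allow-list should be set to whatever grammar the field really needs; the direct `execv` call is what removes the shell from the path.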
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, commented: "The majority of owners of IoT devices would not consider their items a security risk, although they could constitute a major vulnerability, which is why this discovery is key to drawing attention to the threats posed by IoT devices in general as well as this specific device."
"Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that's not even the worst-case scenario, at least for owners," she added.
"Since the vacuum has WiFi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a 'microphone on wheels' for maximum surveillance potential."