Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos.

Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the night-vision camera and mic, and take control of the Roomba rip-off.

Think of it as a handy little spy-on-wheels.

The security issues, discovered by PT's Leonid Krolle and Georgy Zaytsev, likely affect products sold under other brands as well.

The first vulnerability (CVE-2018-10987) involves remote code execution. A hacker can discover the vacuum on the same wireless network by obtaining its MAC address, and then send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum. A miscreant must first log onto the device, but this process is trivial because many still have the default username and password combination (admin and 888888).

Attackers need physical access to exploit the second vulnerability (CVE-2018-10988). A microSD card could be used to exploit weaknesses in the vacuum's update mechanism.

Hackers could write an attack script and place it on a memory card in the upgrade_360 folder. If the vacuum is restarted with the SD card inserted, the appliance's update system installs files from the upgrade_360 folder into its firmware with superuser rights, without any digital signature or legitimacy checks.

This script could easily be a hacking utility or tool, such as a sniffer to intercept private data sent over Wi-Fi by other devices.
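The check the update path lacks, as an added example that is not code from the article, PT or Diqee: the device accepts the `upgrade_360` folder only if a vendor-signed manifest matches its contents exactly. The manifest format, the function names and the demo key are assumptions made for illustration, and the hand-written RSA check stands in for a vetted crypto library.

```python
import hashlib, os, tempfile

# Constructed demo RSA key built from two Mersenne primes. Illustration only:
# a real device stores just (N, E) and verifies with a vetted crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, vendor build host only
K = (N.bit_length() + 7) // 8
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256

def _em(msg: bytes) -> int:
    """PKCS#1 v1.5 encoded message for SHA-256, as an integer."""
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def sign(msg: bytes) -> int:
    """Vendor side (hypothetical): sign the manifest at build time."""
    return pow(_em(msg), D, N)

def build_manifest(root: str) -> bytes:
    """One 'sha256  relative/path' line per file under root, sorted by path."""
    entries = []
    for d, _, names in os.walk(root):
        for n in names:
            path = os.path.join(d, n)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            entries.append((os.path.relpath(path, root).replace(os.sep, "/"), digest))
    return "\n".join(f"{h}  {p}" for p, h in sorted(entries)).encode()

def verify_update(root: str, manifest: bytes, sig: int) -> bool:
    """Device side: True only for a signed manifest that matches the folder exactly."""
    if not (0 < sig < N) or pow(sig, E, N) != _em(manifest):
        return False                          # not signed by the vendor key
    return build_manifest(root) == manifest   # no changed, missing or extra files

def demo() -> dict:
    with tempfile.TemporaryDirectory() as card:   # stands in for the microSD card
        root = os.path.join(card, "upgrade_360")
        os.makedirs(root)
        with open(os.path.join(root, "firmware.bin"), "wb") as f:
            f.write(b"constructed firmware image")
        manifest = build_manifest(root)
        sig = sign(manifest)
        genuine = verify_update(root, manifest, sig)
        with open(os.path.join(root, "run.sh"), "w") as f:   # unsigned file added later
            f.write("#!/bin/sh\n")
        extra = verify_update(root, manifest, sig)
        forged = verify_update(root, build_manifest(root), sig)  # new manifest, old signature
        return {"genuine": genuine, "extra_file": extra, "forged_manifest": forged}
```

In this layout the manifest and its signature live outside `upgrade_360`, and the installer would refuse to copy anything when `verify_update` returns False.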

These vulnerabilities may also affect other IoT devices using the same video modules as the affected Dongguan Diqee 360 vacuum cleaners. Vulnerable kit includes outdoor surveillance cameras, DVRs, and smart doorbells, according to PT.

Leigh-Anne Galloway, cyber security resilience lead at PT, outlined the potential consequences of the vacuum's security shortcomings: "Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a 'microphone on wheels' for maximum surveillance potential."

El Reg relayed PT's findings to Diqee along with a request for comment. We'll update this story as and when we hear more.

It's not the first time security researchers have warned that hacked robo-vacuum cleaners could spy on users' homes. Check Point went public with such a set of vulnerabilities in LG SmartThinQ smart home devices last October, shortly after the manufacturer had fixed the flaws.

We're reliably told by an IoT security expert that the Diqee case is something of an outlier and that the security of bigger brands' vacuum cleaners is these days "actually fairly secure".

Which is nice.

Eurocrats bottle it on IoT regulations

In related IoT insecurity news, security experts and consumer groups have slammed EU proposals to make security certification voluntary for consumer IoT devices.

Ken Munro, a director of security consultancy Pen Test Partners, described the proposals as "yet another missed opportunity to sort out the mess of IoT".

Munro's criticisms are echoed by those of European consumer organisation BEUC. "The [EU] parliament regrettably missed an opportunity to establish mandatory security requirements for connected products such as smart watches, baby monitors or smart locks," it said.

Munro – who has hacked internet-connected devices ranging from so-called smart kettles to a Mitsubishi Outlander electric car – told El Reg that he was hopeful forthcoming UK IoT cyber-security guidelines would have more teeth. ®
