
Nightvision Vacuum Cleaner’s Vulnerability Disclosed

Robot vacuum cleaners are not immune to cyberattacks, as one London-based company has found.

Positive Technologies experts have uncovered security vulnerabilities within Chinese company Diqee’s robotic 360 vacuum cleaners.

It seems that vacuum cleaners don’t just clean up floors, but could also perform video surveillance and mop up your personal data.

Diqee’s robotic vacuum cleaner has a 360-degree video camera that can be used for video calls while being used for night surveillance.

The user can use Wi-Fi remote control by connecting their smartphone to the vacuum cleaner via an app.

The vacuum features dynamic monitoring, which allows it to automatically monitor and take photos of the house while sending notifications to the phone in real time.

An illustration of the hoover from Diqee’s marketing collateral

What Are the Vulnerabilities?

There are a couple of vulnerabilities in the robotic vacuum cleaner that attackers can tap into, involving remote and physical access.

The first vulnerability involves remote code execution, where an attacker can access the network by obtaining its MAC address and sending a UDP request to access the vacuum cleaner. Most of the affected Diqee robotic vacuum cleaners have a default username and password (admin: 888888), which makes it easier for an attacker to gain access.

The second method involves attackers having physical access to a Diqee vacuum cleaner. A microSD card could be used to exploit weaknesses within the vacuum’s update mechanism.

When the card is inserted into the vacuum, it can run firmware files without needing a digital signature check. Hackers can create their own scripts, place them on a microSD card in the upgrade_360 folder and insert it, thus restarting the cleaner.
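As an added illustration (not Diqee's or Positive Technologies' code), the sketch below shows the check the update mechanism described above lacks: the loader refuses anything in upgrade_360 whose detached signature does not verify against a key already on the device. The file names update.sh and update.sig and all function names are assumptions, and a Lamport one-time signature stands in for a production scheme so the example needs only the Python standard library.

```python
import hashlib, secrets, tempfile
from pathlib import Path

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(data):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data):
    # Vendor side: reveal one secret per digest bit (each key signs ONE image).
    return b"".join(sk[i][bit] for i, bit in enumerate(bits(data)))

def verify(pk, data, sig):
    parts = [sig[i:i + 32] for i in range(0, len(sig), 32)]
    return len(sig) == 256 * 32 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(parts, bits(data))))

def load_update(card_root, pk):
    # Device side: hand back the script only if its detached signature
    # verifies. update.sh and update.sig are hypothetical file names.
    try:
        script = Path(card_root, "upgrade_360", "update.sh").read_bytes()
        sig = Path(card_root, "upgrade_360", "update.sig").read_bytes()
    except OSError:
        return None  # script or signature missing: nothing is executed
    return script if verify(pk, script, sig) else None

def demo():
    sk, pk = keygen()  # pk stands in for a key provisioned on the device
    out = {}
    with tempfile.TemporaryDirectory() as card:  # constructed stand-in for the card
        folder = Path(card, "upgrade_360")
        folder.mkdir()
        script = b"#!/bin/sh\necho constructed vendor update\n"
        (folder / "update.sh").write_bytes(script)
        out["unsigned"] = load_update(card, pk)
        (folder / "update.sig").write_bytes(sign(sk, script))
        out["signed"] = load_update(card, pk)
        (folder / "update.sh").write_bytes(script + b"echo tampered\n")
        out["tampered"] = load_update(card, pk)
    return out

if __name__ == "__main__":
    print(demo())
```

Only the signed, unmodified script is returned for execution; the unsigned and tampered cases both yield None.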

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, commented: “The majority of owners of IoT devices would not consider their items a security risk, although they could constitute a major vulnerability, which is why this discovery is key to drawing attention to the threats posed by IoT devices in general as well as this specific device.”

She added: “Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.”

You’d get clean floors though.
This article is from the CBROnline archive: some formatting and images may not be present.