July 19, 2018 (updated 11 Jul 2022 6:15am)

Nightvision Vacuum Cleaner’s Vulnerability Disclosed

Robot vacuum cleaners might not be as secure as you think.

By Umar Hassan

Robot vacuum cleaners are not immune to cyberattacks, as one London-based company has found.

Positive Technologies experts have uncovered security vulnerabilities within Chinese company Diqee’s robotic 360 vacuum cleaners.

It seems that vacuum cleaners don’t just clean up floors, but could also perform video surveillance and mop up your personal data.

Diqee’s robotic vacuum cleaner has a 360-degree video camera that can be used for video calls as well as for night surveillance.

The user can control the vacuum cleaner remotely over Wi-Fi by connecting their smartphone to it via an app.

The vacuum also features dynamic monitoring, which allows it to automatically monitor and take photos of the house while sending notifications to the phone in real time.

What Are the Vulnerabilities?

There are a couple of vulnerabilities attackers can exploit in the robotic vacuum cleaner: one involves remote access and the other physical access.

The first vulnerability involves remote code execution, where an attacker can access the network by obtaining its MAC address and sending a UDP request to access the vacuum cleaner. Most of the affected Diqee robotic vacuum cleaners have a default username and password (admin: 888888), which makes access easier for an attacker.

The second method involves attackers having physical access to a Diqee vacuum cleaner. A microSD card could be used to exploit weaknesses within the vacuum’s update mechanism.

When the card is inserted, the vacuum can run firmware files from it without any digital signature check. Hackers can create their own script, place it in the upgrade_360 folder on a microSD card and insert the card, thus restarting the cleaner.
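What the missing check would look like, as an added example (not Diqee's or Positive Technologies' code): the updater accepts a file from the card's upgrade_360 folder only if a detached signature verifies against a vendor public key pinned on the device. Ed25519, the file names update.bin and update.bin.sig, and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// File names are hypothetical; the article names only the upgrade_360 folder.
const imagePath, sigPath = "upgrade_360/update.bin", "upgrade_360/update.bin.sig"
var ErrUnsigned = errors.New("update rejected: missing or invalid signature")

// VerifyUpdate returns the image only if its detached Ed25519 signature verifies against the pinned vendor key.
func VerifyUpdate(cardRoot string, vendorKey ed25519.PublicKey) ([]byte, error) {
	image, err := os.ReadFile(filepath.Join(cardRoot, imagePath))
	if err != nil {
		return nil, fmt.Errorf("no update image: %w", err)
	}
	sig, err := os.ReadFile(filepath.Join(cardRoot, sigPath))
	if err != nil || !ed25519.Verify(vendorKey, image, sig) {
		return nil, ErrUnsigned
	}
	return image, nil // only a verified image is handed on to the installer
}

// WriteCard lays out a constructed sample card (image plus signature file) under root.
func WriteCard(root string, image, sig []byte) error {
	if err := os.MkdirAll(filepath.Join(root, "upgrade_360"), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(root, sigPath), sig, 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(root, imagePath), image, 0o644)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed stand-in for the vendor key pair
	image := []byte("constructed firmware image")
	root, _ := os.MkdirTemp("", "card")
	defer os.RemoveAll(root)
	for _, img := range [][]byte{image, []byte("constructed modified image")} {
		WriteCard(root, img, ed25519.Sign(priv, image)) // signature always covers the genuine image
		_, err := VerifyUpdate(root, pub)
		fmt.Printf("%q accepted: %v\n", img, err == nil)
	}
}
```

The private key never leaves the vendor's signing environment; the device holds only the public key, so a card prepared by anyone else fails the check.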

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, commented: “The majority of owners of IoT devices would not consider their items a security risk, although they could constitute a major vulnerability, which is why this discovery is key to drawing attention to the threats posed by IoT devices in general as well as this specific device.”

She added: “Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.”

You’d get clean floors though.
