The user can use Wi-Fi remote control by connecting their smartphone to the vacuum cleaner via an app.
The vacuum also features dynamic monitoring, which lets it automatically watch the house, take photos, and send notifications to the phone in real time.
What Are the Vulnerabilities?
The robotic vacuum cleaner has two vulnerabilities that attackers could exploit: one requires remote access and the other physical access.
The first vulnerability is a remote code execution flaw: an attacker who obtains the vacuum cleaner's MAC address can send it a UDP request and gain access. Most of the affected Diqee robotic vacuum cleaners ship with a default username and password (admin: 888888), which makes that access easier for an attacker.
The second method requires the attacker to have physical access to a Diqee vacuum cleaner. A microSD card can be used to exploit weaknesses in the vacuum's update mechanism.
When the card is inserted, the vacuum runs the firmware files on it without any digital signature check. An attacker can place their own scripts in the upgrade_360 folder on a microSD card and insert it, which restarts the cleaner.
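The missing check described above, shown from the defender's side: an update loader that applies nothing from the upgrade_360 folder unless a signature over the firmware image verifies. This is an added example, not Diqee's firmware or Positive Technologies' code; the file names firmware.bin and firmware.sig, the in-memory card layout, and the tiny RSA key (a constructed toy key so the example runs on the standard library alone) are all assumptions.

```python
import hashlib
import hmac

# Constructed toy RSA key (p=61, q=53) used only so the example runs without
# third-party libraries. A real device would embed a vendor public key of
# at least 2048 bits and use a standard signature scheme.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def toy_sign(image: bytes) -> bytes:
    """Vendor side, at build time: sign each byte of SHA-256(image).

    The private exponent TOY_D never leaves the vendor's build system."""
    digest = hashlib.sha256(image).digest()
    return b"".join(pow(b, TOY_D, TOY_N).to_bytes(2, "big") for b in digest)


def signature_valid(image: bytes, signature: bytes) -> bool:
    """Device side: recover the signed digest with the public key and compare
    it against SHA-256 of the image actually found on the card."""
    if len(signature) != 64:
        return False
    recovered = [pow(int.from_bytes(signature[i:i + 2], "big"), TOY_E, TOY_N)
                 for i in range(0, 64, 2)]
    if any(v > 0xFF for v in recovered):
        return False  # not a value a genuine signature could produce
    return hmac.compare_digest(bytes(recovered), hashlib.sha256(image).digest())


def stage_update(card: dict[str, bytes]) -> tuple[bool, str]:
    """Emulates the update loader on a constructed in-memory card (path -> bytes).

    The flaw described above is a loader that executes whatever it finds under
    upgrade_360/; this loader applies nothing unless the signature verifies."""
    image = card.get("upgrade_360/firmware.bin")  # assumed file name
    if image is None:
        return False, "no update present"
    signature = card.get("upgrade_360/firmware.sig")  # assumed file name
    if signature is None:
        return False, "rejected: unsigned update"
    if not signature_valid(image, signature):
        return False, "rejected: signature mismatch"
    return True, "applied"
```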
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies commented: “The majority of owners of IoT devices would not consider their items a security risk, although they could constitute a major vulnerability, which is why this discovery is key to drawing attention to the threats posed by IoT devices in general as well as this specific device.”
She added: “Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.”
You’d get clean floors though.
This article is from the CBROnline archive: some formatting and images may not be present.