Two vulnerabilities have been identified in IoT robot vacuum cleaners made by Dongguan Diqee. Researchers found that these flaws could give cybercriminals the ability to spy on users, record them, and steal sensitive personal data.
The bugs were uncovered in Dongguan Diqee 360 robot vacuum cleaners, which have Wi-Fi connectivity, a webcam, and navigation controlled from a mobile device. According to security experts, the flaws would allow an attacker to take control of the IoT vacuum and also to eavesdrop, perform video surveillance, and intercept data from a private network.
According to the cybersecurity resilience lead at Positive Technologies, IoT vacuum cleaners can also be combined into a botnet.
Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners.
Two vulnerabilities detected in Diqee 360 vacuum cleaners
The first vulnerability, CVE-2018-10987, is a remote code execution issue that resides in the REQUEST_SET_WIFIPASSWD feature of the device. A compromised vacuum can be used in a botnet to mine bitcoin and to carry out DDoS attacks.
This vulnerability allows attackers to obtain superuser rights on the vacuum, meaning they can control it remotely, view video and images, and physically move the vacuum.
A potential attacker can discover the device on an unsecured network by obtaining its media access control (MAC) address and then send a crafted user datagram protocol (UDP) request. As a result, the attacker can gain control of the %s variable.
To succeed, the attacker has to authenticate to the vacuum. However, this is easy because the vast majority of the devices share the same default username and password, admin:888888.
The second vulnerability, CVE-2018-10988, not only enables the attacker to control the vacuum but also allows them to obtain unencrypted personal data, such as pictures, emails, and videos, transferred from other devices on the same network.
The vulnerability lies in the device's update mechanism. What makes it less dangerous is that it requires physical access to the device in order to exploit the bug.
The vulnerabilities were officially reported by Positive Technologies, and the company was alerted on March 15, 2018.
Recommendations: update default credentials
However, there is no information about fixes for the vulnerabilities. Instead, Dongguan Diqee encourages users to change their default usernames and passwords.
Users can bind the device once they receive it and change the password immediately after binding is completed, preventing others from listening in with the default username and password. After the change, the default username and password are no longer effective.
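Because the vendor's only mitigation is rotating the factory credentials, the practical defender-side task is to audit an IoT inventory for devices that still carry them (and for firmware that has not been refreshed, since no patch is known). The following Python script is an added example and is not code from the article, from Positive Technologies, or from Dongguan Diqee. The inventory records, the device names, the `example-camera` model and its defaults, and the policy thresholds are all constructed; the only value taken from the article is the Diqee 360 default admin:888888.

```python
"""Audit a constructed IoT device inventory for factory-default or weak credentials
and stale firmware, and produce a remediation list for each device.

Added example; the inventory, thresholds and the 'example-camera' model are made up.
"""
from dataclasses import dataclass
from datetime import date
import re

# Known factory credentials per model. The Diqee 360 entry is the admin:888888
# default named in the article; 'example-camera' is a hypothetical model included
# to show the lookup generalises to a multi-vendor inventory.
DEFAULT_CREDENTIALS = {
    "Diqee 360": {("admin", "888888")},
    "example-camera": {("admin", "admin"), ("root", "12345")},  # constructed
}

MIN_PASSWORD_LENGTH = 12        # constructed policy threshold
MAX_FIRMWARE_AGE_DAYS = 365     # constructed policy threshold


@dataclass
class Device:
    name: str
    model: str
    username: str
    password: str
    firmware_date: date


@dataclass
class Finding:
    device: str
    issue: str
    action: str


def password_is_weak(model, username, password):
    """Return a reason the credential pair should be rejected, or None if it passes."""
    if (username, password) in DEFAULT_CREDENTIALS.get(model, set()):
        return "factory default credentials"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    if re.fullmatch(r"\d+", password):
        return "password is digits only"
    if password.lower() in {username.lower(), model.lower().replace(" ", "")}:
        return "password derived from username or model name"
    return None


def audit(devices, today, max_firmware_age_days=MAX_FIRMWARE_AGE_DAYS):
    """Check every device for weak credentials and stale firmware; return findings."""
    findings = []
    for d in devices:
        reason = password_is_weak(d.model, d.username, d.password)
        if reason:
            findings.append(Finding(
                d.name, reason,
                "rotate credentials before the device is reachable from the network"))
        age = (today - d.firmware_date).days
        if age > max_firmware_age_days:
            findings.append(Finding(
                d.name, f"firmware is {age} days old",
                "check the vendor for updates; if none, isolate the device on its own VLAN"))
    return findings


# Constructed sample inventory: one vacuum still on the factory default, one with a
# rotated password, and a hypothetical camera with a digits-only password.
SAMPLE_INVENTORY = [
    Device("vacuum-livingroom", "Diqee 360", "admin", "888888", date(2017, 3, 1)),
    Device("vacuum-office", "Diqee 360", "admin", "Rv!k3-p7Qz-mw2L", date(2018, 6, 1)),
    Device("cam-hall", "example-camera", "admin", "123456789012", date(2018, 5, 1)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date(2018, 7, 20)):
        print(f"{f.device}: {f.issue} -> {f.action}")
```

Run as a script, the audit flags the living-room vacuum twice (default credentials and firmware older than a year) and the camera once (digits-only password), while the office vacuum with a rotated password and recent firmware produces no finding. The credential policy deliberately rejects a replacement password that is merely the model name or a numeric string, since those are the substitutions users most often make when told to "change the default".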