These Vacuum Cleaner Vulnerabilities Are The New IoT Nightmare
Cybersecurity researchers have detected a couple of vulnerabilities in an IoT vacuum cleaner lineup that could let hackers spy on the victims, perform video surveillance, and even steal their sensitive personal data—all without ever turning it on. Leonid Krolle and Georgy Zaytsev, two researchers at Positive Technologies, have uncovered the vulnerabilities in the Dongguan Diqee 360 robotic vacuum cleaners. A news release from Positive Technologies suggests the security issues, which have been detected on Dongguan Diqee-branded vacuums, could possibly affect those made by the company and sold under other brands as well.
The release also explains how vacuum cleaners, like any other IoT device, could feasibly be used by cybercriminals to execute certain DDoS attacks. Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies, is quoted as saying, “The majority of owners of IoT devices would not consider their items a security risk, although they could constitute a major vulnerability, which is why this discovery is key to drawing attention to the threats posed by IoT devices in general as well as this specific device. Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has wi-fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner.”
The first detected vulnerability, CVE-2018-10987, is believed to allow remote code execution. The Positive Technologies news release explains more, “An attacker can discover the vacuum on the network by obtaining its MAC address and sending a UDP request, which, if crafted in a specific way, can result in the execution of a command with superuser rights on the vacuum. The vulnerability resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153). To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888).”
The second vulnerability, CVE-2018-10988, needs physical access to be exploited. The news release explains, “A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism. After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over wi-fi by other devices.”
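The missing control in the update path described above is a signature check before anything from the upgrade_360 folder is executed. The following is an added example of such a check, not code from Dongguan Diqee or Positive Technologies; the choice of Ed25519, the detached `.sig` file convention, the file names and the key pair generated in the demo are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"os"
	"path/filepath"
)

// verifyUpdate returns the image only if <name>.sig holds a valid Ed25519
// signature over it, checked against the vendor key pinned on the device.
func verifyUpdate(dir, name string, vendorKey ed25519.PublicKey) ([]byte, error) {
	image, err := os.ReadFile(filepath.Join(dir, name))
	if err != nil {
		return nil, err
	}
	sig, err := os.ReadFile(filepath.Join(dir, name+".sig"))
	if err != nil {
		return nil, fmt.Errorf("no signature, refusing update: %w", err)
	}
	if !ed25519.Verify(vendorKey, image, sig) {
		return nil, fmt.Errorf("bad signature, refusing update")
	}
	return image, nil
}

// demo fills a constructed stand-in for the card's upgrade_360 folder and
// reports which of its files the check would accept.
func demo() (signedOK, tamperedOK, unsignedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the vendor key pair
	dir, _ := os.MkdirTemp("", "upgrade_360")
	defer os.RemoveAll(dir)
	write := func(n string, b []byte) { os.WriteFile(filepath.Join(dir, n), b, 0o600) }
	fw := []byte("constructed firmware image v2")
	write("good.bin", fw)
	write("good.bin.sig", ed25519.Sign(priv, fw))
	write("tampered.bin", append([]byte("#!/bin/sh\n"), fw...))
	write("tampered.bin.sig", ed25519.Sign(priv, fw)) // signature copied from good.bin
	write("unsigned.sh", []byte("echo constructed unsigned script"))
	check := func(n string) bool {
		_, err := verifyUpdate(dir, n, pub)
		return err == nil
	}
	return check("good.bin"), check("tampered.bin"), check("unsigned.sh")
}

func main() {
	fmt.Println(demo()) // true false false
}
```

On a real device the public key would be built into the firmware image and the private key would never leave the vendor's signing system.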
The two vulnerabilities, it’s reported, could also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners; these include outdoor surveillance cameras, DVRs, and smart doorbells. It’s also been reported that Positive Technologies has alerted Dongguan Diqee about the vulnerabilities, although whether or not the bugs have been repaired yet is unclear. In 2017, Positive Technologies detected a critical vulnerability in the firmware of the Dahua IP cameras, which are used extensively for surveillance in smart homes and also in the banking, energy, telecommunications, and transportation sectors. Given the popularity of IoT devices in today’s society, these vulnerabilities should be taken seriously.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as security consultant while continuing to write for Hacker Combat in her limited spare time.