Hackers spy on owners of Diqee 360 smart vacuum with recent vulnerability
Security researchers from Positive Technologies have released public details on two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners.
The two vulnerabilities allow an attacker to run malicious code on a device with superuser privileges and effectively take over the vacuum.
“Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks,” said Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies.
“But that’s not even the worst-case scenario, at least for owners,” she adds. “Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner.”
- The remote code execution vulnerability, known as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system administrator privileges. According to the report, the vulnerability is contained within the REQUEST_SET_WIFIPASSWD function and exploiting it requires authentication, though a default username and password combination (admin/888888) is common. The researchers suspect that the vulnerability in the Dongguan Diqee 360 robotic vacuum model might affect other products sharing the same video module, including outdoor surveillance cameras, smart doorbells and DVRs. Diqee also manufactures vacuums sold under other brands, and the researchers suspect that those devices would be affected by the vulnerability as well.
- Positive Technologies noted a second vulnerability, known as CVE-2018-10988, also affects the vacuum model, though it requires physical access through the SD card slot to compromise the machine.
The vacuum does come equipped with a privacy protection cover — a physical barrier for the camera that “solves the privacy leakage from hardware,” according to the manufacturer. Positive Technologies informed the manufacturer of the vulnerabilities, although no information is available yet about a patch.
This is the second time security researchers have found a bug in smart vacuum firmware that lets an attacker take over the device and spy on its owner. Check Point researchers discovered a similar bug affecting LG smart home appliances. In a video published last year, Check Point demoed the bug and showed how they used it to take over a camera-equipped smart vacuum and spy on its owner.