Hackers can spy on owners of the Diqee 360 smart vacuum through recently disclosed vulnerabilities

Security researchers from Positive Technologies have released public details on two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners.

Together, the two vulnerabilities allow an attacker to run malicious code on the device with superuser privileges and effectively take over the vacuum.

“Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks,” said Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies.

“But that’s not even the worst-case scenario, at least for owners,” she adds. “Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner.”

  1. The remote code execution vulnerability, CVE-2018-10987, lets an attacker who has obtained the device’s MAC address run code with superuser privileges. According to the report, the flaw lies in the REQUEST_SET_WIFIPASSWD function, and exploiting it requires authenticating to the device, but the default username and password (admin/888888) is commonly left unchanged.

     The researchers suspect that the vulnerability in the Dongguan Diqee 360 model may also affect other products that share the same video module, including outdoor surveillance cameras, smart doorbells and DVRs. Diqee also manufactures vacuums sold under other brands, and the researchers suspect those devices are affected as well.
  2. Positive Technologies noted a second vulnerability, CVE-2018-10988, which also affects the model but requires physical access: the attacker must insert a prepared microSD card into the card slot to compromise the machine.

The vacuum does come equipped with a privacy protection cover, a physical barrier for the camera that “solves the privacy leakage from hardware” according to the manufacturer. Positive Technologies informed the manufacturer of both vulnerabilities, although no information is available yet about a patch.

This is the second time security researchers have found a bug in smart vacuum firmware that lets an attacker take over the device and spy on its owner. Check Point researchers discovered a similar bug affecting LG smart home appliances. In a video published last year, Check Point demoed the bug and showed how they used it to take over a camera-equipped smart vacuum and spy on its owner.

Asked for comment, Diqee Intelligent (Henan) Corp., Ltd. sent SC Media an email response, noting that the first vulnerability can be solved by eliminating the default username and password problem, and adding that users “can bind the device once they receive it and modify the password immediately after binding completed and prevent others from listening with the default username and password. After modification, the default username and password are not effective.” Diqee also claims the micro SD card firmware update problem was fixed “by increasing the security mechanism.”
