- The two vulnerabilities are tracked as CVE-2018-10987 and CVE-2018-10988.
- The flaws could allow attackers to eavesdrop, perform video surveillance and steal private data from victims.
Security researchers have discovered vulnerabilities in a connected vacuum cleaner that could allow attackers to eavesdrop, perform video surveillance and even steal victims’ private data.
According to researchers at Positive Technologies, two vulnerabilities - CVE-2018-10987 and CVE-2018-10988 - were discovered in Dongguan Diqee 360 vacuum cleaners. These robot vacuum cleaners come with a slew of features including an onboard camera, night vision, smartphone-controlled navigation and Wi-Fi capabilities.
Like most other IoT devices, these vacuum cleaners could potentially be hijacked and ensnared into a botnet for DDoS attacks. Hackers could also exploit the connected vacuum’s numerous features to secretly spy on its owner.
The first bug (CVE-2018-10987) is a remote code execution vulnerability that resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153) of the device.
“An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum,” Positive Technologies researchers wrote in a blog post.
Hackers would need to have physical access to the device to exploit the second vulnerability - CVE-2018-10988. The flaw can be exploited by inserting a microSD card into the vacuum to replace the device’s firmware with a malicious version. An attacker could leverage this exploit to steal unencrypted data such as photos, videos, emails and other data sent from other devices on the same Wi-Fi network that the vacuum is connected to.
“After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check,” researchers said. “Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.”
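The missing control the researchers describe is a signature check before anything from upgrade_360 is run. The sketch below is an added example, not the vendor's or Positive Technologies' code: it accepts an image only if a detached RSA PKCS#1 v1.5 / SHA-256 signature verifies. The file names `firmware.bin` and `firmware.bin.sig` and the demo key are assumptions constructed for illustration.

```python
import hashlib, hmac, tempfile
from pathlib import Path

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed demo key built from two well-known Mersenne primes: trivially
# factorable, for illustration only. A real device stores only (N, E).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept on the build host

def _encode(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), padded to k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(data: bytes, n: int = N, d: int = D) -> bytes:
    """Vendor-side signing, included only to build the sample input."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(data, k), "big"), d, n).to_bytes(k, "big")

def verify(data: bytes, sig: bytes, n: int = N, e: int = E) -> bool:
    """Device-side check: rebuild the expected encoding and compare whole."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _encode(data, k))

def select_update(card_root: Path):
    """Return the image bytes only if the detached signature is valid."""
    folder = card_root / "upgrade_360"
    fw, sig = folder / "firmware.bin", folder / "firmware.bin.sig"  # hypothetical names
    if not (fw.is_file() and sig.is_file()):
        return None
    data = fw.read_bytes()  # verify the same bytes that will be installed
    return data if verify(data, sig.read_bytes()) else None

def demo():
    """Constructed card contents: a signed image, then the same card tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "upgrade_360"
        folder.mkdir()
        image = b"constructed firmware image v2"
        (folder / "firmware.bin").write_bytes(image)
        (folder / "firmware.bin.sig").write_bytes(sign(image))
        accepted = select_update(Path(tmp))
        (folder / "firmware.bin").write_bytes(image + b" tampered")
        return accepted, select_update(Path(tmp))
```

The updater should hand only the returned bytes to the installer rather than re-reading the card, so the verified image and the installed image cannot differ.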
Positive Technologies researchers alerted Chinese supplier Dongguan Diqee about these vulnerabilities on March 15, 2018. However, it is still unclear whether or not the vulnerabilities have been fixed to date.
The researchers also noted that these vulnerabilities may affect other IoT devices such as outdoor surveillance cameras, DVRs and smart doorbells.