Cleaning your home is tedious, at least for most people. That’s probably why smart vacuum cleaners are becoming ever more popular and convenient, with a plethora of new features: smartphone control, video recording and streaming, you name it.
The Dongguan Diqee 360 is one of those vacuum cleaners – and it sports some serious security issues that can let strangers spy on you.
One cleaner, two security holes
Security researchers from Positive Technologies have discovered that the Dongguan Diqee 360, a Chinese smart vacuum cleaner that comes equipped with a remote for your smartphone and a camera that even supports night vision, has two pretty creepy security holes.
Security issue #1: The users’ laziness
The first vulnerability is catalogued as CVE-2018-10987 and can be exploited remotely. This means that a cybercriminal who finds the electric pal in your network can access it if he manages to authenticate himself. Sadly, that’s normally not too hard, since most people never bother to change the default admin password.
Once authenticated, it is easy enough for the crook to take control of the vacuum cleaner: “An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs ‘/mnt/skyeye/mode_switch.sh %s’ with an attacker controlling the %s variable.”
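The flaw class quoted above is a value pasted into a shell command line. The following C sketch is an added example, not the vendor's firmware code: it shows that pattern next to a form that passes the value as a single argument without a shell. The function names, the sample value and the assumption that the %s value is a Wi-Fi passphrase are illustrative; only the script path comes from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define MODE_SWITCH "/mnt/skyeye/mode_switch.sh" /* path quoted in the advisory */

/* Pattern the advisory describes: the value is pasted into a command line
 * that a shell would parse. The string is only built here, never executed. */
int build_shell_command(char *out, size_t n, const char *value) {
    return snprintf(out, n, MODE_SWITCH " %s", value);
}

/* Assumption: the value is a WPA passphrase, 8..63 printable ASCII chars. */
int value_is_valid(const char *value) {
    size_t len = strlen(value);
    if (len < 8 || len > 63) return 0;
    for (size_t i = 0; i < len; i++)
        if (value[i] < 0x20 || value[i] > 0x7e) return 0;
    return 1;
}

/* Hardened form: build an argv vector, so the value is exactly one argument
 * and ';', '|', '$' or spaces in it are never interpreted by a shell. */
int build_argv(const char *argv[3], const char *script, const char *value) {
    if (!value_is_valid(value)) return -1;
    argv[0] = script;
    argv[1] = value;
    argv[2] = NULL;
    return 0;
}

/* Run the script without a shell; returns its exit status, or -1 on error. */
int run_mode_switch(const char *script, const char *value) {
    const char *argv[3];
    int status;
    if (build_argv(argv, script, value) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execv(script, (char *const *)argv);
        _exit(127); /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *argv[3]; /* "pass;word 1234" is a constructed sample value */
    return build_argv(argv, MODE_SWITCH, "pass;word 1234");
}
```

The called script still has to quote its own parameter (for example "$1") for the value to stay a single word inside it.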
Security issue #2: Malicious files on an SD card
The second vulnerability is catalogued as CVE-2018-10988 and is a bit trickier: here the hacker would actually need physical access to the Diqee 360. If a microSD card carrying malicious files is inserted into the vacuum, the cleaner runs firmware files from the upgrade_360 folder with superuser rights – and without any digital signature check.
Take action now
Right now there is no patch available to fix the issues, even though Positive Technologies has contacted the company and informed them about the vulnerability. Luckily there are some things you can do yourself to stay safe:
Change your password: One of the risks here is the users’ laziness – a lot of people just keep the default passwords when it comes to their smart devices. Make sure you do not make the same mistake. Change your password to a secure one ASAP.
Check your Smart Home for vulnerabilities: It is hard to keep track of all your smart home devices and their possible security holes. Luckily there are little helpers like Home Guard that help you check all your connected devices for vulnerabilities and alert you if anything goes awry.