Positive Technologies has discovered that the Dongguan Diqee 360, a Chinese smart vacuum cleaner that is controlled from a smartphone app and carries a camera with night vision, has two pretty creepy security holes.
The first vulnerability is catalogued as CVE-2018-10987 and can be exploited over the network. This means that an attacker who can reach the vacuum on your network can take it over once they manage to authenticate to it. Sadly that is normally not too hard, since most people never bother to change the default admin password.
Once authenticated, it is easy enough for the attacker to take control: “An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs ‘/mnt/skyeye/mode_switch.sh %s’ with an attacker controlling the %s variable.”
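To make the bug pattern concrete, here is an added illustration in C. It is not the vacuum's firmware and not code from Positive Technologies: the packet layout, the handler names and the validation rules are assumptions, only the command id 153 and the script path come from the advisory. The vulnerable handler formats the attacker-controlled argument into a shell command line, exactly the mistake the advisory describes; the hardened handler allowlists the value as a WPA2 passphrase and hands it to the script as a separate argv element, so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_SET_WIFIPASSWD 153                 /* UDP command id named in the advisory */
#define MODE_SWITCH "/mnt/skyeye/mode_switch.sh"
#define MAX_PSK 63                             /* WPA2 passphrases are 8..63 ASCII chars */

/* Hypothetical packet layout (an assumption; the real wire format is not public):
 * byte 0 is the command id, the rest is a NUL-terminated argument. */
struct udp_cmd {
    unsigned char id;
    char arg[256];
};

/* Vulnerable pattern: the untrusted argument is formatted straight into a
 * shell command line. Returns the string the firmware would pass to system();
 * this demo only builds it and never executes it. */
int build_cmd_vulnerable(const struct udp_cmd *p, char *out, size_t outlen) {
    if (p->id != CMD_SET_WIFIPASSWD) return -1;
    snprintf(out, outlen, MODE_SWITCH " %s", p->arg);
    return 0;
}

/* Allowlist check: WPA2 passphrase length, printable ASCII only, and the usual
 * shell metacharacters rejected outright (assumed policy, not the vendor's). */
int is_safe_psk(const char *s) {
    size_t n = strlen(s);
    if (n < 8 || n > MAX_PSK) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isprint(c) || strchr(";|&$`\\\"'<>(){}\n", c) != NULL) return 0;
    }
    return 1;
}

/* Hardened handler: validate, then build an argv array for execv(). The
 * argument is passed as one argv element, so metacharacters are inert.
 * Returns 0 and fills argv on success, -1 if the input is rejected. */
int build_cmd_hardened(const struct udp_cmd *p, const char *argv[3]) {
    if (p->id != CMD_SET_WIFIPASSWD || !is_safe_psk(p->arg)) return -1;
    argv[0] = MODE_SWITCH;
    argv[1] = p->arg;
    argv[2] = NULL;
    /* a real handler would fork() and execv(argv[0], (char *const *)argv) here */
    return 0;
}

int main(void) {
    /* constructed sample packet: a passphrase with an appended shell command */
    struct udp_cmd pkt = { CMD_SET_WIFIPASSWD, "secret12; touch /tmp/pwned" };
    char cmd[512];
    const char *argv[3];

    build_cmd_vulnerable(&pkt, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts it: %s\n",
           build_cmd_hardened(&pkt, argv) == 0 ? "yes" : "no");
    return 0;
}
```

Note that the fix is not only the character filter: even a passphrase that passes the allowlist must reach the script as its own argv element, never through a shell, because the filter exists only as defence in depth.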
The second vulnerability is catalogued as CVE-2018-10988 and is harder to exploit: here the attacker needs physical access to the Diqee 360. With malicious files placed on a microSD card that is then inserted into the vacuum, the cleaner runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. In other words, the update routine trusts whatever is on the card, so anyone who can get to the card slot can replace the firmware.
Right now there is no patch available to fix the issues, even though Positive Technologies has contacted the company and informed them about the vulnerabilities. Luckily there are some things you can do yourself to stay safe:
Change your password: One of the risks here is users’ laziness – a lot of people simply keep the default passwords on their smart devices. Make sure you do not make the same mistake. Change the default password to a strong, unique one as soon as possible; that removes the easy authentication step an attacker needs for CVE-2018-10987. The microSD issue, CVE-2018-10988, has no such workaround, so keep the device itself out of reach of people you do not trust.
Check your smart home for vulnerabilities: It is hard to keep track of all your smart home devices and their possible security holes. Luckily there are little helpers like Home Guard that check all your connected devices for known vulnerabilities and alert you if anything goes awry.