The internet of things (IoT) has seen a string of vulnerabilities across multiple devices, the latest of which are new vulnerabilities in Dongguan Diqee 360 robotic vacuum cleaners, which could allow cybercriminals to eavesdrop, perform video surveillance and steal private data, according Positive Technologies.
Researchers Leonid Krolle and Georgy Zaytsev uncovered the Dongguan Diqee 360 security issues found on vacuums, which most likely affect not only those made by the company but those sold under other brand names as well. The devices affected by vulnerability CVE-2018-10987 are at risk of an authenticated remote code execution, potentially allowing an attacker to send a User Datagram Protocol (UDP) packet enabling them to execute commands on the vacuum cleaner as root.
A second vulnerability, CVE-2018-10988, involves a microSD card that reportedly could be used to exploit weaknesses in the vacuum's update mechanism. The researchers said that these vulnerabilities may also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners. Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.
That an authenticated attacker can gain access to the device in itself isn’t a major issue. “The difference is that this vacuum cleaner does not simply wander around the house, cleaning,” said Yotam Gutman, VP of marketing, SecuriThings. “It also serves as a mobile surveillance bot, with both day and night capabilities. Imagine that someone can get access to the device and watch the video feed, without the owners even realizing it. Even worse – someone can program the route of the device to drive around the house, filming the inside, which is very similar to what reconnaissance drones do in 'Star Wars' or other sci-fi movies."
"This is another incident/vulnerability that demonstrates just how hackable cheap connected devices are. Buyers of vacuum robots should really think if they want their nice little R2-D2-like helper to have reconnaissance capabilities.”
In related news, another vulnerability (CVE-2013-6117) has resurfaced despite being nearly five years old. Login passwords for tens of thousands of Dahua DVR devices were reportedly cached and indexed inside search results returned by IoT search engine ZoomEye.
Commenting on Twitter about the vulnerability, Ankit Anubhav, principal researcher at NewSky Security, wrote, “The attackers do not even need to write code to connect to the port as they can login to public scanner like ZoomEye which store the output of requests in their website and dump it.
“A new low has been achieved in the ease of hacking IoT devices. One does not even need to connect to the Dahua devices to get the credentials.”