We live in a great time with so many helpful devices. They help us in our daily lives to make things easier and faster and take care of mundane tasks for us. But sometimes they can also make things worse, like in the case of a robot vacuum that could be spying on you.
The Surveillance Vacuum
Researchers with Positive Technologies, an enterprise security company, have found vulnerabilities in the Dongguan Diqee 360 robotic vacuum cleaners.
The Chinese smart home manufacturer Diqee equips these vacuums with Wi-Fi and a 360-degree camera with a mode they refer to as “dynamic monitoring.” It turns your vacuum into a device that can spy on you. You just had some dirty floors, but now you have something all-new to worry about.
Through CVE-2018-10987, a remote code execution vulnerability, an attacker who obtains the device’s MAC address can gain system admin privileges on it. The vulnerability resides in the REQUEST_SET_WIFIPASSWD function. Exploiting it requires authentication, but the default username and password are enough for that.
It might not just affect robotic vacuums, either, as researchers suggest it could also affect other products that use the same video module, such as surveillance cameras, smart doorbells, and DVRs. The company also sells other vacuums under a different brand name.
A second vulnerability, CVE-2018-10988, can affect this robotic vacuum as well, but it requires physical access through an SD card slot.
To help with the vulnerability, the vacuum does have a privacy protection cover for the camera that they claim “solves the privacy leakage from hardware.” Yet Positive Technologies still considers the vacuum to have a vulnerability.
“Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners,” said Leigh-Anne Galloway, Positive Technologies Cybersecurity lead.
“Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.”
As great as it is to have smart home products, many of them come with hazards of their own. Many aren’t secure, and microphones and cameras only complicate matters that much more.
The immediate question you need to ask yourself when buying a robotic vacuum is if you really need those “extras.” Do you need it to have a night vision webcam? How much vacuuming are you doing in the dark? Do you need to be able to navigate it with your smartphone?
It’s just not a surprising turn of events. Any time you welcome an IoT product into your home, you’re welcoming vulnerabilities, and the cameras, microphones, etc., just make it that much more dangerous, when all you’re trying to do is keep your house clean.
Make sure you know the hazards before you buy such a device. It just can’t be said enough. Whatever you would gain from having a camera on your vacuum cleaner most likely isn’t worth the loss of privacy.
Do you have a robotic vacuum? Does it have these vulnerabilities? Or would you never buy one specifically because of these vulnerabilities? Let us know what you think in the comments section.