Multiple security flaw in Dongguan Diqee 360 robotic vacuum cleaners

Positive Technologies experts have discovered vulnerabilities in smart vacuum cleaners produced by Dongguan Diqee 360 manufacturers, allowing attackers to control devices that are already connected remotely.

Through security breaches, an attacker can directly remotely control the smart vacuum cleaners and monitor the network flow of other devices in the LAN where robotic vacuum cleaners located.

Objectively speaking, the security vulnerability discovered this time is not a very serious level, because the attacker must obtain the account and password of the robotic vacuum cleaners firmware.

Unfortunately, most users have not changed their passwords at all:

There is a UDP command in the built-in networking module in the firmware of the robotic vacuum cleaners. The attacker can find the device on the network through the hardware address of the smart vacuum cleaners.

If you scan it, you only need to send a UDP request to execute the remote command with superuser privileges, but the attacker also requires to log in to the device.

However, most users have not changed the default name and password after purchasing the smart vacuum cleaners, so the attacker only needs to log in to the device through the default account.

The attacker can remotely monitor the user:

The most significant harm of this vulnerability is the camera function that comes with the smart vacuum cleaners because the attacker can control the life of the users at home through the camera function.

The original Sweeper camera function is to help users control the movement and shooting scene, but after all, the attacker can completely control the device and thus monitor it.

Fortunately, the camera of the smart vacuum cleaners can shoot a limited scene and therefore cannot sufficiently monitor the user, so changing the password in time is a must.

Used to mine or monitor LAN traffic:

There is also a security vulnerability in the firmware update mechanism of the robotic vacuum cleaners, but it is more difficult to physically touch the Sweeper if you want to exploit this vulnerability.

An attacker can embed a malicious program in the update folder of the smart vacuum cleaners’ memory card and then use it to mine or hijack the network stream based on malware.

The researchers believe that the above two security vulnerabilities may affect IoT devices that use the same modules as the smart vacuum cleaners, including robotic doorbells and surveillance cameras.

Therefore, whether it is the robotic vacuum cleaners machine produced by Dongguan or other brands of robotic Vacuums machines produced by Dongguan, it is necessary to change the password in time to improve the safety of the equipment.

Also, there is no news about this incident until now, and it is reasonable to say that the company should immediately release a new version of the firmware to fix the above security vulnerabilities.