We already know that robotic vacuum cleaners tend to have difficulty cleaning dog poop, but they sometimes need to do a better job cleaning up their code as well.
Case in point: Researchers at Positive Technologies today reported finding two code execution bugs in Dongguan Diqee 360 robotic vacuum cleaners made by China-based Diqee Intelligent (Henan) Corp., Ltd. The vacuums, which double as security monitoring devices that take photos of users' homes and send notifications to their phones, can reportedly be hijacked to perform video surveillance, and steal data and eavesdrop on audio.
Discovered by specialists Leonid Krolle and Georgy Zaytsev, the first vulnerability (CVE-2018-10987) enables remote code execution, and the second (CVE-2018-10988), allows for arbitrary code execution if the device is physically accessed. Additional smart vacuums manufactured by Diqee but sold under different brand names are likely also impacted, as may be other Internet of Things devices that use the same video modules as Dongguan Diqee 360 vacuums, including outdoor surveillance cameras, DVRs, and smart doorbells.
"Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that's not even the worst-case scenario, at least for owners," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, in a press release. "Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a 'microphone on wheels' for maximum surveillance potential."
CVE-2018-10987 reportedly exists in the vacuum's REQUEST_SET_WIFIPASSWD function (UDP command 153). "An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum," the press release states. Although the actor first has to authenticate, this does not necessarily pose a difficult challenge, because some device owners never bother to change their default usernames and password combinations.
Meanwhile, attackers can exploit CVE-2018-10988 using a microSD card that's been sabotaged with a malicious script placed within the upgrade_360 folder. When the card is inserted, the vacuum's update mechanism fails to perform a digital signature check when accessing the upgrade_360 folder to perform a firmware update with superuser rights. When the vacuum is rebooted, the script can then execute its arbitrary code, "such as a sniffer to intercept private data sent over Wi-Fi by other devices," the report suggests.
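The check the updater is described as lacking, shown as an added example in Go (this is not Diqee's firmware code nor Positive Technologies' proof of concept): an update gate that refuses to apply any image staged on removable media unless an Ed25519 signature over it verifies against a vendor public key baked into the device firmware. The package layout, the key handling, and the function names are assumptions made for the illustration; the point is that an unsigned or tampered image is rejected before anything runs with superuser rights.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage models a firmware bundle as it might be staged in an
// "upgrade_360"-style folder on removable media: the image plus a detached
// signature. The layout is constructed for this example, not Diqee's format.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// Distinguishing "no signature present" from "signature present but invalid"
// helps logging and forensics; both outcomes abort the update.
var (
	ErrUnsigned     = errors.New("update rejected: no signature present")
	ErrBadSignature = errors.New("update rejected: signature does not verify")
)

// SignImage stands in for the vendor's build pipeline (assumed): it signs the
// SHA-256 digest of the image with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyUpdate is the gate the vulnerable updater lacked: before anything from
// the package is executed or flashed with superuser rights, confirm the image
// was signed by the vendor key embedded in the firmware. Returns nil only when
// the package may be applied.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(vendorPub, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUpdate installs the image only if VerifyUpdate accepts it. The write to
// flash is simulated; the return value reports whether the image was accepted.
func ApplyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) (bool, error) {
	if err := VerifyUpdate(vendorPub, pkg); err != nil {
		return false, err
	}
	// A real device would write pkg.Image to flash here.
	return true, nil
}

func main() {
	// Constructed vendor key pair. On a shipping device only the public half is
	// present in the firmware; the private half stays with the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0")

	signed := UpdatePackage{Image: image, Signature: SignImage(priv, image)}
	tampered := UpdatePackage{Image: append([]byte("evil "), image...), Signature: signed.Signature}
	unsigned := UpdatePackage{Image: image}

	for _, c := range []struct {
		name string
		pkg  UpdatePackage
	}{{"signed", signed}, {"tampered", tampered}, {"unsigned", unsigned}} {
		ok, err := ApplyUpdate(pub, c.pkg)
		fmt.Printf("%-8s applied=%v err=%v\n", c.name, ok, err)
	}
}
```

Only the signed package is applied; the tampered image fails verification and the unsigned one is rejected outright, which is the behaviour that would have closed the microSD path described in the report.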
A spokesperson for Positive Technologies told SC Media that the company "followed responsible disclosure practices, alerting [Diqee] on March 15, 2018. Positive Technologies also submitted the vulnerabilities officially... and discussed the findings at its PHDays security forum in May, 2018. Positive Technologies does not have any information about whether or not the vulnerabilities have been fixed to date."
Asked for comment, Diqee Intelligent (Henan) Corp., Ltd. sent SC Media an email response, noting that the first vulnerability can be solved by eliminating the default username and password problem, and adding that users "can bind the device once they receive it and modify the password immediately after binding completed and prevent others from listening with the default username and password. After modification, the default username and password are not effective." Diqee also claims the microSD card firmware update problem was fixed "by increasing the security mechanism."