Security researchers from Positive Technologies have released public details on two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners.
The two vulnerabilities allow an attacker to run malicious code on a device with superuser privileges and effectively take over the vacuum.
"Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks," said Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies.
"But that's not even the worst-case scenario, at least for owners," she adds. "Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner."
The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices ship with a default password of 888888 for the admin account, which very few users change and which attackers can incorporate into their exploit chain.
The second vulnerability, which requires physical access, can be exploited to replace the device's firmware with a malicious version; it requires only inserting a microSD card into the vacuum.
Credit for discovering the two vulnerabilities goes to Positive Technologies researchers Leonid Krolle and Georgy Zaytsev.
Positive Technologies warns that the two vulnerabilities may also affect other Dongguan devices that use the same vulnerable code. This may include DVRs, surveillance cameras, and smart doorbells sold by the same company.
"Positive Technologies followed responsible disclosure practices and alerted the company to these vulnerabilities, allowing time for the flaws to be patched," a spokesperson told Bleeping Computer in an email today.
"Positive Technologies also submitted the vulnerabilities officially (see CVE-2018-10987 and CVE-2018-10987), and discussed the findings at its PHDays security forum in May, 2018," the spokesperson added. "Positive Technologies does not have any information about whether or not the vulnerabilities have been fixed to date."
A Dongguan spokesperson did not respond to a request for comment regarding the availability of any patches before this article's publication.
This is the second time security researchers have found a bug in smart vacuum firmware that lets an attacker take over the device and spy on its owner. Check Point researchers discovered a similar bug affecting LG smart home appliances. In a video published last year, Check Point demoed the bug and showed how they used it to take over a camera-equipped smart vacuum and spy on its owner.