It may sound unbelievable, but it is true: a cybersecurity firm has found vulnerabilities in the Diqee camera robotic vacuum cleaner. The device could be hijacked to intercept traffic on your Wi-Fi network, and attackers could turn the vacuum cleaner into a video surveillance device.
What is the Diqee Camera Robotic Vacuum Cleaner?
This vacuum cleaner has size advantages and offers video calling, Wi-Fi remote control, and a 360-degree camera with night vision that uses photoelectric detection and imaging technology. Users operate the vacuum through its app, controlling it from their smartphones over Wi-Fi.
What are the vulnerabilities in the robotic vacuum?
According to security experts at Positive Technologies, the researchers found two vulnerabilities. The first bug is a remote code execution (RCE) flaw located in the REQUEST_SET_WIFIPASSWD function (UDP command 153) of the vacuum.
An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in the execution of a command with superuser rights on the vacuum.
To exploit the second bug attackers need physical access. A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism. After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check.
Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.
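The missing control in the second bug is a signature check before anything from the card runs. The following is an added example, not the vendor's or the researchers' code: an update gate that stages files from upgrade_360 to internal storage and accepts them only if each has a valid detached signature. The function names, the .sig naming, the key location and the presence of the openssl CLI on the device are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: PUBKEY is the vendor's public key kept in
# read-only firmware, and every update file ships with FILE.sig beside it.

# stage_verified_update SRC_DIR PUBKEY STAGE_DIR
# Copies each file to internal storage and verifies the copy, so the bytes
# that were checked are the bytes that later run. Returns 0 only when every
# file verified; on any failure the staging directory is removed.
stage_verified_update() {
    src=$1 pubkey=$2 stage=$3 staged=0
    rm -rf "$stage"
    mkdir -p "$stage" || return 2
    for f in "$src"/*; do
        case $f in *.sig) continue ;; esac
        name=${f##*/}
        # Regular files only (no symlinks or directories), signature required.
        if [ -f "$f" ] && [ ! -L "$f" ] &&
           cp "$f" "$stage/$name" &&
           cp "$f.sig" "$stage/$name.sig" 2>/dev/null &&
           openssl dgst -sha256 -verify "$pubkey" \
               -signature "$stage/$name.sig" "$stage/$name" >/dev/null 2>&1
        then
            staged=$((staged + 1))
        else
            echo "update rejected: $name" >&2
            rm -rf "$stage"
            return 1
        fi
    done
    # An empty folder or one holding only .sig files is not an update.
    [ "$staged" -gt 0 ] || { rm -rf "$stage"; return 1; }
}

# make_demo_card DIR: constructed test input. Writes a throwaway P-256 key
# pair and DIR/upgrade_360/update.sh with a valid detached signature.
make_demo_card() {
    mkdir -p "$1/upgrade_360" || return 2
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/priv.pem" &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" &&
    printf 'echo "firmware 1.0"\n' > "$1/upgrade_360/update.sh" &&
    openssl dgst -sha256 -sign "$1/priv.pem" \
        -out "$1/upgrade_360/update.sh.sig" "$1/upgrade_360/update.sh"
}
```

An updater built this way executes only what is in the staging directory, never the card itself.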
Vulnerabilities in Internet of Things (IoT) devices have been found many times. For example, the same security firm found a critical vulnerability in the firmware of Dahua IP cameras, which are used for video surveillance in banking, energy, telecommunications, transportation, and smart homes. Attackers could have exploited the vulnerability to intercept and modify video traffic from an enormous number of IP cameras worldwide.
Last month we reported that security researchers at VDOO found zero-day vulnerabilities in IoT products. The company found vulnerable devices among Axis security cameras. The vulnerabilities allow an adversary who has obtained the camera's IP address to remotely take over the cameras (via LAN or internet).