Smart vacuum flaws could give hackers access to camera feed, say security researchers

Researchers at Checkmarx detail security issues discovered with a robot vacuum cleaner.
Written by Danny Palmer, Senior Writer

Security vulnerabilities in a brand of Internet of Things connected vacuum cleaner could allow hackers to gain access to devices, send commands and even monitor live video feeds recorded by the in-built cameras, according to security company researchers.

Researchers at cybersecurity Checkmarx said they have discovered the potential flaws in the Trifo Ironpie M6 smart vacuum cleaner and said they have contacted the manufacturer multiple times but have yet to receive a reply.

By exploiting vulnerabilities, hackers could potentially take control of a vacuum, as well as have the ability to monitor the live video feed produced by the device. Attackers could also gain access to internal mapping data of the area the cleaner patrols and information about the network it is on, potentially including the IP address and location.

"That's a lot of information," Erez Yalon, director of security research at Checkmarx, told ZDNet.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

The Trifo Ironpie is a robot vacuum cleaner, advertised as both a way of keeping carpets clean, and a means of keeping buildings safe from intruders, thanks to the built-in camera.

But researchers found that the camera be accessed, thanks to a combination of the servers communicating with the device lacking proper authentication mechanisms and insecure encryption that allows traffic to be sniffed.

Hacking a vacuum cleaner might sound like an annoyance more than a malicious attack, but it's also possible to combine this with remotely accessing the camera and snooping on live feeds, as well as access to mapping data produced by the Ironpie. 

While attackers would need to be local to a device to take physical control of it, all of the camera feeds can be accessed no matter where the attacker is. The attacker can even be in a different country, as was the case with this research. Researchers aren't fully detailing the vulnerabilities in an effort to protect users.

SEE: Ecovacs Deebot OSMO 920 hands-on: A multi-use robot vacuum with smart app features

"The most severe vulnerability, which would allow an attacker to gain access to a live video feed, house map, and possibly location, from any device, can be executed completely remotely," Yalon explained.

Checkmarx has been attempting to contact Trifo since December and has even sent a copy of the full vulnerability report, but there hasn't been a response or acknowledgement that the vulnerabilities have been noted. ZDNet has also attempted to contact Trifo but hasn't received a response.


Editorial standards