Security researchers from Positive Technologies have released public details on two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners.

The two vulnerabilities allow an attacker to run malicious code on a device with superuser privileges and effectively take over the vacuum.

"Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks," said Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies.

"But that's not even the worst-case scenario, at least for owners," she adds. "Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner."

Technical details published today

The two vulnerabilities are CVE-2018-10987 and CVE-2018-10988. The first one can be exploited remotely, while the second needs physical access to the device.

The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices ship with a default password of 888888 for the admin account, which very few users change, so attackers can simply build that credential into their exploit chain.

An authenticated attacker can send a specially crafted UDP packet and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153): the handler runs "/mnt/skyeye/mode_switch.sh %s" with the attacker-supplied value substituted for the %s placeholder, so shell metacharacters in the new Wi-Fi password are interpreted as additional commands, all executed with root privileges.
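The sink above is a classic command-injection pattern: a format string turned into a shell command. The following script is an added illustration, not Positive Technologies' exploit and not the Diqee firmware; it reproduces the pattern in shell terms (a string handed to `sh -c`, which is what system() does) and puts the hardened handler beside it. The mode_switch.sh stand-in, the temporary directory and the `touch` payload are constructed for the demo; the real script is not needed.

```shell
#!/bin/sh
# Added example, not Positive Technologies' PoC or Dongguan firmware code.
# Reproduces the REQUEST_SET_WIFIPASSWD sink: the caller-supplied Wi-Fi
# password is formatted into "/mnt/skyeye/mode_switch.sh %s" and the whole
# string is handed to a shell, exactly what system() does.

WORK=$(mktemp -d)
MODE_SWITCH="$WORK/mode_switch.sh"   # stands in for /mnt/skyeye/mode_switch.sh

# The stand-in script only records the single argument it was given.
cat > "$MODE_SWITCH" <<'EOF'
#!/bin/sh
printf '%s\n' "$1" > "$(dirname "$0")/received_arg"
EOF
chmod +x "$MODE_SWITCH"

# Vulnerable handler: the password is spliced into a command line and the
# line is parsed by a shell, so "; cmd" in the password runs cmd as root.
set_wifi_passwd_vulnerable() {
    sh -c "$MODE_SWITCH $1"
}

# Hardened handler: bound the passphrase length and pass it as ONE argv
# element. No shell ever parses it, so metacharacters are just bytes.
set_wifi_passwd_hardened() {
    pw=$1
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 63 ] || return 1   # WPA2 passphrase bounds
    "$MODE_SWITCH" "$pw"
}

# Helpers for the demo and for checks.
reset_state()          { rm -f "$WORK/pwned" "$WORK/received_arg"; }
injected_command_ran() { [ -e "$WORK/pwned" ]; }
received_arg()         { cat "$WORK/received_arg" 2>/dev/null; }

# Constructed payload: a harmless marker file stands in for the attacker's
# real command (a bind shell, a botnet dropper, ...).
PAYLOAD="x; touch $WORK/pwned"

reset_state
set_wifi_passwd_vulnerable "$PAYLOAD"
injected_command_ran && echo "vulnerable: injected command ran; script saw only '$(received_arg)'"

reset_state
set_wifi_passwd_hardened "$PAYLOAD"
injected_command_ran || echo "hardened: nothing injected; script saw '$(received_arg)'"
```

The fix is not quoting or escaping inside the format string (which is fragile) but never routing untrusted data through a shell at all: in the firmware's C this means fork() plus execv() with the password as its own argv entry instead of system(). The default 888888 password makes the "authenticated" precondition almost meaningless, so the handler has to be safe on its own.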

The second vulnerability, the one which requires physical access, can be exploited to replace the device's firmware with a malicious version and requires only inserting a microSD card into the vacuum.

An update routine built into the firmware runs at boot and looks for an update folder on the microSD card. If it finds one, it executes upgrade.sh as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname without checking any digital signature, so anyone who can insert a card can run arbitrary code as root and flash their own firmware.
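What a safe version of that boot-time step looks like is shown below. This is an added example, not the Diqee updater and not code from Positive Technologies: it keeps the same search order over the card, but copies the candidate off the removable media, verifies a detached RSA-SHA256 signature against a vendor public key that lives in the read-only firmware image, and only then runs it. The mount point, the PRO_NAME default, the key path and the ".sig" suffix are assumptions for the demo, not values from the advisory.

```shell
#!/bin/sh
# Added example, not Diqee firmware code. Hardened stand-in for the boot-time
# microSD update step: refuse anything that is not signed by the vendor key.

SDCARD=${SDCARD:-/mnt/sdcard}                       # assumed card mount point
PRO_NAME=${PRO_NAME:-diqee360}                      # assumed product name
VENDOR_PUBKEY=${VENDOR_PUBKEY:-/etc/vendor_update.pub}   # in firmware, never on the card

# Same search order as the vulnerable updater: the first existing candidate wins.
find_upgrade_script() {
    for p in "$SDCARD/$PRO_NAME/upgrade.sh" "$SDCARD/upgrage_360/upgrade.sh"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Detached signature check. Fails closed on a bad signature, a missing key,
# or openssl itself being absent (exit 127).
verify_update_script() {
    openssl dgst -sha256 -verify "$VENDOR_PUBKEY" -signature "$2" "$1" >/dev/null 2>&1
}

# Returns 2 if no update is on the card, 1 if one was present but refused,
# otherwise the exit status of the update script itself.
run_update_if_signed() {
    src=$(find_upgrade_script) || return 2
    [ -f "$src.sig" ] || return 1
    stage=$(mktemp -d) || return 1
    # Copy script and signature off the card first so the bytes we verify
    # are the bytes we run (no card swap between check and use).
    cp "$src" "$stage/upgrade.sh" && cp "$src.sig" "$stage/upgrade.sh.sig" || { rm -rf "$stage"; return 1; }
    if verify_update_script "$stage/upgrade.sh" "$stage/upgrade.sh.sig"; then
        sh "$stage/upgrade.sh"; rc=$?
    else
        rc=1
    fi
    rm -rf "$stage"
    return $rc
}

# At boot the firmware would call the updater unconditionally; here it is
# gated behind RUN_UPDATER=1 so the file can be sourced for the checks below.
if [ "${RUN_UPDATER:-0}" = 1 ]; then
    run_update_if_signed
    echo "update step returned $?"
fi
```

Signing the script is necessary but not sufficient: the private key must stay with the vendor, the public key must not be replaceable from the card, and a real updater would also verify the firmware image the script flashes and enforce a version floor against rollback to an older, vulnerable build.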

Credit for discovering the two vulnerabilities goes to Positive Technologies researchers Leonid Krolle and Georgy Zaytsev.

Positive Technologies warns that the two vulnerabilities may also affect other Dongguan devices that use the same vulnerable code. This may include DVRs, surveillance cameras, and smart doorbells sold by the same company.

No information available on patches

"Positive Technologies followed responsible disclosure practices and alerted the company to these vulnerabilities, allowing time for the flaws to be patched," a spokesperson told Bleeping Computer in an email today.

"Positive Technologies also submitted the vulnerabilities officially (see CVE-2018-10987 and CVE-2018-10988), and discussed the findings at its PHDays security forum in May, 2018," the spokesperson added. "Positive Technologies does not have any information about whether or not the vulnerabilities have been fixed to date."

A Dongguan spokesperson did not respond to a request for comment on the availability of any patches before this article's publication.

This is the second time security researchers have found a bug in smart vacuum firmware that lets an attacker take over the device and spy on its owner. Check Point researchers discovered a similar bug affecting LG smart home appliances. In a video published last year, Check Point demoed the bug and showed how they used it to take over a camera-equipped smart vacuum and spy on its owner.