The camera of the Chinese-made Diqee Camera Robotic Vacuum Cleaner, intended to be a home security feature, can be compromised, giving hackers the ability to view footage as they drive the device around your home.
While some high-end robotic vacuums, like the iRobot Roomba 980, use a camera to help them navigate their surroundings, the Diqee uses a camera to turn the device into a surveillance system. The idea is, as the vacuum charges its batteries or drives around your home to clean the carpets, you can remotely view the camera feed to check in on your property.
Now, however, security researchers have found the robotic vacuum is susceptible to two different hacks. The first gives hackers 'superuser rights' over the device, letting them control it and remotely drive it around your home, which is pretty creepy. The second vulnerability allows hackers to view footage from the camera.
Researchers from Positive Technologies, an international cybersecurity firm headquartered in Boston, US, discovered the flaws, which the firm claims likely affect other products made by Diqee - like video doorbells and security cameras - and also devices it produces for other brands.
Leigh-Anne Galloway, leader of the firm's Cyber Security Resilience division, said: "Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that's not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner."
Positive Technologies explains how 'superuser rights' can be obtained remotely and without physical access to the vacuum cleaner - a process made easier because the default login details use the name 'admin' and the password '888888'.
To take control of the camera, however, hackers need physical access to the robot - and enough time to fit a microSD card loaded with firmware which can be installed "without any digital security check". Slotting in the card and restarting the device causes it to perform a software update, wilfully installing the malicious software without performing any checks.
After this, hackers would have control of the robot's movements, access to its camera feed, and a way to start secretly attacking other devices on the same Wi-Fi network, Positive Technologies said.
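The missing safeguard in the microSD update path is a signature check on the firmware image before it is installed. The sketch below is an added example, not code from Diqee or Positive Technologies; the image layout (payload followed by an RSA signature), the function names and the demo key built from two Mersenne primes are assumptions made for illustration.

```python
import hashlib

# Constructed DEMO key: two Mersenne primes, trivially factorable, never use for real.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-side private exponent (never ships on the device)
K = (N.bit_length() + 7) // 8       # modulus length in bytes, also the signature length

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(payload: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(payload), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(payload).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign_image(payload: bytes) -> bytes:
    """Vendor build step: append an RSA signature to the firmware payload."""
    return payload + pow(encode(payload), D, N).to_bytes(K, "big")

def verify_image(image: bytes) -> bool:
    """Device-side check before flashing; needs only the public key (N, E)."""
    if len(image) <= K:
        return False                      # too short to carry a signature
    payload, sig = image[:-K], int.from_bytes(image[-K:], "big")
    if sig >= N:
        return False
    # Rebuild the expected encoding and compare whole values instead of
    # parsing the padding, which avoids lenient-parser forgery bugs.
    return pow(sig, E, N) == encode(payload)

def apply_update(image: bytes) -> str:
    """Hypothetical updater entry point: flash only verified images."""
    return "flashed" if verify_image(image) else "rejected"

if __name__ == "__main__":
    good = sign_image(b"DEMO-FW v1.2 " + bytes(64))   # constructed sample image
    tampered = bytes([good[0] ^ 1]) + good[1:]        # one bit flipped in the payload
    unsigned = b"DEMO-FW v9.9 " + bytes(256)          # image with no valid signature
    for name, img in [("signed", good), ("tampered", tampered), ("unsigned", unsigned)]:
        print(name, apply_update(img))
```

With a check like this in place, a card carrying an unsigned or modified image is rejected at the update step rather than flashed on restart.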
In October 2017, security researchers from Check Point discovered a similar vulnerability with robotic vacuum cleaners produced by LG, where hackers could take control of the Hom-Bot device and access a live video stream from its camera. Affecting LG's ThinQ smart home system, the vulnerability made it possible to control other connected devices too, like smart dishwashers and washing machines.