Security researchers from Positive Technologies have released public details on two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners.

The two vulnerabilities allow an attacker to run malicious code on a device with superuser privileges and effectively take over the vacuum.

“Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks,” said Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies.

“But that’s not even the worst-case scenario, at least for owners,” she adds. “Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner.”

Technical details published today

The two vulnerabilities are CVE-2018-10987 and CVE-2018-10988. The first one can be exploited remotely, while the second needs physical access to the device.

The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices ship with a default password of 888888 for the admin account, which very few users change. An attacker can simply bake that default into the exploit chain, so the authentication requirement is not much of a barrier in practice.

An authenticated attacker can send a specially crafted UDP packet and execute commands on the vacuum cleaner as root. The bug is in the handler for REQUEST_SET_WIFIPASSWD (UDP command 153): the device builds the command line “/mnt/skyeye/ %s”, and the attacker supplies the value that replaces the %s placeholder. Because that value is spliced straight into a command line that runs as root, a crafted Wi-Fi password becomes arbitrary command execution on the device.
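As an added illustration, not code from Positive Technologies or from the Diqee firmware, the C below shows the pattern the advisory describes: a handler that pastes the attacker-controlled value into a shell command line (which the real firmware would then hand to something like system()), beside a hardened handler that allowlists the value and passes it as a single argv element with no shell in between. The script name set_wifi.sh, the packet layout (a command-id byte followed by a NUL-terminated password) and the allowlist rules are assumptions for the example; the page itself only shows the /mnt/skyeye/ prefix and command id 153.

```c
/* Added example: vulnerable vs. hardened handling of a UDP "set Wi-Fi
 * password" command. Not the vendor's code; script name, packet layout and
 * allowlist are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_SET_WIFIPASSWD 153   /* UDP command id named in the advisory */
#define MAX_PASSWD 63            /* WPA2 passphrase maximum length */
#define MAX_CMD 128

/* Hypothetical helper script; the page only shows the "/mnt/skyeye/" prefix. */
static const char *WIFI_SCRIPT = "/mnt/skyeye/set_wifi.sh";

/* Vulnerable pattern: the attacker-supplied value is pasted into a shell
 * command line. Firmware that passes out[] to system() runs it through
 * /bin/sh as root, so a "password" of "pw12345; reboot" also runs reboot.
 * Returns 0 and fills out[] with the command line, -1 if it does not fit. */
int build_cmd_vulnerable(const char *passwd, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s %s", WIFI_SCRIPT, passwd);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check (assumed policy): sane length and only characters that
 * can never be interpreted as shell syntax. Returns 1 if acceptable. */
int wifi_passwd_is_valid(const char *p) {
    size_t len = strlen(p);
    if (len < 8 || len > MAX_PASSWD) return 0;
    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv vector so the value
 * travels as one argument and is never parsed by a shell. argv must have
 * room for 3 pointers. Returns 0 on success, -1 if the value was rejected. */
int build_argv_hardened(const char *passwd, const char *argv[3]) {
    if (!wifi_passwd_is_valid(passwd)) return -1;
    argv[0] = WIFI_SCRIPT;
    argv[1] = passwd;
    argv[2] = NULL;
    return 0;
}

/* Run an argv vector directly (fork + execv, no shell).
 * Returns the child's exit status, or -1 on failure. */
int exec_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Parser for the assumed packet layout: byte 0 is the command id, the rest
 * is a NUL-terminated password. Returns the command id, or -1 if malformed. */
int parse_packet(const uint8_t *pkt, size_t len, char *passwd, size_t plen) {
    if (len < 2 || pkt[len - 1] != '\0' || len - 1 > plen) return -1;
    memcpy(passwd, pkt + 1, len - 1);
    return pkt[0];
}

int main(void) {
    /* Constructed payload: command 153 followed by an injection string. */
    const uint8_t pkt[] = { CMD_SET_WIFIPASSWD, 'p','w','1','2','3','4','5',
                            ';',' ','r','e','b','o','o','t','\0' };
    char passwd[MAX_PASSWD + 1], cmd[MAX_CMD];
    const char *argv[3];

    if (parse_packet(pkt, sizeof pkt, passwd, sizeof passwd) != CMD_SET_WIFIPASSWD)
        return 1;
    build_cmd_vulnerable(passwd, cmd, sizeof cmd);
    printf("vulnerable handler would system(): %s\n", cmd);
    printf("hardened handler accepts the value: %s\n",
           build_argv_hardened(passwd, argv) == 0 ? "yes" : "no");

    /* Demonstrate the no-shell path with /bin/echo standing in for the script:
     * the ';' and "reboot" are printed as literal text, not executed. */
    char *const demo[] = { "/bin/echo", passwd, NULL };
    printf("echo exit status: %d\n", exec_no_shell(demo));
    return 0;
}
```

The point is the combination: a tight allowlist on the value and an exec-style call that never consults a shell. Either alone helps, but quoting the value for a shell is fragile, and an allowlist alone still leaves the string one refactor away from a system() call.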

The second vulnerability, the one which requires physical access, can be exploited to replace the device’s firmware with a malicious version and requires only inserting a…