Smart robotic vacuums are hot in the consumer market right now, as they offer an unprecedented level of convenience and the promise of "auto-cleaning". Every smart device that enters our home, though, brings with it a set of possible privacy and security flaws that can expose our lives and our data to others. Researchers at Checkmarx investigated the field by testing a collection of smart vacuum products and their accompanying applications. Their findings indicate that the owners of these smart vacuum products should be aware of the risks that come with their deployment.
The team focused particularly on Trifo's Ironpie M6 smart vacuum cleaner, as that one features a video camera. Trifo says the camera is there to enable the product to serve as a security system when needed. So, besides cleaning up dirt, dust, and crumbs, Ironpie is also capable of detecting intruders and alerting its owners. To control the vacuuming and to stream the video feed, Ironpie needs to connect to Wi-Fi, and this is where the problems begin. After analyzing the full spectrum of its operation, Checkmarx found two medium-severity and four high-severity vulnerabilities that could enable attackers to push fake updates, access unencrypted data, access the video feed, or launch denial-of-service attacks.
The "Trifo Home" app itself comes with a set of flaws that open the door to potential exploitation. First, it requires the user to install it from outside the Play Store, so the user must first allow installs from unknown sources on the device. Secondly, it doesn't validate update packages, and it checks for a new APK with a plain HTTP request to the Trifo server. And then there's the vacuum, which connects to the MQTT servers without encryption, exposing the client ID to anyone who could be listening. Monitoring the traffic is also possible, as the MAC address is easily guessable, while impersonating the MQTT server and fully taking over the device should be easy for a skilled hacker.
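As an added illustration (this is not Checkmarx's or Trifo's code and is not based on any undisclosed detail), the Go snippet below shows the update-verification step the article says the app lacks: the update must come from an HTTPS source, the manifest must carry a valid vendor signature, and the downloaded package must match the signed digest before anything is installed. The manifest layout, the Ed25519 scheme, the key pair, the URL and the sample package bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// UpdateManifest is a constructed update descriptor signed by the vendor.
type UpdateManifest struct {
	URL       string
	SHA256    string // hex SHA-256 of the APK bytes
	Signature []byte // Ed25519 signature over payload()
}

func (m UpdateManifest) payload() []byte { return []byte(m.URL + "\n" + m.SHA256) }

// SignedManifest is the release-pipeline side (assumed, not the vendor's code).
func SignedManifest(priv ed25519.PrivateKey, url string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	m := UpdateManifest{URL: url, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.payload())
	return m
}

// VerifyUpdate does what the article says the app skips: HTTPS source, valid vendor signature, matching digest.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !strings.HasPrefix(m.URL, "https://") {
		return fmt.Errorf("update URL %q is not HTTPS", m.URL)
	}
	if !ed25519.Verify(pub, m.payload(), m.Signature) {
		return fmt.Errorf("manifest signature invalid")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("package digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's release key
	pkg := []byte("constructed APK bytes")
	m := SignedManifest(priv, "https://updates.example.invalid/app.apk", pkg)
	fmt.Println(VerifyUpdate(pub, m, pkg), VerifyUpdate(pub, m, []byte("swapped")))
}
```

Only the public key ships in the app; a server reachable over plain HTTP, or a package altered in transit, fails one of the three checks and is never installed.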
Checkmarx reported the security flaws in its product to Trifo on December 16, 2019. However, the manufacturer hasn't responded, has not pushed any fixes to the app, and hasn't released any security advisories. Thus, the researchers couldn't disclose the technical details of the exploits just yet. What they did release was a video demonstrating their ability to tap into the video feed of the Ironpie M6.