Clavister Blog Staff

IoT security sucks: more vulnerabilities found in robot vacuum cleaners


Researchers have recently discovered vulnerabilities in the Dongguan Diquee 360 robotic vacuum. The Chinese-manufactured cleaner is designed to improve home security while it cleans your floors, using its built-in camera to take photos of users’ homes and sending them notifications if it spots anything sinister while they are out. But the connected vacuum could be sucking up more than just your dust.

Rather than improving home security, the device could leave users at risk of home invasion. Because it has WiFi, a camera with night-vision capability and can be controlled from a smartphone, a compromised unit could subject the user to remote surveillance. It could also be recruited into a botnet for DDoS attacks, like any insecure IoT device.

Connected devices have historically been prone to hacking. The Diquee is not the only connected vacuum cleaner to be vulnerable to cyber criminals—some LG models offered the same functionality and could fall prey to similar issues. Last year, vulnerabilities were discovered in CloudPets smart toys that enabled hackers to spy on children through cuddly cats, unicorns and bears.

But the problem extends far beyond the home. Businesses are already vulnerable to attacks made through IoT devices. Of course, botnet attacks that harness IoT devices to bring down web services are another serious concern which we have discussed in previous blogs.

Forbes predicts that by 2025 we’ll have over 80 billion smart devices on the internet. These will include gadgets relied upon for work, health and personal safety. Our cities will be increasingly connected, and IoT devices will facilitate much of what we do. Meanwhile, if security continues to be treated as anything less than paramount by device manufacturers and users, we will open ourselves up to issues far more sinister than snooping.

IoT devices already pose a security risk to businesses. This year, a London casino lost its high rollers’ database to hackers through an IoT thermometer in the casino’s fish tank. Organisations with a narrow view of their threat surface may already be overlooking the problem. After all, if they consider their environment to consist only of their on-premises and cloud networks, they are leaving many stones unturned.

This is compounded by the fact that security hasn’t been the top priority for IoT device manufacturers. The concept emerged for convenience – easy wireless access and enhanced functionality were key drivers for the first connected devices, and that continues to be the case. But given the damage that can be caused by data breaches and botnet-driven DDoS attacks, it’s clear that security should come first.

While laws and regulations have been planned to mandate additional security in connected devices, this latest exposé is a stark reminder that they aren’t coming soon enough. The US has been planning to legislate this change since 2017. In the EU, discussions on what legislation should include are ongoing, and in the UK, measures are being planned as part of an ongoing five-year security initiative.

Until these changes are mandated, it’s worth remembering that IoT devices are already part of your organisation’s (and home network’s) threat surface and must be treated as such. They should be assessed as soon as they are brought onto the network, access should be carefully managed to eliminate weak default usernames and passwords, and they should be kept segregated from other network devices. In the meantime, we welcome further research that exposes their vulnerabilities before they are exploited by cyber criminals.
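As an added illustration of the segregation advice above (not from the original post or from any vendor), here is an nftables ruleset for a small router that puts IoT devices such as a connected vacuum on their own VLAN: they can reach the Internet for their cloud service, the trusted LAN can reach them, but they can never initiate connections into the LAN and nothing from the Internet is forwarded to them. Interface names and subnets are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interface names and address ranges are assumed.
flush ruleset

define LAN_IF  = "eth0"        # trusted LAN (laptops, NAS) - assumed name
define IOT_IF  = "eth0.20"     # IoT VLAN 20 (vacuum, cameras) - assumed name
define WAN_IF  = "ppp0"        # uplink - assumed name
define LAN_NET = 192.168.1.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed
        ct state established,related accept

        # IoT devices may talk outbound only (cloud app, firmware updates)
        iifname $IOT_IF oifname $WAN_IF ip saddr $IOT_NET accept

        # IoT devices may never open connections into the trusted LAN
        iifname $IOT_IF oifname $LAN_IF log prefix "iot-to-lan: " drop

        # Trusted LAN may manage IoT devices (e.g. the phone app) and reach the Internet
        iifname $LAN_IF oifname $IOT_IF ip daddr $IOT_NET accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept

        # Nothing from the Internet is forwarded to the IoT VLAN
        iifname $WAN_IF oifname $IOT_IF log prefix "wan-to-iot: " drop

        # Anything else is logged and dropped by the chain policy
        log prefix "fwd-drop: " drop
    }
}
```

The two log rules give you a detection signal: a vacuum that suddenly tries to reach the NAS, or an inbound attempt from the Internet, shows up in the kernel log with a recognisable prefix.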