Unpatched Security Flaws Open Connected Vacuum to Takeover
2020-02-26 14:00

SAN FRANCISCO - Researchers have discovered several high-severity vulnerabilities in a connected vacuum cleaner.

The security holes could give remote attackers the capability to launch an array of attacks - from a denial-of-service attack that renders the vacuum unusable to viewing private home footage through the vacuum's embedded camera.

Once they use this attack to obtain the vacuum client ID, attackers can then connect to the MQTT servers using the ID - allowing them to take full control of the vacuum.

After taking control of the vacuum, attackers can then carry out an array of attacks, including viewing the video feed on the vacuum, as well as crashing the vacuum cleaner.

"While the privacy issues with Trifo devices are clearly concerning, the bigger topic that needs to be addressed revolves around bringing connected devices into our personal, private environments - especially ones embedded with cameras and microphones. As we continue to prioritize convenience in our day-to-day lives via devices like this smart vacuum, consumers must recognize, understand, and address as best as possible the corresponding security risks. The device manufacturers themselves must also place a higher emphasis on the security of today's consumer-facing devices," Yalon told Threatpost.


News URL

https://threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/