According to its maker, Trifo, the Ironpie home surveillance robot vacuum isn’t just your dust bunnies’ worst nightmare. It also chases intruders away with its “advanced vision system”.
I am always alert and never sleep on the job.
Funny thing about that always alert thing. It’s true, the artificial intelligence (AI) -enhanced internet of things (IoT) robot vacuum can indeed be connected to the internet via Wi-Fi, can be controlled remotely for vacuuming, and can remotely stream out video showing its surroundings, given that – like other IoT gadgets – it comes equipped with a video camera.
But, likewise, it’s similar to other IoT devices in having dusty, fusty security, as was discovered by Checkmarx when its researchers decided to poke at the Ironpie’s security and privacy. Due to multiple security issues – in the nonstandard update procedure that doesn’t happen through the Google Play Store; insecure encryption in the Android app; and lack of proper authentication on the server end – that “always alert” video stream is also always up for grabs to remote attackers if they know how to take a few simple steps.
Checkmarx detailed the vulnerabilities and their repercussions at the RSA Conference in San Francisco last week. Its report is also available on its blog, here, and detailed in a YouTube video.
In the worst of the robot vacuum’s flaws, Checkmarx found that a remote attacker can intercept users’ video streams by accessing Trifo’s servers. Another flaw would let hackers send a fake software update to the vacuum’s app, tricking users into downloading malware.
Checkmarx found that a remote attacker could get at information via MQTT – a machine-to-machine (M2M), IoT connectivity protocol that bridges Trifo’s vacuum, its backend servers, and Trifo’s Home app.
Via MQTT, attackers could get at data such as the SSID of Wi-Fi network to which the vacuum is connected, plus the vacuum’s IP address, MAC address and more. With those pieces of data, an attacker can get a key that can get them remote access to the video feed of all connected, working, Ironpie vacuums, regardless of where they are.
That means, for example, that attackers could remotely access an Ironpie robot vacuum in a corporate office, record confidential conversations, and use its AI capabilities to make a map of the room, Checkmarx says. Using the same simple techniques, an attacker could also easily invade the privacy of a homeowner by spying on a room, its inhabitants and their conversations.
Checkmarx says its researchers reached out to Trifo with details about the vulnerabilities on 16 December 2019, but as of Wednesday, Trifo hadn’t responded. Given that the vulnerabilities still exist, Checkmarx held back details that could lead to exploits.
What to do
Erez Yalon, who contributed to the research, told CNET that users can protect their privacy by disconnecting their Ironpies from Wi-Fi, which will keep the app from working. Another option is to cover up the camera, Yalon said.
There’s no end to the stories about webcams being so-not-secured with default passwords, nor of being prey to hijacking because their owners reuse their passwords… which then get stolen in breaches and subsequently used in credential stuffing attacks. That, in fact, is what recently motivated first Google, with its Nest gadgets, and then Amazon, with its Ring video doorbells, to force users to use two-factor authentication (2FA).
If a website gives you the option to turn on 2FA, take them up it. It’s one way that can help to keep robot vacuums hard at work sucking up crumbs, not your privacy. As more and more IoT devices lacking good security come into people’s homes, we need all the help we can get to avoid those nifty gadgets turning into little hacked prowlers.
Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more…
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.