Smart vacuum cleaners allow hackers to know your house’s location and see you through the camera

Despite repeated demonstrations of how weak the security of smart devices is, manufacturers still do not implement appropriate protection mechanisms, exposing millions of users. The most recent example is the Trifo Ironpie smart vacuum cleaner, analyzed by vulnerability testing specialists.

According to the manufacturer, this robot vacuum cleaner was designed to perform a double task: its fans, placed on a rotating disc, vacuum the user's home, while the camera (mounted on the top surface of the device) works as a safety measure to keep the robot from colliding with its surroundings.

While it seems like a really useful device, vulnerability testing specialists at security firm Checkmarx reported finding multiple security flaws in this Internet-connected device that could be really harmful to the user.

According to the researchers, these vulnerabilities vary in severity. Among the reported flaws, they highlight a bug that allows threat actors to access live streams from the cameras of these devices simply by accessing the Trifo servers. Another of the vulnerabilities found allows hackers to send fake software updates through the vacuum cleaner's app.

Hackers can even connect to the victims' WiFi network, so they could take control of the operation of these devices and intercept their data, which are not encrypted. As if that weren't enough, threat actors could access the maps that the Ironpie records of the house, from which they could determine its location, number of rooms, possible entrances and so on.

Vulnerability testing specialists say the company was notified in December 2019. However, the flaws remain unpatched, so technical details about their exploitation still cannot be disclosed.

"This is a widespread problem in the Internet of Things (IoT) device industry," the International Institute of Cyber Security (IICS) says. In addition, the problem grows as people increasingly use these kinds of devices for their routine tasks, so manufacturers must devise a reliable model for protecting these devices, as they are becoming an important attack vector.