Tomcat
Researchers at the Israeli company Checkmarx have discovered vulnerabilities in Trifo Ironpie M6 smart vacuum cleaners that allow unauthorized persons to gain remote access to them.
Ironpie M6 vacuum cleaners connect to the Internet via Wi-Fi. Users can control them remotely with the Android app and watch the cleaning process through the built-in camera. The whole system is coordinated by a back-end server. However, for all its convenience, the Ironpie M6 poses a threat to user privacy.
The ability to turn on the camera remotely over the Internet attracted the attention of the Checkmarx researchers. During their study they found vulnerabilities and errors in the code. The Trifo Home Android app proved to be "predominantly secure," with the exception of its update mechanism. The app does not receive updates in the standard way through the Google Play Store, but through a plain HTTP request to the vendor's server. Because that request is neither encrypted nor authenticated, an attacker on the network path can intercept it and spoof the response, so that the app fetches and installs a malicious update.
There were also problems with the connection between the vacuum cleaner, the server and the app. The Ironpie M6 connects to its MQTT servers over an unencrypted connection, which is only switched to encryption after the connection has been established. This encryption gap lets attackers compute the client ID of any device in the system and, with it, take control of the vacuum cleaner. An attacker can then access the vacuum cleaner's camera and watch what is happening in the victim's home.
Having discovered the vulnerabilities, the researchers immediately notified the manufacturer, but Trifo ignored the report.
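The update-channel flaw described above (an app that trusts whatever a plain HTTP update request returns) is the kind of thing a code reviewer can make concrete. The following Go program is an added example written for this post; it is not Trifo's code, and the manifest layout, URLs, key material and APK bytes are all constructed for the demonstration. It puts a client that mirrors the flaw beside a hardened one that requires an https download URL, verifies an Ed25519 signature from a pinned vendor key over the update manifest, and checks the downloaded bytes against the signed digest. The point it shows is that a digest delivered over the same unauthenticated channel as the update is worthless, because a man-in-the-middle controls both, whereas a signature from a key the attacker does not hold cannot be forged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// UpdateResponse models what an update endpoint returns. The field layout is
// an assumption made for this example, not Trifo's real wire format.
type UpdateResponse struct {
	Version   string
	URL       string // where the client downloads the APK from
	SHA256    string // hex digest the server claims for the APK bytes
	Signature []byte // Ed25519 signature over manifestBytes (hardened client only)
}

// manifestBytes is the exact byte string the vendor signs and the client verifies.
func manifestBytes(r UpdateResponse) []byte {
	return []byte(r.Version + "\n" + r.URL + "\n" + r.SHA256 + "\n")
}

// SignUpdate is the vendor-side step; the private key stays on the build server.
func SignUpdate(priv ed25519.PrivateKey, version, dl string, apk []byte) UpdateResponse {
	sum := sha256.Sum256(apk)
	r := UpdateResponse{Version: version, URL: dl, SHA256: hex.EncodeToString(sum[:])}
	r.Signature = ed25519.Sign(priv, manifestBytes(r))
	return r
}

// VulnerableAccept mirrors the flaw in the post: the client trusts whatever the
// plain-HTTP update request returned. Comparing the APK against a digest that
// arrived over the same unauthenticated channel proves nothing, because a
// man-in-the-middle supplies both the digest and the APK.
func VulnerableAccept(r UpdateResponse, apk []byte) bool {
	sum := sha256.Sum256(apk)
	return hex.EncodeToString(sum[:]) == r.SHA256
}

// HardenedAccept accepts only if the download URL is https, the manifest carries
// a valid signature from the pinned vendor key, and the APK matches the signed digest.
func HardenedAccept(pub ed25519.PublicKey, r UpdateResponse, apk []byte) error {
	u, err := url.Parse(r.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL must use https")
	}
	if !ed25519.Verify(pub, manifestBytes(r), r.Signature) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	sum := sha256.Sum256(apk)
	if hex.EncodeToString(sum[:]) != r.SHA256 {
		return errors.New("APK digest does not match signed manifest")
	}
	return nil
}

// Outcome records what each client decided in the constructed scenarios.
type Outcome struct {
	GenuineAccepted    bool // hardened client, legitimate update
	SpoofVulnerable    bool // vulnerable client, attacker-supplied update
	SpoofHardened      bool // hardened client, attacker-supplied update
	SwappedAPKHardened bool // hardened client, genuine manifest but substituted APK
}

// Scenario plays a spoofed update against both clients. Keys, APK bytes and
// URLs are constructed here for the example; nothing is fetched from the network.
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuineAPK := []byte("constructed: genuine app build 1.2.3")
	maliciousAPK := []byte("constructed: trojaned build")

	genuine := SignUpdate(vendorPriv, "1.2.3", "https://updates.example/app-1.2.3.apk", genuineAPK)
	// The attacker answering the plaintext HTTP request can point at an https URL
	// and sign with their own key; they cannot produce a signature the pinned
	// vendor key accepts.
	spoof := SignUpdate(attackerPriv, "9.9.9", "https://attacker.example/app.apk", maliciousAPK)

	var o Outcome
	o.GenuineAccepted = HardenedAccept(vendorPub, genuine, genuineAPK) == nil
	o.SpoofVulnerable = VulnerableAccept(spoof, maliciousAPK)
	o.SpoofHardened = HardenedAccept(vendorPub, spoof, maliciousAPK) == nil
	o.SwappedAPKHardened = HardenedAccept(vendorPub, genuine, maliciousAPK) == nil
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints an Outcome in which only GenuineAccepted and SpoofVulnerable are true: the vulnerable client installs the attacker's build, while the hardened client rejects both the spoofed manifest and a genuine manifest paired with substituted bytes. The https requirement alone would not have saved the vulnerable client, since the attacker can name any URL in a spoofed response; the signature over the manifest is what binds version, URL and digest to the vendor.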