A critical security flaw has been identified in Shark’s RV2320EDUS robot vacuums, potentially allowing attackers to control other vacuums within the same AWS region. This vulnerability could let hackers access the device’s camera, navigate the robot, and expose Wi-Fi credentials.
Researcher Uncovers Major Flaw
Security researcher tokay0 recently disclosed a method to exploit this flaw, testing it on vacuums he purchased. Despite notifying SharkNinja, the parent company, in March, the issue remains unpatched. The flaw stems from an overly permissive certificate policy that fails to restrict device-specific access on Shark’s cloud services.
The lack of proper scoping in the policy allows any certificate from a Shark vacuum to interact with others, highlighting a critical oversight in device security measures. The misuse of AWS’s IoT policies exacerbates the vulnerability, potentially affecting numerous devices.
Exploiting the Security Weakness
Tokay0 demonstrated the flaw by using an existing certificate to monitor network traffic and execute commands on other devices. By subscribing to certain AWS topics, he was able to gather serial numbers and issue commands, exploiting a field in the device shadow.
The researcher highlighted how the vulnerability allows attackers to gain root access without the need for memory corruption or privilege escalation. This ease of exploitation poses a severe risk to the affected devices, making them vulnerable to unauthorized control.
Response and Mitigation
Despite the severity, SharkNinja has not yet issued a patch or public statement addressing the vulnerability. The company’s current policy suggests regular updates for unresolved vulnerabilities, yet this flaw remains unaddressed months after initial disclosure.
For now, the only viable mitigation for users is disconnecting affected devices from Wi-Fi, which disables app functionalities. Until a server-side fix is implemented by SharkNinja, the risk persists, leaving users with limited options to secure their devices.
Tokay0 has refrained from releasing exploit scripts to allow time for a fix. However, the lack of communication from both SharkNinja and MITRE regarding a CVE identifier reflects a significant gap in the vulnerability management and response process.
Looking Ahead
The discovery of this flaw underscores the importance of robust security measures in IoT devices. It highlights the need for manufacturers to rigorously audit their systems and respond swiftly to vulnerabilities. Until a comprehensive fix is provided, the risk to Shark vacuum owners remains substantial.
As the industry grapples with the challenge of securing connected devices, continuous vigilance and proactive measures are essential to safeguarding consumer products against cyber threats.
