Unpatched Shark vacuum flaw lets attackers control millions of devices remotely

A certificate flaw in Shark robot vacuums allows attackers to command any device in the same AWS region, accessing cameras and home Wi-Fi networks.

CSBadmin
1 Min Read

A researcher has disclosed an unpatched vulnerability in Shark robot vacuums that allows attackers to take full control of other customers devices across the same Amazon Web Services region. By physically extracting a certificate from a Shark RV2320EDUS vacuum flash storage, an attacker can issue root commands to any Shark device sharing the same AWS IoT broker.

Researcher tokay0 published the findings Monday after reporting the flaw to SharkNinja in March. The policy attached to that certificate was never scoped to the device holding it. Present it to Shark cloud broker, and the broker accepts whatever you publish, addressed to any device it serves.

No memory corruption, privilege escalation, or password guessing is required. The vulnerability is purely a misconfigured AWS IoT policy. Once connected, an attacker can watch the vacuum camera, drive the robot, read floor maps of the home, and extract Wi-Fi passwords in plaintext.

Monitoring a single AWS region for 24 hours, the researcher counted 1,517,605 unique Shark serial numbers, of which 673,816 (44%) emitted responses confirming they run the command handler. The fix is entirely server-side. SharkNinja simply needs to replace the overly permissive IoT policy in its AWS account.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.