CVE-2018-10987

Published: 05/07/2018 Updated: 03/10/2019
CVSS v2 Base Score: 8.5 | Impact Score: 10 | Exploitability Score: 6.8
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 756
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Summary

An issue exists on Dongguan Diqee Diqee360 devices. The affected vacuum cleaner suffers from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account.
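The following C sketch is an added example, not code from the device firmware or from this advisory. It assumes the handler formats the received value into the quoted command line for a shell to parse, and that the value is a WPA2 passphrase. It contrasts that pattern with a handler that validates the value and executes the script directly; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define SCRIPT "/mnt/skyeye/mode_switch.sh" /* script path quoted in the summary */

/* Vulnerable pattern (assumed): value pasted into a line a shell parses. */
int build_shell_command(char *out, size_t n, const char *value) {
    return snprintf(out, n, SCRIPT " %s", value);
}

/* 1 if a shell would read some byte of value as syntax instead of data. */
int has_shell_syntax(const char *value) {
    return value[strcspn(value, " \t\n;&|`$<>(){}[]*?!~#'\"\\")] != '\0';
}

/* WPA2 passphrases are 8..63 printable ASCII characters. */
int valid_passphrase(const char *v) {
    size_t len = strlen(v);
    if (len < 8 || len > 63) return 0;
    for (size_t i = 0; i < len; i++)
        if (v[i] < 0x20 || v[i] > 0x7e) return 0;
    return 1;
}

/* Hardened handler: validate, then exec the script directly so the value
 * is one argv element and never reaches a shell parser.
 * Returns the script's exit status, or -1 on rejection or error. */
int run_script_no_shell(const char *script, const char *value) {
    if (!valid_passphrase(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)value, NULL };
        execv(script, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    build_shell_command(cmd, sizeof cmd, "pass;word1"); /* constructed input */
    printf("shell would parse: %s\n", cmd);
    return has_shell_syntax("pass;word1") ? 0 : 1;
}
```

A legitimate passphrase may contain shell metacharacters, so validation alone cannot be the fix; removing the shell from the call path is. The script itself must still quote its parameter (`"$1"`) wherever it uses it.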

Vulnerable Product

diqee diqee360_firmware -

Recent Articles

Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me
The Register • John Leyden • 20 Jul 2018

Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh* Smart? Don't ThinQ so! Hacked robo-vacuum could spy on your home

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos. Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the night-vision camera and mic, and take control of the Roomba rip-off. Think of it as a handy little spy-on-wheels. The security issues, discovered by PT's Leonid Krolle and G...