Researchers at Checkmarx investigated the Ironpie M6 smart vacuum cleaner by Trifo, which connects to the internet via WiFi and can be controlled remotely for vacuuming, as well as remote video stream viewing. In their marketing material, Trifo claims of the vacuum: "I keep your home safe from dirt, dust, crumbs, sand and more; and also use my advanced vision system to keep intruders out. I am always alert and never sleep on the job.”
However, Checkmarx found a number of significant vulnerabilities and bad coding practices. "The security concerns of connecting video cameras to the internet should be obvious, and that was one of the motivators behind this research," the company said in a blog post.
This 3-in-1(mopping, vacuuming, sweeping) robot vacuum monitors your home against unwanted intruders. You're an #Ironpie #m6+ away from home cleanness and security#Trifo #m6plus #robotvacuum #vacuumcleaner #homesweethome #homegoal #cleaninghacks #homestyle pic.twitter.com/sRYSnANInu
— Trifo (@TrifoRobotics) September 2, 2019
There are three main components to the Ironpie: the vacuum, the Android mobile phone app, and the backend servers which support the system. Checkmarx found vulnerabilities in a few of these areas.
The app used to work the vacuum remotely, called Trifo Home, is "mostly secure," the researchers found, except for one significant process: the update procedure. Here, the team found that the app updates in a non-standard way. Instead of updating via the Google Play Store, it uses an HTTP request to query the update server.
"An attacker can monitor and easily change the request in transit and force the application to update itself to a malicious version - controlled by an attacker," Checkmarx noted.
Weaknesses were also identified in the programming which connects the vacuum to the servers and the app, as the Ironpie connects to the MQTT servers using an unencrypted connection, only becoming encrypted when it connects. This encryption gap allows hackers to calculate any client ID in the system, which can then be used to hack into the system, or to take control of any vacuum on the system.
This weakness opens up consumers to the possibility that the video feed on their vacuum could be accessed remotely, allowing hackers a view inside their home.
"Hackers can easily get video recordings, map the home location, and obtain the home mapping data performed by the robot. In the office the vacuum cleaner can be used to get photos and videos of the location and map of the room," Checkmarx said in a statement.
The researchers contacted Trifo of their findings as soon as the vulnerabilities were identified, they said, but had not received a response from the company.
"As far as the Checkmarx Research Team knows, the vulnerabilities still exist in the Trifo Ironpie ecosystem," the company said. Consquently they have not released a detailed report on their findings, although they have said they will do so once the vulnerabilities are patched.
While acknowledging that consumers have a tendency to opt for convenience over security, the researchers noted that the weaknesses by Trifo represent "profound misguidance regarding a serious security stance on a self-proclaimed security product."
Erez Yalon, head of security research at Checkmarx commented: "This type of research activity is part of Checkmarx ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting the privacy of consumers and organizations must be a priority for all of us in today’s increasingly connected world."