The Hacker News reports that a critical vulnerability has been discovered in Shark robot vacuums, potentially allowing attackers to gain root access and control other devices in the same AWS region.A researcher, known as tokay0, detailed how a flawed policy attached to a certificate on Shark RV2320EDUS robot vacuums enables attackers to execute root commands on other Shark vacuums. By extracting a certificate from a vacuum, an attacker can bypass security measures and send commands to any device served by Shark's cloud broker. This allows for actions such as accessing the vacuum's camera feed, controlling its movement, reading house maps, and stealing Wi-Fi passwords.The vulnerability stems from a policy that is not scoped to the specific device, a known critical issue flagged by AWS IoT Device Defender. Despite the researcher reporting the flaw to SharkNinja in March, the company has not yet released a patch, leaving millions of devices potentially exposed. The fix is server-side and does not require a firmware update, but until it is implemented, the only mitigation for users is to disconnect their vacuums from Wi-Fi.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




