CVE-2024-52327

ECOVACS lawnmower and vacuum cloud service live video PIN bypass

CVSS: 6 (MEDIUM) | EPSS: 0.5% | CWE-603, CWE-807
In short

ECOVACS robot lawnmowers and vacuums have a security flaw that lets someone who is already logged into the cloud service skip the PIN protection and watch the live video feed. This is a problem because the PIN was meant to be an extra security layer to keep your home's video private.

Technical detail

Authenticated attackers can bypass the PIN verification that the ECOVACS cloud service requires before granting access to the live video feed of a connected device. Exploitation requires prior authentication to the cloud account, but it circumvents the additional authorization control, so an account holder who should still be stopped by the PIN can view the feed. The weakness is classified as CWE-603 (Use of Client-Side Authentication) and CWE-807 (Reliance on Untrusted Inputs in a Security Decision): the PIN check is not enforced, or not enforced reliably, on the server side.

Summary generated and translated by AI from the official description.
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
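The two CWEs above describe a PIN gate that the server does not enforce itself. The following added example (not ECOVACS code, and not the actual reported mechanism; device names, PIN and grant lifetime are constructed) contrasts a generic CWE-807 pattern, where the service trusts a client-supplied "PIN already verified" flag, with a server-side check that issues a short-lived grant only after it has compared the PIN itself.

```python
import hashlib
import hmac
import time

# Constructed sample data: one cloud account owning one device, PIN stored as a salted hash.
_SALT = b"constructed-salt"
DEVICES = {"mower-01": {"owner": "alice",
                        "pin_hash": hashlib.sha256(_SALT + b"4821").hexdigest()}}
# Server-side grants: (device_id, user) -> expiry timestamp (hypothetical store)
_GRANTS = {}
GRANT_SECONDS = 300


def _owns(user, device_id):
    dev = DEVICES.get(device_id)
    return dev is not None and dev["owner"] == user


def vulnerable_video_access(user, device_id, request):
    """Weak pattern (CWE-807): the authorization decision depends on a flag the
    client sends, so any authenticated owner can claim the PIN step happened."""
    if not _owns(user, device_id):
        return None
    if request.get("pin_verified"):        # attacker-controlled input decides
        return "stream-url"
    return None


def verify_pin(user, device_id, pin, now=None):
    """Hardened: the server compares the PIN itself (constant-time) and records
    a time-limited grant; nothing the client asserts is trusted."""
    if not _owns(user, device_id):
        return False
    candidate = hashlib.sha256(_SALT + pin.encode()).hexdigest()
    if not hmac.compare_digest(candidate, DEVICES[device_id]["pin_hash"]):
        return False
    _GRANTS[(device_id, user)] = (now or time.time()) + GRANT_SECONDS
    return True


def hardened_video_access(user, device_id, request, now=None):
    """Ignores any client claim; only a live server-side grant unlocks the stream."""
    if not _owns(user, device_id):
        return None
    expiry = _GRANTS.get((device_id, user))
    if expiry is None or (now or time.time()) > expiry:
        return None
    return "stream-url"
```

A real service would also rate-limit verify_pin attempts and log failures, since a short numeric PIN is guessable without them.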
