Vacuum Cleaning Security—Pinky and the Brain Edition

Conference: Defcon 27

The presentation discusses the security implications of a robotic vacuum cleaner that is connected to two clouds, and the importance of a sound root of trust in IoT ecosystems.
  • The robotic vacuum cleaner is connected to two clouds: the Beehive cloud for user accounts and the Denali cloud for studying the cleaning process.
  • The robot uses secure boot and signed firmware updates to prevent tampering.
  • A secret key and an RSA key are used for authentication between the robot, the smartphone app, and the cloud.
  • The time shift variable used in the secret key computation has a vulnerability that allows arbitrary users to read privileged process memory.
  • The presenters discovered a buffer overflow vulnerability in the astral binary, which connects to the nuclear cloud, that allows unauthenticated remote code execution.
  • Securing IoT ecosystems requires a sound root of trust and careful consideration of which components are trusted.
  • Developers should test the root of trust and ensure that compromising one component does not undermine the security of the others.
The presenters found that the time shift variable used in the secret key computation had a vulnerability that allowed arbitrary users to read privileged process memory. This vulnerability could be exploited by invoking the 'su' process to gain privileges and read the privileged /etc/shadow file. The fix for this vulnerability is to validate the authentication headers in the cloud. The anecdote illustrates the importance of testing the root of trust and considering which components are trusted in IoT ecosystems.


Data collected by vacuum cleaning robot sensors is highly privacy-sensitive, as it includes details and metadata about consumers’ habits, how they live, when they work or invite friends, and more. Connected vacuum robots are not as low-budget as other IoT devices, and vendors indeed invest in their security. This makes vacuum cleaning robot ecosystems interesting for further analysis to understand their security mechanisms and derive takeaways. In this talk we discuss the security of the well-protected Neato and Vorwerk ecosystems. Their robots run the proprietary QNX operating system, are locally protected with secure boot, and use various mechanisms that ensure authentication and encryption in the cloud communication. Nonetheless, we were able to bypass substantial security components and even gain unauthenticated privileged remote execution on arbitrary robots. We present how we dissected ecosystem components, including a selection of vacuum robot firmware images and their cloud interactions.