ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 7.6 | HIGH | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 0.9 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x1_firmware | - |
| ecovacs | airbot_andy_firmware | - |
| ecovacs | deebot_t8_firmware | - |
| ecovacs | deebot_n9_firmware | - |
| ecovacs | deebot_n8_firmware | - |
| ecovacs | deebot_n10_firmware | - |
| ecovacs | deebot_x2_firmware | - |
| ecovacs | airbot_z1_firmware | - |
| ecovacs | airbot_ava_firmware | - |
| ecovacs | deebot_t10_firmware | - |
| ecovacs | deebot_t9_firmware | - |
| ecovacs | deebot_t20_firmware | - |
| ecovacs | goat_g1_firmware | - |
| ecovacs | deebot_900_firmware | - |
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x1_firmware | - |
| ecovacs | airbot_andy_firmware | - |
| ecovacs | deebot_t8_firmware | - |
| ecovacs | deebot_n9_firmware | - |
| ecovacs | deebot_n8_firmware | - |
| ecovacs | deebot_n10_firmware | - |
| ecovacs | deebot_x2_firmware | - |
| ecovacs | airbot_z1_firmware | - |
| ecovacs | airbot_ava_firmware | - |
| ecovacs | deebot_t10_firmware | - |
| ecovacs | deebot_t9_firmware | - |
| ecovacs | deebot_t20_firmware | - |
| ecovacs | goat_g1_firmware | - |
| ecovacs | deebot_900_firmware | - |
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x1_firmware | - |
| ecovacs | airbot_andy_firmware | - |
| ecovacs | deebot_t8_firmware | - |
| ecovacs | deebot_n9_firmware | - |
| ecovacs | deebot_n8_firmware | - |
| ecovacs | deebot_n10_firmware | - |
| ecovacs | deebot_x2_firmware | - |
| ecovacs | airbot_z1_firmware | - |
| ecovacs | airbot_ava_firmware | - |
| ecovacs | deebot_t10_firmware | - |
| ecovacs | deebot_t9_firmware | - |
| ecovacs | deebot_t20_firmware | - |
| ecovacs | goat_g1_firmware | - |
| ecovacs | deebot_900_firmware | - |
ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 9.6 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x5_pro_firmware | * |
| ecovacs | gx-600_firmware | * |
| ecovacs | deebot_x2s_firmware | * |
| ecovacs | goat_g1-2000_firmware | * |
| ecovacs | deebot_x5_pro_ultra_firmware | * |
| ecovacs | deebot_x2_omni_firmware | * |
| ecovacs | deebot_t30_omni_firmware | * |
| ecovacs | goat_g1_firmware | * |
| ecovacs | deebot_x5_pro_plus_firmware | * |
| ecovacs | deebot_x2_combo_firmware | * |
| ecovacs | goat_g1-800_firmware | * |
| ecovacs | deebot_t30s_firmware | * |
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | home | * |
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 2.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | 0.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x1_firmware | - |
| ecovacs | airbot_andy_firmware | - |
| ecovacs | deebot_t8_firmware | - |
| ecovacs | deebot_n9_firmware | - |
| ecovacs | deebot_n8_firmware | - |
| ecovacs | deebot_n10_firmware | - |
| ecovacs | deebot_x2_firmware | - |
| ecovacs | airbot_z1_firmware | - |
| ecovacs | airbot_ava_firmware | - |
| ecovacs | deebot_t10_firmware | - |
| ecovacs | deebot_t9_firmware | - |
| ecovacs | deebot_t20_firmware | - |
| ecovacs | goat_g1_firmware | - |
| ecovacs | deebot_900_firmware | - |
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | home | * |
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x5_pro_firmware | * |
| ecovacs | deebot_t10_omni_firmware | * |
| ecovacs | deebot_x2s_firmware | * |
| ecovacs | deebot_t10_turbo_firmware | * |
| ecovacs | deebot_x5_pro_ultra_firmware | * |
| ecovacs | deebot_x1e_omni_firmware | * |
| ecovacs | deebot_x2_omni_firmware | * |
| ecovacs | mate_x_firmware | * |
| ecovacs | deebot_x1_turbo_firmware | * |
| ecovacs | deebot_x1s_pro_plus_firmware | * |
| ecovacs | deebot_x1_firmware | * |
| ecovacs | deebot_x1_pro_omni_firmware | * |
| ecovacs | deebot_x5_pro_plus_firmware | * |
| ecovacs | deebot_x1s_pro_firmware | * |
| ecovacs | deebot_x2_pro_firmware | * |
| ecovacs | deebot_x2_combo_firmware | * |
| ecovacs | deebot_t10_firmware | * |
| ecovacs | deebot_x1_plus_firmware | * |
| ecovacs | deebot_t10_plus_firmware | * |
| ecovacs | deebot_x1_omni_firmware | * |
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_x1_firmware | - |
| ecovacs | airbot_andy_firmware | - |
| ecovacs | deebot_t8_firmware | - |
| ecovacs | deebot_n9_firmware | - |
| ecovacs | deebot_n8_firmware | - |
| ecovacs | deebot_n10_firmware | - |
| ecovacs | deebot_x2_firmware | - |
| ecovacs | airbot_z1_firmware | - |
| ecovacs | airbot_ava_firmware | - |
| ecovacs | deebot_t10_firmware | - |
| ecovacs | deebot_t9_firmware | - |
| ecovacs | deebot_t20_firmware | - |
| ecovacs | goat_g1_firmware | - |
| ecovacs | deebot_900_firmware | - |
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_t10_omni_firmware | * |
| ecovacs | deebot_t20_pro_plus_firmware | * |
| ecovacs | deebot_t10_turbo_firmware | * |
| ecovacs | deebot_t20_pro_firmware | * |
| ecovacs | deebot_t30_omni_firmware | * |
| ecovacs | deebot_x1_turbo_firmware | * |
| ecovacs | deebot_x1_pro_omni_firmware | * |
| ecovacs | deebot_t20_omni_firmware | * |
| ecovacs | deebot_x1s_pro_firmware | * |
| ecovacs | deebot_t10_firmware | * |
| ecovacs | deebot_t10_plus_firmware | * |
| ecovacs | deebot_x1_omni_firmware | * |
| ecovacs | deebot_t30s_firmware | * |
ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_t10_omni_firmware | * |
| ecovacs | deebot_t20_pro_plus_firmware | * |
| ecovacs | deebot_t10_turbo_firmware | * |
| ecovacs | deebot_t20_pro_firmware | * |
| ecovacs | deebot_t30_omni_firmware | * |
| ecovacs | deebot_x1_turbo_firmware | * |
| ecovacs | deebot_x1_pro_omni_firmware | * |
| ecovacs | deebot_t20_omni_firmware | * |
| ecovacs | deebot_x1s_pro_firmware | * |
| ecovacs | deebot_t10_firmware | * |
| ecovacs | deebot_t10_plus_firmware | * |
| ecovacs | deebot_x1_omni_firmware | * |
| ecovacs | deebot_t30s_firmware | * |
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 9119a7d8-5eab-497f-8521-727c672e3725 | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ecovacs | deebot_t10_omni_firmware | * |
| ecovacs | deebot_t20_pro_plus_firmware | * |
| ecovacs | deebot_t10_turbo_firmware | * |
| ecovacs | deebot_t20_pro_firmware | * |
| ecovacs | deebot_t30_omni_firmware | * |
| ecovacs | deebot_x1_turbo_firmware | * |
| ecovacs | deebot_x1_pro_omni_firmware | * |
| ecovacs | deebot_t20_omni_firmware | * |
| ecovacs | deebot_x1s_pro_firmware | * |
| ecovacs | deebot_t10_firmware | * |
| ecovacs | deebot_t10_plus_firmware | * |
| ecovacs | deebot_x1_omni_firmware | * |
| ecovacs | deebot_t30s_firmware | * |