Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem

Authors: 

Fabian Ullrich, Jiska Classen, Johannes Eger, and Matthias Hollick, Secure Mobile Networking Lab, TU Darmstadt, Germany

Abstract: 

With the advent of robot vacuum cleaners, mobile sensing platforms have entered millions of homes. These gadgets not only put "eyes and ears" into formerly private spaces, but also communicate the gathered information to the cloud. Furthermore, they reside inside the customer's local network. Hence, they are a prime target for attacks and, if compromised, become a privacy and security nightmare. Vendors are aware of robots being a target of interest; they employ various security mechanisms against tampering with devices and with recorded data in the cloud.

In this paper, the Neato BotVac Connected and Vorwerk Kobold VR300 ecosystems are analyzed and the robot firmware is reverse engineered. To achieve the latter, a technique to bypass the devices' secure boot process is presented, revealing the firmware, which is then dissected to evaluate device-specific secret key generation and to trace vulnerabilities. We present flaws in the secret key generation and provide insight into the occurrence and exploitation of a buffer overflow, which give an attacker complete control not only in the local network but also via the robots' cloud interface. Finally, multiple attacks based on the findings are described and security implications are discussed. We shared our findings with the vendors, who further increased their otherwise commendable security mechanisms, and hope more vendors can take away valuable lessons from this highly complex Internet of Things (IoT) ecosystem.

BibTeX
@inproceedings {238606,
author = {Fabian Ullrich and Jiska Classen and Johannes Eger and Matthias Hollick},
title = {Vacuums in the Cloud: Analyzing Security in a Hardened {IoT} Ecosystem},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/woot19/presentation/ullrich},
publisher = {USENIX Association},
month = aug
}