The world of home automation is once again rocked by a security scandal. After the cases of DJI and Ecovacs, it is the turn of the brand Shark to find themselves in the spotlight. A cybersecurity researcher, known under the pseudonym tokay0, has uncovered a massive vulnerability that potentially affects more than 670,000 devices. The problem lies not in complex malicious code, but in a simple configuration error with disastrous consequences.
How can a simple key open all doors?
The real origin of the problem does not lie in the robot vacuum cleaners themselves, but in the management of their authentication on the cloud. The researcher discovered that the digital certificate, supposed to be unique to each device, was actually configured with excessively broad rights. This certificate acts as a real all-purpose for all devices in the same AWS cloud region, a configuration error deemed ” critique » by Amazon auditing services.
To prove it, he simply disassembled his own device, accessed a debug console left without password by the manufacturer, and extracted the authentication key. Once in his possession, he was able to subscribe to the data feeds of any other vacuum cleaner and even send them remote commands, a major oversight on the part of SharkNinja.
What data are actually at risk?
The risks to privacy are immense. By exploiting this security breachan attacker can access personal data extremely sensitive. It is possible to view the video feed from the on-board camera live, transforming the device into a spy tool in the heart of the home. There complete cartography and detailed housing information is also recoverable.
Worse still, the home Wi-Fi network ID and password are often stored in plain text and become accessible. This opens a gaping hole in the cybersecurity of the home, potentially allowing other devices connected to the same network to be compromised. The researcher confirmed the extent of the problem by identifying more than 673,000 devices responding to its tests in just 24 hours in a single region.
Why is the manufacturer remaining silent?
The most worrying aspect of this affair is undoubtedly the reaction, or rather lack of reactionfrom the manufacturer. The company was informed of the vulnerability as early as March. After an acknowledgment of receipt, communication was broken, and more than four months later, no fix has not been published. No official CVE ID has been assigned, making the flaw invisible to many security tools.
This inaction raises serious questions, particularly with regard to European regulations such as the GDPR, which impose active protection of private information. While waiting for a hypothetical update, the only effective solution for users is to disconnect their vacuum cleaner from Wi-Fiwhich deprives it of most of its smart features. The correction is however simple and is located entirely server siderequiring no user intervention.
