Vacuums in the Cloud: Analyzing Security in a Hardened IoT Ecosystem


Fabian Ullrich, Jiska Classen, Johannes Eger, and Matthias Hollick, Secure Mobile Networking Lab, TU Darmstadt, Germany


With the advent of robot vacuum cleaners, mobile sensing platforms entered millions of homes. These gadgets not only put "eyes and ears" into formerly private spaces, but also communicate gathered information into the cloud. Furthermore, they reside inside the customer's local network. Hence, they are a prime target for attacks and, if compromised, become a privacy and security nightmare. Vendors are aware of robots being a target of interest; they employ various security mechanisms against tampering with devices and recorded data in the cloud.

In this paper, the Neato BotVac Connected and Vorwerk Kobold VR300 ecosystems are analyzed and the robot firmware is reverse engineered. To achieve the latter, a technique to bypass the devices' secure boot process is presented, revealing the firmware, which is then dissected to evaluate device-specific secret key generation and to trace vulnerabilities. We present flaws in the secret key generation and provide insight into the occurrence and exploitation of a buffer overflow, which give an attacker complete control not only in the local network but also via the robots' cloud interface. Finally, multiple attacks based on the findings are described and security implications are discussed. We shared our findings with the vendors, who further strengthened their otherwise commendable security mechanisms, and we hope more vendors can take away valuable lessons from this highly complex Internet of Things (IoT) ecosystem.

