A significant security vulnerability has been identified in Shark’s RV2320EDUS robot vacuum cleaners, potentially allowing unauthorized remote control over other Shark vacuums within the same AWS region. This flaw enables attackers to access live camera feeds, manipulate device movements, retrieve home mapping data, and extract Wi-Fi credentials in plaintext.
The issue arises from an improperly scoped certificate policy. By extracting the certificate from a Shark RV2320EDUS device, an attacker can authenticate with Shark’s cloud broker and issue commands to any device within the same AWS region. This is facilitated by the device shadow feature in AWS IoT, which maintains the state of each device. The vulnerability allows the execution of arbitrary commands through the ‘Exec_Command’ field in the device shadow, processed by the ‘appd’ management daemon.
Exploiting this flaw involves physical access to the vacuum to retrieve the certificate. The device’s mainboard exposes UART pins, and the U-Boot console does not require a password, allowing access to the root shell where the certificate resides. Once obtained, the certificate can be used to subscribe to all device topics within the AWS region, enabling the attacker to monitor traffic and issue commands to other devices.
Notably, the vulnerability is limited by AWS region; a certificate from one region cannot control devices in another. However, if similar certificate policies exist across regions, the risk extends globally. AWS provides an audit check, ‘IOT_POLICY_OVERLY_PERMISSIVE_CHECK,’ to identify such overly permissive policies, rating them as critical due to the potential for unauthorized access and control.
While newer Shark models, such as the AV1102ARUS, have correctly scoped certificates preventing wildcard subscriptions, they remain susceptible to command execution if targeted by an attacker using a compromised certificate from a vulnerable device. This indicates that the provisioning fix for certificate policies may not have been applied retroactively to older devices.
In a 24-hour observation period within a single AWS region, 1,517,605 unique Shark serial numbers were detected, with 673,816 (approximately 44%) responding to ‘Exec_Response’ commands, confirming their vulnerability to this exploit.
SharkNinja, the manufacturer, was informed of this issue in March but has yet to release a patch. Users are advised to monitor for firmware updates and consider restricting internet access to their devices until a fix is available.
This vulnerability underscores the critical importance of secure certificate management and proper scoping in IoT devices. Manufacturers must ensure that device certificates are appropriately restricted to prevent unauthorized access and control. Users should remain vigilant, apply security updates promptly, and consider network segmentation to protect IoT devices from potential exploits.