← All stories
● Covered by 1 source Β· 1 reportHigh impact

Unpatched Shark Vacuum Flaw Allows Control of Nearby Devices

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

A researcher disclosed a vulnerability in Shark robot vacuums that can let attackers control devices across an AWS region. The flaw, which has been known to SharkNinja since March, involves unprotected device certificates, allowing unauthorized command execution.

Key points

Vulnerability Overview

The flaw in Shark RV2320EDUS robot vacuums enables attackers to execute root commands on other Shark vacuums within the same AWS region. A researcher, known as tokay0, demonstrated the vulnerability by extracting the device's certificate and using it to control other devices, including retrieving sensitive data such as Wi-Fi passwords.

Technical Details

The vulnerability arises from a poorly scoped policy attached to the certificate, which lets attackers publish commands to devices without proper authentication. By utilizing a command 'Exec_Command' in the device's shadow document, attackers can execute arbitrary commands on compromised devices. This was evidenced when the researcher achieved a reverse shell on a different vacuum model and accessed its live camera feed.

Company Response and Implications

SharkNinja has known about the flaw since March but has yet to release a patch. The persistence of this vulnerability poses a significant security risk, showing that AWS’s IoT audit checks are not preventing the exploitation of overly permissive device policies.

Broader Industry Impact

This incident underscores the importance of secure device management in consumer products, especially those connected to home networks. It raises alerts about the possible consequences of insufficient security measures in IoT devices, which could deter consumer trust and provoke regulatory scrutiny.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

A researcher disclosed a vulnerability in Shark robot vacuums that can let attackers control devices across an AWS region. The flaw, which has been known to SharkNinja since March, involves unprotected device certificates, allowing unauthorized command execution.