CNET también está disponible en español.

Ir a español

Don't show this again

Coronavirus stimulus check Half-Life: Alyx VR gear Coronavirus updates Best soundbars iPad Pro review Zoom tips

Hackers can peep through this smart vacuum's camera, research shows

Disconnect the security camera on the Trifo Ironpie if you want to be safe.

Listen
- 03:20
trifo-ironpie-m6

The Trifo Ironpie has a built-in camera. Security researchers revealed Wedneday that vulnerabilities in the device could let hackers access the video stream remotely, among other things.

Trifo

The Trifo Ironpie robot vacuum is designed to do double duty. The fans on the swiveling disc hoover your house, while the camera mounted on it acts as an ankle-high security device. The idea is to stay tidy while staying safe.

There's just one problem, according to cybersecurity firm Checkmarx. The internet-connected Ironpie has multiple security vulnerabilities

The flaws, which Checkmarx detailed as tens of thousands of cybersecurity experts gathered in San Francisco for the annual RSA Conference, vary in severity. One of the worst would allow remote attackers to access users' video streams by accessing Trifo's servers. Another would let hackers send a fake software update to the vacuum's app, tricking users into downloading malicious software.

If hackers got close enough to get on a user's Wi-Fi network, they could send control instructions to the device. The Ironpie data traveling along the network is also unencrypted, which means the software is missing a fundamental security protection. Finally, hackers could access the map Ironpie makes of an owner's house, which would provide information about how big it is or how many rooms it has.

In an email, a Trifo spokesperson said the company takes the privacy and security of user data seriously.

"We appreciate CNET and Checkmarx bringing this to our attention," the spokesperson said. "We are taking a close look at it and will apply security patches if needed."

Because the flaws aren't fixed, Checkmarx is holding back technical details that could let attackers exploit the vulnerabilities.

The problems in Ironpie highlight a broader issue in the world of connected devices, which is often called the internet of things. People are bringing more and more devices with cameras and mics into their homes without understanding whether the software that powers them is secure. That's led to connected devices, including children's toys, being taken over. More than two dozen talks and presentations prepared for RSA focus on securing the internet of things.

"Every new connected device can open users to a host of security issues," said Erez Yalon, who contributed to Checkmarx's research. 

Exposed video streams are a major problem with internet-connected devices. They're easy to find in search engines that index internet-connected devices. Even streams that are seemingly protected by passwords are often unsafe because default passwords, such as "admin," are easy to guess. Hackers can also access video streams when consumers reuse passwords that were exposed in old data breaches. That's what happened to Ring users in December.

In a demonstration video, Checkmarx shows its researchers accessing the video streams. From their office in Israel, the researchers accessed the video stream of an Ironpie owned by a co-worker in Portugal.

Trifo, which was previously called PerceptIn and is based in California, competes in a market currently dominated by iRobot's Roomba. The company, which recently raised $15 million in funding, unveiled a new model, called Lucy, at the CES trade show in January.

Yalon said Ironpie users can secure their vacuums by disconnecting them from Wi-Fi. That means the app won't work anymore, so customers can also opt to cover the camera, he said.

Yalon said manufacturers rush to get a product to market without understanding the importance of security. That's why so many products with vulnerabilities reach stores. More pressure from consumers would help, he said.

"We have short memories," Yalon said, "and we don't punish those who don't care about security."

Originally published Feb. 26.
Update, Feb. 28: Adds comment from Trifo.