ECOVACS Products Missing TLS Certificate Validation Vulnerability

Vulnerability

A vulnerability exists in certain ECOVACS lawn mowers and vacuum models because the devices do not properly validate TLS certificates. This flaw allows an unauthenticated attacker with a network position between the device and its servers to intercept and potentially alter TLS traffic, including firmware updates. Affected products include the X1, X5, and T10 series, among others. The issue has been addressed in version 3.0.0 of the ECOVACS HOME app and in various firmware updates, depending on the specific device model.
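The following is an added illustration of the flaw class this advisory describes, not ECOVACS code and not derived from the affected firmware: a Python TLS client context that accepts any certificate, beside one that enforces chain and hostname validation, with a small audit helper a defender can use to confirm a client refuses to fetch an update over an unvalidated connection. The update URL is a constructed placeholder.

```python
"""Added example: a TLS client that skips certificate validation (the flaw
class in this advisory) beside one that enforces it. Not ECOVACS code; the
update URL below is a constructed placeholder, not a real endpoint."""
from __future__ import annotations

import ssl
import urllib.request

# Constructed placeholder; no real ECOVACS endpoint is implied.
UPDATE_URL = "https://firmware.example.invalid/device/update.bin"


def insecure_context() -> ssl.SSLContext:
    """The flawed pattern: any certificate is accepted, so anyone on the
    network path can present their own certificate and read or alter the
    stream, including a firmware image."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: str | None = None) -> ssl.SSLContext:
    """Validate the chain against a trusted CA set and check the hostname.
    A device would typically ship a small, fixed CA set in firmware and pass
    its path here; None falls back to the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the validation weaknesses present in a context; an empty list
    means the peer certificate and hostname are both enforced."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only when audit_context() reports nothing."""
    return not audit_context(ctx)


def fetch_update(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Refuse to download firmware over a connection that cannot detect an
    impersonating server. The network call is reached only with a sound
    context, so the insecure case fails closed before any bytes are sent."""
    if not context_validates_peer(ctx):
        raise ValueError("refusing update download: " + "; ".join(audit_context(ctx)))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, "->", audit_context(ctx) or "ok")
```

The audit is deliberately a property check on the client configuration rather than a live connection, so it can run in a build or firmware test pipeline with no network; a device update path that cannot pass it should not be allowed to ship.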

Impact

Exploitation of this vulnerability could lead to unauthorized interception and modification of TLS-encrypted communications, including the potential alteration of firmware updates.

Remediation

Users can update to the latest version of the ECOVACS HOME app through the App Store or Google Play Store. For firmware updates, devices that support automatic updates will receive system update notifications. The latest firmware versions can also be manually installed for certain models.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 6.7
exploitability: 7.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.