ECOVACS DEEBOT Vacuum and Base Station Hard-Coded AES Encryption Vulnerability

Vulnerability

A vulnerability exists in ECOVACS DEEBOT robot vacuums and base stations because Wi-Fi communications between them are protected with a hard-coded AES encryption key. The key can be derived from the device's serial number, so anyone who learns the serial number can recover it. With the key, an attacker can intercept the traffic and may be able to push malicious updates to the devices. The issue affects several models in the DEEBOT X1 and T series on specific firmware versions.

Impact

Exploitation of this vulnerability could allow an attacker to intercept communications between the robot and its base station, potentially leading to unauthorized control of the device or execution of malicious code.

Remediation

ECOVACS has released software updates for all affected devices. Users should install the system update to address this vulnerability. For more information, see the ECOVACS security advisory.

Added: Sep 5, 2025, 8:25 PM
Updated: Sep 5, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.9
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.