Ecovacs Deebot T10 Wi-Fi Credential Transmission Vulnerability
Vulnerability
A vulnerability exists in the Ecovacs Deebot T10 robotic vacuum cleaner running version 1.7.2. During the pairing process, the Ecovacs iOS app version 3.0 transmits Wi-Fi credentials in cleartext. The vacuum creates an open Wi-Fi network, and the app sends the user's home Wi-Fi password to the device over unencrypted HTTP in a POST request to the endpoint '/rcp.do'. Because the pairing network is open and the transport is plaintext, anyone within radio range who is passively monitoring that network can capture the request and read the credentials.
Impact
Exploitation of this vulnerability allows for information disclosure, specifically the user's Wi-Fi credentials.
Reproduction
To reproduce this vulnerability, connect the Ecovacs Deebot T10 to the Ecovacs iOS app. During the pairing process, the vacuum will create an open Wi-Fi network. Once connected, the app will send the user's Wi-Fi password to the vacuum over cleartext HTTP via the '/rcp.do' endpoint.
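As an added auditing aid, not Ecovacs code and not part of the original advisory, the following script inspects a captured pairing request and reports whether Wi-Fi credentials are being submitted in plaintext to /rcp.do, which is the check a user or tester would run to confirm the fix once the app update is installed. The body field names (ssid, password, psk), the host address and the sample request are constructed assumptions; the advisory does not give the real parameter names.

```python
import json
from urllib.parse import parse_qs

PAIRING_ENDPOINT = "/rcp.do"                     # endpoint named in the advisory
CREDENTIAL_KEYS = ("pass", "psk", "pwd", "key")  # substrings that suggest a secret

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body (parseable = plaintext)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path.split("?")[0], "headers": headers, "body": body}

def extract_fields(req: dict) -> dict:
    """Decode a form-urlencoded or JSON body into a flat name -> value dict."""
    body = req["body"].decode("utf-8", errors="replace")
    if "json" in req["headers"].get("content-type", ""):
        return {k: str(v) for k, v in (json.loads(body) if body else {}).items()}
    return {k: v[0] for k, v in parse_qs(body).items()}

def audit_pairing_request(raw: bytes) -> dict:
    """Flag a plaintext POST to the pairing endpoint carrying a secret-looking field (heuristic names)."""
    req = parse_http_request(raw)
    fields = extract_fields(req) if req["method"] == "POST" else {}
    leaked = [k for k in fields if any(s in k.lower() for s in CREDENTIAL_KEYS)]
    to_pairing = req["path"] == PAIRING_ENDPOINT
    return {
        "path": req["path"],
        "pairing_endpoint": to_pairing,
        "credential_fields": leaked,
        "cleartext_credentials": to_pairing and bool(leaked),
    }

# Constructed sample capture; the host, field names and values are made up.
SAMPLE_REQUEST = (
    b"POST /rcp.do HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"ssid=HomeNet&password=example-secret"
)

if __name__ == "__main__":
    print(audit_pairing_request(SAMPLE_REQUEST))
```

A request that fails to parse here (because the app now speaks TLS) is the expected outcome after the fix; only a successfully parsed POST with a credential field is a finding.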
Remediation
Ecovacs has stated that the vulnerability has been addressed through a server-side update in March 2025, and the iOS app will be updated in May 2025.