There is little doubt that today’s consumers have a tendency to choose convenience over security. When a shiny new gadget designed to make our lives easier finds its way to the consumer market, buyers often jump at the opportunity to purchase it and put it into action. Unfortunately, every new internet-connected gadget opens users up to a host of possible security issues and privacy concerns.
As part of the ongoing research performed by the Checkmarx Security Research Team, recently, they were investigating several IoT devices, including the Ironpie M6 smart vacuum cleaner by Trifo. Since the device has a video camera, the team was interested in testing the security and privacy of the vacuum.
According to Trifo, the Ironpie is “An AI-powered robot vacuum that vacuums up dirt, dust, crumbs – even sand – like no one’s business” and it claims that its “mission is to clean and protect your home, so you can do more important things. I keep your home safe from dirt, dust, crumbs, sand and more; and also use my advanced vision system to keep intruders out. I am always alert and never sleep on the job.”
The Trifo can be connected to the internet via WiFi, and be controlled remotely for vacuuming, as well as for remote video stream viewing, since it incorporates a video camera. The security concerns of connecting video cameras to the internet should be obvious, and that was one of the motivators behind this research.
As a result of research team’s investigation, several high- and medium-severity security vulnerabilities were discovered. A summary of the vulnerabilities can be seen in table below. These vulnerabilities may put Ironpie’s users at risk and should be fixed as soon as possible. A video of our team exploiting the discovered vulnerabilities can be found here.
In this research, several vulnerabilities and bad coding practices were identified. Some of them were weak security implementations with no practical use cases, while others show profound misguidance regarding a serious security stance on a self-proclaimed security product, as was the case with Trifo.
There are 3 areas of potential fault that are important to understand. Issues can be found in each component that makes the Ironpie ecosystem work:
- the vacuum itself,
- the Android mobile app,
- and its supporting backend servers.
Trifo Home Android App Insecure Update
The Trifo Android app, called Trifo Home, is mostly secure in terms of common Android programming mistakes, except for a critical procedure: the update procedure. The update is made in a non-standard way, (e.g., not via the Google Play Store.)
Since the Trifo app uses an HTTP request when the application starts to query the update server for a new APK (android package, .apk), an attacker can monitor and easily change the request in transit and force the application to update itself to a malicious version – controlled by an attacker.
MQTT Remote Access
MQTT is a machine-to-machine (M2M), IoT connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. In the case of Trifo, the supporting MQTT servers are a bridge between the Trifo vacuum, the backend servers, and the Trifo Home app. The servers are used to provide and receive events from the vacuums deployed, which are then passed along to the graphical user interface (GUI) of the appropriate Trifo Home app.
Lacking a proper authentication mechanism, an attacker can connect to the MQTT servers impersonating any client ID, which are easily predictable.
MQTT Insecure Encryption
While the Android app uses MQTT over SSL, the Ironpie vacuum connects to the MQTT servers via an unencrypted connection, exchanges some packets, and after that the MQTT payload is encrypted. This basically lets an attacker to calculate any client ID. With this knowledge, it is possible for:
- A remote attacker to monitor traffic coming into the Ironpie since he can subscribe and get traffic to any MAC address, which is easily guessable. This includes the dev_key which can be used to decrypt all traffic.
- A local attacker can also impersonate the MQTT server, hence taking full control of the vacuum.
RTMP Video Feed Access
It is possible for a remote attacker to access information via MQTT, such as the SSID of the network the vacuum is connected to, obtain the internal vacuum IP address, its MAC address, and other info. With this information, an attacker can derive a key that allows them to gain access to the video feed of all connected, working, Ironpie vacuums, regardless of where they are located.
When the vulnerabilities were first discovered, our research team ensured that they could reproduce the process of exploiting them. Once that was confirmed, the Checkmarx research team responsibly notified Trifo of their findings. After multiple attempts by the Checkmarx Security Research Team to open up a line of communication with Trifo pertaining to the discovered vulnerabilities, Trifo has not responded to any of our efforts. The research team initially contacted Trifo on 16-Dec-2019 and openly shared the full report of their findings with them.
As far as the Checkmarx Research Team knows, the vulnerabilities still exist in the Trifo Ironpie ecosystem. As a result, the team is not releasing any additional technical information about the vulnerabilities at this time – to ensure Checkmarx is not putting Trifo Ironpie users at unnecessary risk. If and when Trifo patches the vulnerabilities, Checkmarx will publish a more robust technical report outlining how we were able to exploit these issues, as we believe there is great learning value within to help pave the way for safer device development.
This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting the privacy of consumers and organizations must be a priority for all of us in today’s increasingly connected world.
Read more research from the Checkmarx Security Research Team here.