On the 2nd, the Korea Internet & Security Agency (KISA) and the Korea Consumer Agency (KCA) reported that a review of six robot vacuum models currently on sale revealed serious security vulnerabilities, including some Chinese-made products in which photos of the home interior were leaked externally or cameras were remotely activated. Malicious file transmission is also possible, so consumers should exercise caution.
A robot vacuum is an Internet of Things (IoT) device that uses cameras and sensors and connects to external servers. Usage is increasing because of the convenience and efficiency these devices offer, but if their security is weak, personal information can be leaked externally.
The products reviewed this time were from six brands: Narwal, Dreame, Roborock, Samsung Electronics, Ecovacs, and LG Electronics. KISA and the KCA inspected a total of 40 items, covering mobile app security, security update policies, personal information management, and the hardware, network, and firmware.
The mobile app security inspection identified vulnerabilities in the Narwal, Dreame, and Ecovacs products. These products had inadequate authentication procedures, allowing for potential unauthorized access or manipulation; in fact, photos of the home interior could be exposed or camera functions could be forcibly activated. The Ecovacs products also showed the potential for malicious file transmission.
In the policy management inspection, the personal information management of the Dreame products was insufficient, raising the possibility of name and contact information being exposed, while the device security check rated the security levels of the Dreame and Ecovacs products as low.
In contrast, no specific vulnerabilities were found in the Roborock products, and the products from Samsung Electronics and LG Electronics received high overall evaluations for their access management, functions to prevent unauthorized manipulation, secure password policies, and update policies.
KISA and the Korea Consumer Agency (KCA) recommended security enhancements to all businesses, and the companies responded with improvement plans. The two agencies plan to continue security inspections of IoT products and collaborate with the Ministry of Science and ICT for policy and technical support.