There is little doubt that today’s consumers have a tendency to choose convenience over security. When a shiny new gadget designed to make our lives easier finds its way to the consumer market, buyers often jump at the opportunity to purchase it and put it into action. Unfortunately, every new internet-connected gadget opens users up to a host of possible security issues and privacy concerns.
As part of its ongoing research, the Checkmarx Security Research Team recently investigated several IoT devices, including the Ironpie M6 smart vacuum cleaner by Trifo. Since the device has a video camera, the team was interested in testing the security and privacy of the vacuum.
According to Trifo, the Ironpie is “An AI-powered robot vacuum that vacuums up dirt, dust, crumbs – even sand – like no one’s business” and it claims that its “mission is to clean and protect your home, so you can do more important things. I keep your home safe from dirt, dust, crumbs, sand and more; and also use my advanced vision system to keep intruders out. I am always alert and never sleep on the job.”
The Trifo can be connected to the internet via WiFi, and be controlled remotely for vacuuming, as well as for remote video stream viewing, since it incorporates a video camera. The security concerns of connecting video cameras to the internet should be obvious, and that was one of the motivators behind this research.
As a result of the research team’s investigation, several high- and medium-severity security vulnerabilities were discovered. A summary of the vulnerabilities can be seen in the table below. These vulnerabilities may put Ironpie’s users at risk and should be fixed as soon as possible. A video of our team exploiting the discovered vulnerabilities can be found here.
In this research, several vulnerabilities and bad coding practices were identified. Some of them were weak security implementations with no practical use, while others show a profound misunderstanding of the serious security stance expected of a self-proclaimed security product, as was the case with Trifo.
There are 3 areas of potential fault that are important to understand. Issues can be found in each component that makes the Ironpie ecosystem work:
- the vacuum itself,
- the Android mobile app,
- and its supporting backend servers.
Summary of the Issues Discovered
Trifo Home Android App Insecure Update
The Trifo Android app, called Trifo Home, is mostly secure in terms of common Android programming mistakes, except for one critical procedure: the update procedure. The update is performed in a non-standard way (i.e., not via the Google Play Store). Since the Trifo app uses a plain HTTP request when the application starts to query the update server for a new APK (Android package, .apk), an attacker can monitor the request and easily change it in transit, forcing the application to update itself to a malicious version controlled by the attacker.
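The following is an added example of the checks an app-side updater should enforce before installing a package fetched outside the Play Store; it is not Trifo's or Checkmarx's code. It assumes a hypothetical signed-in-transit manifest (version code, URL, SHA-256) fetched over TLS from a pinned host, here the placeholder `updates.example.com`, and the APK bytes are a constructed stand-in.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical pinned update host; a real app would hard-code its vendor's own.
PINNED_UPDATE_HOST = "updates.example.com"

@dataclass
class UpdateManifest:
    version_code: int  # monotonically increasing build number
    url: str           # where the APK is served from
    sha256: str        # hex digest of the exact APK bytes the vendor built

def validate_update(manifest: UpdateManifest, installed_version_code: int,
                    apk_bytes: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); every check must pass before the APK is installed.

    The manifest itself is assumed to have been fetched over TLS from
    PINNED_UPDATE_HOST, so an on-path attacker cannot rewrite it the way a
    plaintext HTTP update query can be rewritten."""
    parsed = urlparse(manifest.url)
    # 1. Never pull executable code over plaintext HTTP.
    if parsed.scheme != "https":
        return False, "update URL is not https"
    # 2. Only the vendor's own host may serve the package, not a redirect target.
    if parsed.hostname != PINNED_UPDATE_HOST:
        return False, "update host is not the pinned host"
    # 3. Refuse downgrades, which would reintroduce already-fixed bugs.
    if manifest.version_code <= installed_version_code:
        return False, "manifest does not advance the version code"
    # 4. The downloaded bytes must match the digest the vendor published.
    if hashlib.sha256(apk_bytes).hexdigest() != manifest.sha256.lower():
        return False, "APK hash does not match manifest"
    return True, "ok"

# Constructed sample data standing in for a real APK download.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for an APK payload"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_APK).hexdigest()
GOOD_MANIFEST = UpdateManifest(42, f"https://{PINNED_UPDATE_HOST}/app.apk", SAMPLE_SHA256)
HTTP_MANIFEST = UpdateManifest(42, f"http://{PINNED_UPDATE_HOST}/app.apk", SAMPLE_SHA256)

if __name__ == "__main__":
    print(validate_update(GOOD_MANIFEST, 41, SAMPLE_APK))  # (True, 'ok')
    print(validate_update(HTTP_MANIFEST, 41, SAMPLE_APK))  # (False, 'update URL is not https')
    print(validate_update(GOOD_MANIFEST, 41, SAMPLE_APK + b"x"))
```

Signing the manifest with a key pinned in the app is the stronger option; this block relies on the TLS channel alone for the manifest's integrity.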
MQTT Remote Access
MQTT is a machine-to-machine (M2M), IoT connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. In the case of Trifo, the supporting MQTT servers are a bridge between the Trifo vacuum, the backend servers, and the Trifo Home app. The servers are used to provide and receive events from the vacuums deployed, which are then passed along to the graphical user interface (GUI) of the appropriate Trifo Home app.
Lacking a proper authentication mechanism, the MQTT servers allow an attacker to connect while impersonating any client ID, and client IDs are easily predictable.
MQTT Insecure Encryption
While the Android app uses MQTT over SSL, the Ironpie vacuum connects to the MQTT servers via an unencrypted connection, exchanges some packets, and only after that is the MQTT payload encrypted. This lets an attacker calculate any client ID. With this knowledge, it is possible for:
- A remote attacker to monitor traffic coming into the Ironpie, since they can subscribe to and receive the traffic for any MAC address, which is easily guessable. This includes the dev_key, which can be used to decrypt all traffic.
- A local attacker to also impersonate the MQTT server, thereby taking full control of the vacuum.
RTMP Video Feed Access
It is possible for a remote attacker to access information via MQTT, such as the SSID of the network the vacuum is connected to, the internal IP address of the vacuum, its MAC address, and other details. With this information, an attacker can derive a key that grants access to the video feed of all connected, working Ironpie vacuums, regardless of where they are located.
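The three MQTT and RTMP findings above share one root cause: identity and stream access are derived from values a remote party can learn or guess (client ID, MAC, SSID, IP). As an added example, not code from Trifo or Checkmarx, the broker-side model below binds identity to a random per-device credential, ignores the client-supplied client ID, confines each device to its own topic subtree, and hands out video access as a fresh random token. The `devices/<id>/...` topic layout and the registry are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed device registry: device_id -> salted hash of a per-device secret.
# The secret is random at provisioning time, never derived from the MAC address
# or any other value a remote party could learn over MQTT or guess.
_REGISTRY: Dict[str, bytes] = {}

def _hash_secret(device_id: str, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), device_id.encode(), 50_000)

def provision(device_id: str) -> str:
    """Enroll a device and return the random secret it must store."""
    secret = secrets.token_urlsafe(32)
    _REGISTRY[device_id] = _hash_secret(device_id, secret)
    return secret

def authenticate(client_id: str, username: str, password: str) -> Optional[str]:
    """Return the authenticated identity, or None on failure.

    The client-supplied client_id is deliberately ignored: identity comes only
    from the credential, so knowing another vacuum's ID or MAC buys nothing."""
    stored = _REGISTRY.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_secret(username, password)):
        return None
    return username

def authorize(identity: str, action: str, topic: str) -> bool:
    """A device may publish or subscribe only under devices/<its own id>/...;
    wildcard segments that would cross into other devices' topics fail the
    exact-match test on the second segment."""
    parts = topic.split("/")
    if len(parts) < 3 or parts[0] != "devices" or parts[1] != identity:
        return False
    return action in ("publish", "subscribe")

def issue_stream_token(identity: str) -> str:
    """Video access is granted by a fresh random token bound to the
    authenticated device, not a key derived from SSID, IP or MAC."""
    return f"{identity}.{secrets.token_urlsafe(24)}"

if __name__ == "__main__":
    pw_a = provision("vac-a")
    provision("vac-b")
    who = authenticate("vac-b", "vac-a", pw_a)  # claims vac-b's client ID
    print(who, authorize(who, "subscribe", "devices/vac-b/#"))  # vac-a False
```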
Summary of Disclosure and Events
When the vulnerabilities were first discovered, our research team ensured that they could reproduce the process of exploiting them. Once that was confirmed, the Checkmarx research team responsibly notified Trifo of their findings. Despite multiple attempts by the Checkmarx Security Research Team to open a line of communication with Trifo about the discovered vulnerabilities, Trifo has not responded to any of our efforts. The research team initially contacted Trifo on 16-Dec-2019 and openly shared the full report of their findings with them.
As far as the Checkmarx Research Team knows, the vulnerabilities still exist in the Trifo Ironpie ecosystem. As a result, the team is not releasing any additional technical information about the vulnerabilities at this time, to ensure Checkmarx is not putting Trifo Ironpie users at unnecessary risk. If and when Trifo patches the vulnerabilities, Checkmarx will publish a more detailed technical report outlining how we were able to exploit these issues, as we believe there is great learning value in it to help pave the way for safer device development.
Final Words
This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer IoT devices, while raising security awareness among the consumers who purchase and use them. Protecting the privacy of consumers and organizations must be a priority for all of us in today’s increasingly connected world.