The old saying, “A chain is only as strong as its weakest link”, directly applies to enterprise cybersecurity. Businesses these days often rely on dozens or even hundreds of suppliers and contractors, who, in turn, use the services and products of yet more contractors and suppliers. And when these chains involve not raw materials but complex IT products, ensuring their security becomes significantly more challenging. This fact is exploited by attackers, who compromise a link in the chain to reach its end — their main target. Accordingly, it’s essential for business leaders and the heads of IT and information security to understand the risks of supply-chain attacks in order to manage them effectively.

What is a supply-chain attack?

A supply-chain attack involves a malicious actor infiltrating an organization’s systems by compromising a trusted third-party software vendor or service provider. Types of this attack include the following:

• Compromising well-known software developed by a supplier and used by the target organization (or multiple organizations). The software is modified to perform malicious tasks for the attacker. Once the next update is installed, the software will contain undeclared functionality that allows the organization to be compromised. Well-known examples of such attacks include the compromise of the SolarWinds Orion and 3CX Last year, the to-date largest attempt at such an attack was discovered — XZ Utils. Fortunately, it was unsuccessful.
• Attackers find corporate accounts used by a service provider to work within the target organization’s systems. The attackers use these accounts to infiltrate the organization and carry out an attack. For example, the American retail giant Target was hacked through an account issued to an HVAC provider.
• Attackers compromise a cloud provider or exploit the features of a cloud provider’s infrastructure to access the targeted organization’s data. The most high-profile case last year involved the compromise of more than 150 clients of the Snowflake cloud service, leading to the data leak of hundreds of millions of users of Ticketmaster, Santander Bank, AT&T, and others. Another large-scale, big-impact attack was the hack of the authentication service provider Okta.
• Attackers exploit permissions delegated to a contractor in cloud systems, such as Office 365, to gain control over the target organization’s documents and correspondence.
• Attackers compromise specialized devices belonging to or administered by a contractor, but connected to the target organization’s network. Examples include smart-office air-conditioning systems, and video surveillance systems. For example, building automation systems became a foothold for a cyberattack on telecom providers in Pakistan.
• Attackers modify IT equipment purchased by the target organization, either by infecting pre-installed software or embedding hidden functionality into the devices’ firmware. Despite their complexity, such attacks have actually occurred in practice. Proven cases include Android device infections, and widely discussed server infections at the chip level.

All variations of this technique in the MITRE ATT&CK framework come under the name “Trusted Relationship” (T1199).

Benefits of supply-chain attacks for criminals

Supply-chain attacks offer several advantages for attackers. Firstly, compromising a supplier creates a uniquely stealthy and effective access channel — as demonstrated by the attack on SolarWinds Orion software, widely used in major U.S. corporations, and the compromise of Microsoft cloud systems, which led to email leaks from several U.S. government departments. For this reason, this type of attack is especially favored by criminals hunting for information. Secondly, the successful compromise of a single popular application or service instantly provides access to dozens, hundreds, or even thousands of organizations. Thus, this kind of attack also appeals to those motivated by financial gain, such as ransomware groups. One of the most high-profile breaches of this type was the attack on IT supplier Kaseya by the REvil group.

A tactical advantage (to criminals) of attacks exploiting trusted relationships lies in the practical consequences of this trust: the applications and IP addresses of the compromised supplier are more likely to be on allowlists, actions performed using accounts issued to the supplier are less frequently flagged as suspicious by monitoring centers, and so on.

Damage from supply-chain attacks

Contractors are usually compromised in targeted attacks carried out by highly motivated and skilled attackers. Such attackers are typically aiming to obtain either a large ransom or valuable information — and in either case, the victim will inevitably face long-term negative consequences.

These include the direct costs of investigating the incident and mitigating its impact, fines and expenses related to working with regulators, reputational damage, and potential compensation to clients. Operational disruptions caused by such attacks can also result in significant productivity losses, and threaten business continuity.

There are also cases that don’t technically qualify as supply-chain attacks — attacks on key technology providers within a specific industry — that nevertheless disrupt the supply chain. There were several examples of this in 2024 alone, the most striking being the cyberattack on Change Healthcare, a major company responsible for processing financial and insurance documents in the U.S. healthcare industry. Clients of Change Healthcare were not hacked, but while the compromised company spent a month restoring its systems, medical services in the U.S. were partially paralyzed, and it was recently revealed that confidential medical records of 100 million patients were exposed as a result of this attack. In this case, mass client dissatisfaction became a factor pressuring the company to pay the ransom.

Returning to the previously mentioned examples: Ticketmaster, which suffered a major data breach, faces several multi-billion-dollar lawsuits; criminals demanded $70 million to decrypt the data of victims of the Kaseya attack; and damage estimates from the SolarWinds attack range from $12 million per affected company to $100 billion in total.

Which teams and departments should be responsible for supply-chain-attack prevention?

While all the above may suggest that dealing with supply-chain attacks is entirely the responsibility of information security teams, in practice, minimizing these risks requires the coordinated efforts of multiple teams within the organization. Key departments that should be involved in this work include:

• Information security: responsible for implementing security measures and monitoring compliance with them, conducting vulnerability assessments, and responding to incidents.
• IT: ensures that the procedures and measures required by information security are followed when organizing contractors’ access to the organization’s infrastructure, uses monitoring tools to oversee compliance with these measures, and prevents the emergence of shadow or abandoned accounts and IT services.
• Procurement and vendor management: should work with information security and other departments to include trust and corporate information-security compliance criteria in supplier selection processes. Should also regularly check that supplier evaluations meet these criteria and ensure ongoing compliance with security standards throughout the contract period.
• Legal departments and risk management: ensure regulatory compliance and manage contractual obligations related to cybersecurity.
• Board of directors: should promote a security culture within the organization, and allocate resources for implementing the above measures.

Measures for minimizing the risk of supply-chain attacks

Organizations should take comprehensive measures to reduce the risks associated with supply-chain attacks:

• Thoroughly evaluate suppliers. It’s crucial to assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents, and compliance with industry security standards. For software products and cloud services, it’s also recommended to collect data on vulnerabilities and pentests, and sometimes it’s advised to conduct dynamic application security testing (DAST).
• Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization’s relevant security policies, and incident notification protocols.
• Adopt preventive technological measures. The risk of serious damage from supplier compromise is significantly reduced if your organization implements security practices such as the principle of least privilege, zero trust, and mature identity management.
• Organize monitoring. We recommend using XDR or MDR solutions for real-time infrastructure monitoring and detecting anomalies in software and network traffic.
• Develop an incident response plan. It’s important to create a response plan that includes supply-chain attacks. The plan should ensure that breaches are quickly identified and contained — for example by disconnecting the supplier from company systems.
• Collaborate with suppliers on security issues. It’s vital to work closely with suppliers to improve their security measures — such collaboration strengthens mutual trust and makes mutual protection a shared priority.

Deep technological integration throughout the supply chain affords companies unique competitive advantages, but simultaneously creates systemic risks. Understanding these risks is critically important for business leaders: attacks on trusted relationships and supply chains are a growing threat, entailing significant damage. Only by implementing preventive measures across the organization and approaching partnerships with suppliers and contractors strategically can companies reduce these risks and ensure the resilience of their business.

Kaspersky official blog – ​Read More

Google Chrome and WordPress users face high-severity security threats. CyberSecurity Malaysia advises immediate updates to prevent potential exploits and safeguard data.

Overview

CyberSecurity Malaysia has recently notified users of critical vulnerabilities in two widely used software platforms: Google Chrome and the WordPress File Upload plugin. If exploited, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause disruptions.

Security updates have been issued, and users are strongly advised to apply these updates immediately to protect their systems.

This article provides an in-depth look at these vulnerabilities, their potential impacts, affected products, and recommended mitigation actions.

Google Chrome Security Update

Google has released security updates to address multiple vulnerabilities in the Chrome browser. These vulnerabilities have been categorized as high-severity risks and require immediate attention from users and administrators.

If successfully exploited, these vulnerabilities could enable attackers to:

• Execute arbitrary code on the target system.
• Escalate their privileges to gain unauthorized access.
• Cause denial-of-service (DoS) attacks on affected ChromeOS devices.

These threats underscore the importance of keeping software updated to prevent exploitation.

One of the critical vulnerabilities addressed in this update is:

• CVE-2025-0291 (High): This is a Type Confusion vulnerability in the V8 JavaScript engine. Type Confusion occurs when the program allocates or uses a resource in an unintended way, which could allow attackers to manipulate the system and execute malicious code.

Recommendations

CyberSecurity Malaysia advises all users and administrators to:

1. Review the latest Google Chrome release notes.
2. Update Chrome to the latest version without delay.
3. Regularly check for updates to ensure their browser remains secure.

WordPress File Upload Plugin Vulnerability

WordPress has issued a critical security update to address a vulnerability in its File Upload plugin. This vulnerability, if exploited, could have severe consequences for WordPress websites, particularly those using outdated versions of the plugin.

The vulnerability could allow unauthenticated attackers to:

• Execute remote code on the server.
• Read arbitrary files, potentially exposing sensitive information.
• Delete files, causing data loss and service disruptions.

With a high severity score of 9.8 on the CVSS scale, this vulnerability is categorized as critical and poses a significant threat to websites using the affected plugin.

Affected Products

• WordPress File Upload Plugin: Versions 4.24.15 and below are affected.
• Vulnerability Details:
  • CVE Identifier: CVE-2024-11613
  • Vulnerability Type: Improper Control of Code Generation (Code Injection).
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Researcher: Abrahack
  • Date of Public Disclosure: January 7, 2025

The vulnerability lies in the improper sanitization of the source parameter within the file wfu_file_downloader.php, which allows attackers to define their own directory paths. This flaw enables remote code execution, arbitrary file reading, and file deletion.

Recommendations

To protect their websites, CyberSecurity Malaysia urges WordPress users and administrators to:

1. Update the WordPress File Upload Plugin: Install version 4.25.0 or any newer patched version.
2. Regularly Monitor Plugin Updates: Ensure plugins are always up to date to prevent vulnerabilities.
3. Review the Official Wordfence Security Updates: Follow detailed guidance provided by WordPress security teams.

Patched versions can be found on the WordPress.org plugin page.

Key Takeaways

1. Act Quickly: The vulnerabilities in Google Chrome and WordPress File Upload plugin can lead to severe consequences, including unauthorized access, data breaches, and service disruptions. Immediate action is necessary to mitigate risks.
2. Stay Updated: Regularly updating software, browsers, and plugins is one of the most effective ways to defend against cyber threats.
3. Follow Trusted Sources: Always rely on credible sources such as Google, WordPress, and CyberSecurity Malaysia for updates and advisories.
4. Educate Yourself and Your Team: Awareness of such vulnerabilities and their potential impacts can help individuals and organizations build a proactive security posture.

Conclusion

Both Google and WordPress have acted swiftly to address these vulnerabilities, and now it’s up to users to ensure their systems and websites are secure. CyberSecurity Malaysia’s advisories serve as a crucial reminder of the need for consistent software updates and security monitoring.

By taking timely action, users and administrators can safeguard their digital assets and minimize the risk of exploitation.

Stay updated, stay protected!

Source:

• https://www.mycert.org.my/portal/advisory?id=MA-1233.012025
• https://www.mycert.org.my/portal/advisory?id=MA-1231.012025
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-file-upload/wordpress-file-upload-42415-unauthenticated-remote-code-execution-arbitrary-file-read-and-arbitrary-file-deletion
• https://chromereleases.googleblog.com/

The post CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe? appeared first on Cyble.

Blog – Cyble – ​Read More

As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing. 

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“in one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.” 

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 

Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – included: 

• Improved configuration management 
• Securing the management plane 
• Better vulnerability management of networks 
• Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S Treasury Department breach and an Ivanti zero-day exploit. 

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report. 

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Ivanti, Barracuda and others are “being exploited for ransomware and data theft. 

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities becoming public,” Medhe said. 

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks: 

• Local copies of sensitive data stored on end user systems and laptops 
• Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
• Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
• Lack of network segmentation, allowing lateral movement 
• Inadequate protection of API keys, access tokens and passwords in public code repositories 
• Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
• Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
• Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
• Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
• Poor security hygiene at third parties with access to sensitive data 

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 

The post U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start (and indeed any) time of year. I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

• Global scale identity management 
• Insider threat 
• Availability of time critical systems 
• Building scalable secure systems 
• Attack attribution and situational understanding 
• Information provenance 
• Security with privacy 
• Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at from it a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. “People are your greatest asset, if you treat them that way.” 

I’m seeing a lot of “how to thrive in 2025!” posts right now. For anyone who isn’t ready for that, or tired of it all, I just want to say, I’m right there with you. But if you’re also feeling like it’s “new year, same problems”  perhaps there’s one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, of which Wendy is on the committee for. 

I’d thoroughly recommend checking out the full keynote, if only to see Wendy yielding a hammer in a moderately threatening manner.

The one big thing

Attacks in which malicious actors are deliberately installing known vulnerable drivers, only to exploit them later, is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

 Why do I care?  

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats – primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

So now what?  

There are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique. This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

Top security headlines of the week   

• CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
• FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading. 
• Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

Can’t get enough Talos?  

• Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

• The evolution and abuse of proxy networks – check out this piece of research by Nick Biasini and Vitor Ventura. 

Upcoming events where you can find Talos     

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

Most prevalent malware files of the week

SHA 256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256:
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector  
Detection Name: W32.File.MalParent  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal:  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
MD5: d86808f6e519b5ce79b83b99dfb9294d  

VirusTotal: https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
Typical Filename: n/a 
Claimed Product: n/a  
Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8  

Cisco Talos Blog – ​Read More

Imagine: you get up in the night for a glass of water, walk across the unlit landing, when out of the darkness a voice starts yelling at you. Not nice, you’d surely agree. But that’s the new reality for owners of vulnerable robot vacuums, which can be commanded by hackers to turn from domestic servants into foul-mouthed louts. And that’s not all: hackers can also control the robot remotely and access its live camera feed.

The danger is clear and present: recently, cases of cyberhooligans hijacking vulnerable robot vacuums to prank people (and worse) have been seen in the wild. Read on for the details…

How a robot vacuum works

Let’s start with the fact that a modern robot vacuum is a full-fledged computer on wheels, usually running on Linux. It comes with a powerful multi-core ARM processor, a solid chunk of RAM, a capacious flash drive, Wi-Fi, and Bluetooth.

Today’s robot vacuum is a full-fledged computer on wheels Source

And of course, the modern robot vacuum has sensors everywhere: infrared, lidar, motion, camera (often several of each), and some models also have microphones for voice control.

The Ecovacs DEEBOT X1 has not only a camera, but an array of microphones Source

And naturally, all modern robot vacuums are permanently online and hooked up to the vendor’s cloud infrastructure. In most cases, they communicate aplenty with this cloud — uploading piles upon piles of data collected during operation.

Vulnerabilities in Ecovacs robot vacuums and lawn mowers

The first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers surfaced in August 2024, when security researchers Dennis Giese (known for hacking a Xiaomi robot vacuum) and Braelynn Luedtke gave a talk at DEF CON 32 on reverse engineering and hacking Ecovacs robots.

The Ecovacs GOAT G1 can also be equipped with GPS, LTE and a long-range Bluetooth module Source

In their talk, Giese and Luedtke described several methods for hacking Ecovacs robot vacuums and the mobile app that owners use to control them. In particular, they found that a potential hacker could access the feed from the robot’s built-in camera and microphone.

This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and communicate with the robot. Second, although in theory the PIN code set by the device owner secures the video feed, in practice it gets verified on the app side — so it can be bypassed.

The PIN code for securing the video feed from an Ecovacs robot vacuum is verified on the app side, which makes the mechanism extremely vulnerable Source

The researchers also managed to gain root access to the robot’s operating system. They found it was possible to send a malicious payload to the robot via Bluetooth, which in some Ecovacs models gets turned on after a scheduled reboot, while in others it’s on all the time. In theory, encryption should protect against this, but Ecovacs uses a static key that’s the same for all devices.

Armed with this knowledge, an intruder can get root privileges in the operating system of any vulnerable Ecovacs robot and hack it at a distance of up to 50 meters (~165 feet) — which is precisely what the researchers did. As for robot lawnmowers, these models are hackable at more than 100 meters (~330 feet) away, since they’ve got more powerful Bluetooth capabilities.

Add to that that, as mentioned already, today’s robot vacuums are full-fledged Linux-based computers, and you can see how attackers can use one infected robot as a means to hack others nearby. In theory, hackers can even create a network-worm to automatically infect robots anywhere in the world.

Bluetooth vulnerability in Ecovacs robots could lead to a chain of infection Source

Giese and Luedtke informed Ecovacs about the vulnerabilities they found, but received no response. The company did try to close some of the holes, say the researchers, but with little success and ignoring the most serious vulnerabilities.

How the Ecovacs robot vacuums were hacked for real

It appears that the DEF CON talk generated great interest in the hacker community — so much so that someone seems to have taken the attack a step further and deployed it on Ecovacs robot vacuums out in the real world. According to recent reports, owners in several U.S. cities had been hit by hackers and made to suffer abuse from their robot servants.

In one incident in Minnesota, an Ecovacs DEEBOT X2 started moving by itself and making strange noises. Alarmed, its owner went into the Ecovacs app and saw that someone was accessing the video feed and remote-control feature. Writing it off as a software glitch, he changed the password, rebooted the robot and sat down on the couch to watch TV with his wife and son.

But the robot kicked back into life almost straight away — this time emitting a continuous stream of racial slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it into the garage and left it there. Despite this ordeal, he is grateful that the hackers made their presence so obvious. Far worse, he says, would have been if they’d simply secretly monitored his family through the robot without revealing themselves.

Hijacking a live video feed of an Ecovacs robot vacuum Source

In a similar case, this time in California, another Ecovacs DEEBOT X2 chased a dog around the house, again shouting obscenities. And a third case was reported from Texas, where, you guessed it, an Ecovacs robot vacuum went walkabout and hurled abuse at its owners.

The exact number of hacks of Ecovacs robot vacuums is unknown. One reason for this, alluded to above, is that the owners may not be aware of it: the hackers may be quietly observing their daily lives through the built-in camera.

How to guard against robot vacuum hacking?

The short answer is: you can’t. Unfortunately, there’s no universal method of protecting against robot vacuum hacking that covers all bases. For some models, in theory, there’s the option of hacking it yourself, getting root access, and unlinking the machine from the vendor’s cloud. But this is a complex and time-consuming procedure that the average owner won’t consider attempting.

A serious problem with IoT devices is that many vendors, sadly, still pay insufficient attention to security. And they often prefer to bury their heads in the sand — even declining to respond to researchers who helpfully report such issues.

To reduce the risks, try do your own research on the security practices of the vendor in question before purchasing. Some actually do a pretty good job of keeping their products safe. And, of course, always install firmware updates: new versions usually remove at least some of the vulnerabilities that hackers can exploit to gain control over your robot.

And remember that a robot connected to home Wi-Fi, if hacked, can become a launchpad for an attack on other devices connected to the same network — smartphones, computers, smart TVs, and so on. So it’s always a good idea to move IoT devices (in particular, robot vacuums) to a guest network, and install reliable protection on all devices where possible.

Kaspersky official blog – ​Read More