CVE-2024-52331

ECOVACS lawnmowers and vacuums deterministic firmware encryption key

CVSS 7.7 HIGHEPSS 0.2%CWE-1391 CWE-327 CWE-494

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

ECOVACS · Unspecified robots

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html