During a security assessment, researchers discovered two security vulnerabilities in the Enabot Ebo Air smart robot. Because the device carries a camera and microphone and roams the home, these flaws directly threaten the security of smart home systems, allowing an adversary to take over the device and spy on its owner.
Enabot Ebo Air Vulnerabilities
According to a recent report from Modux, its researchers analyzed the Enabot Ebo Air smart robot at the request of the consumer group Which? and found two major security vulnerabilities.
Enabot's Ebo Air is a smart robot sold as a home-monitoring device. Equipped with Wi-Fi, a camera, speakers, a microphone, and wheels, it moves around the house so the user can check on their home in real time.
However, the same capabilities mean that any vulnerability in the robot, if exploited, directly compromises the security of the user's home.
According to the researchers, the Ebo Air robot had two critical security issues. First, every robot shipped with the same hard-coded administrative credentials, so anyone who knew them could compromise any Ebo Air once they had access to the network it was connected to.
From there, the attacker could log in to the robot over SSH and take full control of the device: operate all of its functions, access the camera and microphone to spy on the household, download stored video and audio recordings, and read the saved Wi-Fi passwords. Obtaining the credential required nothing more than intercepting a firmware update and extracting the hard-coded password from it.
Although the flaw appears to require access to the local network, the researchers observed that it could also be exploited remotely. Once on the device, the adversary could use the software already on board the robot to open a connection to an external server, and that remote connection would persist even while the device was in sleep mode.
The second vulnerability was an information disclosure flaw caused by the absence of a secure-delete function. In simple terms, the robot did not properly erase stored data even after a factory reset, so recordings and other user data remained recoverable by anyone who later obtained the device.
After this discovery, the researchers reported the flaws to the vendor. To address the shared-password issue they proposed disabling remote SSH access and provisioning a unique password for each device rather than a single hard-coded one. They also recommended implementing a secure-delete function so that data is actually removed on factory reset.
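To make the first finding and its proposed fix concrete, here is an added example in Python. It is not code from Modux, Which? or Enabot, and it is not derived from the real Ebo Air firmware. The first function takes the /etc/shadow contents extracted from several firmware images or units and flags accounts whose password hash is identical across devices, which is what a shared hard-coded credential looks like on disk (an identical crypt-style hash means the same salt and the same password were baked into every image). The second function shows the per-device alternative the researchers recommended, deriving a distinct password for each unit from a factory secret and the unit's serial number. The device names, shadow lines, hash strings and serial numbers are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: the /etc/shadow contents as they might be pulled
# from three different units. The hashes are made-up placeholder strings,
# not real values from any product.
SHARED_HASH = "$6$abcdef$SAMEHASHSAMEHASHSAMEHASH"
SAMPLE_SHADOW = {
    "unit-A": f"root:{SHARED_HASH}:19000:0:99999:7:::\n"
              f"admin:{SHARED_HASH}:19000:0:99999:7:::\n",
    "unit-B": f"root:{SHARED_HASH}:19000:0:99999:7:::\n"
              "admin:$6$qqqqqq$DIFFERENTHASHDIFFERENT:19000:0:99999:7:::\n",
    "unit-C": f"root:{SHARED_HASH}:19000:0:99999:7:::\n"
              "nobody:*:19000:0:99999:7:::\n",
}


def parse_shadow(text):
    """Return {user: hash_field} for the contents of one /etc/shadow file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def find_shared_credentials(shadow_by_device):
    """Map (user, hash) -> sorted list of devices that share that exact hash.

    Locked or passwordless accounts ('*', '!...' or empty hash) are skipped.
    Any account that appears with a byte-for-byte identical hash on more
    than one device is reported: that is the fingerprint of a credential
    hard-coded into the firmware image rather than set per unit.
    """
    seen = defaultdict(list)  # (user, hash) -> [device, ...]
    for device, text in shadow_by_device.items():
        for user, h in parse_shadow(text).items():
            if h in ("", "*") or h.startswith("!"):
                continue
            seen[(user, h)].append(device)
    return {key: sorted(devs) for key, devs in seen.items() if len(devs) > 1}


def derive_device_password(factory_secret, serial, length=20):
    """Derive a unique, reproducible admin password for one unit.

    The factory secret stays in the provisioning system; only the derived
    value is written to the unit (hashed into its own /etc/shadow). Knowing
    one unit's password reveals nothing about another's, and the firmware
    image itself no longer contains any credential at all.
    """
    digest = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]


if __name__ == "__main__":
    for (user, h), devices in find_shared_credentials(SAMPLE_SHADOW).items():
        print(f"shared credential: user={user} devices={devices} hash={h}")
    # Constructed serial numbers for two hypothetical units.
    secret = b"factory-provisioning-secret"  # placeholder, never ship this
    for serial in ("EBO-0001", "EBO-0002"):
        print(serial, derive_device_password(secret, serial))
```

Deriving from a factory secret keeps provisioning reproducible, but it makes that secret as sensitive as every password it ever produced; generating each password randomly at the factory and recording it in the provisioning database avoids that single point of failure. From the attacker's side the outcome is the same either way: a credential recovered from one firmware image or one unit no longer opens any other, and with SSH disabled as the researchers proposed there is no remote login for it to open in the first place.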
Following the report, the vendor patched the vulnerabilities and the researchers confirmed the fixes. All Ebo Air users should therefore update their device's firmware to receive them.