Security Assessment Conducted by KISA and the Korea Consumer Agency
40 Security Criteria Reviewed Across Six Robot Vacuum Cleaner Models
Security vulnerabilities that could lead to privacy exposure and personal information leaks have been discovered in some Chinese-made robot vacuum cleaners, prompting a warning for users to exercise caution.
The Korea Internet & Security Agency (KISA) and the Korea Consumer Agency jointly investigated the security status of six robot vacuum cleaner models currently available on the market. On September 2, they announced that some products were found to have security vulnerabilities that could result in privacy violations and personal information leaks.
Robot vacuum cleaners are Internet of Things (IoT) devices that communicate with external servers using cameras and sensors. While their convenience and efficiency have led to increased usage, insufficient security measures can result in the leakage of personal information, so extra caution is required.
KISA and the Korea Consumer Agency evaluated the six products in the investigation across three categories: 'mobile app security' for controlling and configuring the robot vacuum, 'policy management' including the manufacturer's security update and privacy protection policies, and 'device security' covering hardware, network, and firmware (embedded software). A total of 40 items were inspected.
In the mobile app security assessment, three Chinese brands-Narwal, Dreame, and Ecovacs-were found to have insufficient user authentication procedures, making them vulnerable to unauthorized access or manipulation. As a result, security flaws were identified that could expose private information, such as photos taken inside the home being leaked externally or the camera function being forcibly activated.
One Dreame product was found to have inadequate personal information management, revealing a vulnerability that could lead to the leakage of user information such as names and contact details. While the risk of exploitation in typical usage environments is relatively low, there is potential for abuse by advanced hackers. The manufacturer was immediately instructed to take corrective action, which has since been completed.
In the device security assessment, the hardware security level of two products-Dreame and Ecovacs-was found to be relatively low. Across all products investigated, firmware security settings were generally insufficient, raising the possibility that the internal security structure of the devices could be exposed externally.
Among the six products reviewed, two models from Samsung Electronics and LG Electronics received high marks in the overall evaluation due to their well-established access permission settings, anti-tampering features, secure password policies, and update policies.
KISA and the Korea Consumer Agency recommended that all six manufacturers take measures to enhance security, including improvements to mobile app authentication procedures, hardware protection, and firmware security. In response, all six companies submitted quality improvement plans.
Consumers are advised to set secure passwords and perform regular security updates when using robot vacuum cleaners, paying attention to basic security practices.
KISA and the Korea Consumer Agency plan to continue working together to strengthen security management for IoT products such as robot vacuum cleaners. They will also share the findings of this investigation with the Ministry of Science and ICT and expand policy and technical cooperation to improve the security of IoT devices.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
