Shark vacuum flaw exposes cameras, home maps and Wi-Fi passwords


Shark’s cloud-connected robot vacuums are currently exposed by an unpatched AWS (Amazon Web Services) IoT (Internet of Things) policy flaw that could turn one compromised device into a remote-control skeleton key for many others in the same region, with access to cameras, maps, and Wi‑Fi passwords.

A researcher using the handle tokay0 took apart a Shark RV2320EDUS robot vacuum and found that its embedded AWS IoT certificate is allowed to publish and subscribe to topics for any Shark device in the same AWS Region, not just itself.

An AWS Region is a distinct geographical location where Amazon clusters its cloud data centers. Each AWS Region is completely isolated from the others. There are currently 39 AWS Regions worldwide.

Read more…
Source:  Malware Bytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Three Steps to the Terminal: A Siemens ROX II Zero-Day Trilogy

    July 17, 2026

    Palo Alto Unit 42 conducted this research in close partnership with Siemens, reflecting their shared commitment to advancing the security and resilience of critical infrastructure. This report details a critical, chained exploit comprising three zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) discovered in Siemens ROX II operational technology (OT) switches. Successful exploitation of this chain would allow ...

  • Shark vacuum flaw exposes cameras, home maps and Wi-Fi passwords

    July 17, 2026

    Shark’s cloud-connected robot vacuums are currently exposed by an unpatched AWS (Amazon Web Services) IoT (Internet of Things) policy flaw that could turn one compromised device into a remote-control skeleton key for many others in the same region, with access to cameras, maps, and Wi‑Fi passwords. A researcher using the handle tokay0 took apart a Shark RV2320EDUS robot vacuum and ...

  • Attackers target critical FortiSandbox flaws as CISA issues patch order

    July 17, 2026

    Fortinet admins have two more reasons to clear their calendars after CISA confirmed a pair of critical FortiSandbox bugs are being actively exploited. The two bugs, tracked as CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. According to Fortinet, they are OS command injection flaws that allow ...

  • Top AI tools such as OpenClaw and Github Copilot can be hijacked to create new massive botnets

    July 15, 2026

    Your favorite AI service could be subverted to deploy code that turns your phone or PC into a botnet, according to researchers at Intuit, Technion, and Tel Aviv University. The technique has been given the name HalluSquatting, a portmanteau of adversarial hallucination squatting, and is similar to typosquatting in that it relies on a mistake in ...

  • Microsoft tops last month’s record with 622 Patch Tuesday CVEs

    July 14, 2026

    Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high. Redmond’s Patch Tuesday release is once again one for the record books, with everything under ...

  • Two Chrome updates in two days fix critical vulnerabilities

    July 10, 2026

    Updating Chrome is becoming an almost daily task lately. But it’s too important to ignore. On Wednesday, July 8, Google released another Chrome update, just one day later after the previous one. Between them, the two updates fixed 27 security vulnerabilities, including two critical flaws that could be exploited to compromise Chrome. Google says both are “use-after-free” memory vulnerabilities, which ...