Deterministic Key Vulnerability in ECOVACS Robot Lawn Mowers and Vacuums
CVE-2024-52331

7.7HIGH

Key Information:

Vendor: Ecovacs
Status: Unspecified Robots
Vendor: CVE Published:; 23 January 2025

What is CVE-2024-52331?

ECOVACS robot lawnmowers and vacuums have a vulnerability that arises from the use of a deterministic symmetric key for decrypting firmware updates. This flaw allows an attacker to create malicious firmware that, once encrypted, can be installed on the device without detection. The implications of this vulnerability include unauthorized control over the device and the potential for exploitation of personal data collected by the robot, posing significant risks to user privacy and security.

Affected Version(s)

Unspecified robots *

References

https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ec...

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-...

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 23, 2025
Vulnerability Reserved
Nov 8, 2024

CVE-2024-52331 Data

JSON

Ecovacs

What is CVE-2024-52331?

Affected Version(s)

References

CVSS V4

Timeline