Security Advisory - Missing TLS Certificate Validation in App

Initial Release Date: December 17, 2024
Update Date: December 17, 2024

Vulnerability Overview
A vulnerability has been identified in the robot lawn mower and robot vacuum plugins of the ECOVACS app: the plugins do not validate the TLS certificate presented by the server they connect to. An attacker who can intercept the connection (for example, on the same network as the phone) can present a certificate of their own without triggering a TLS certificate warning and read the traffic the plugins exchange with the service, causing the plugins to leak information and potentially leading to further security risks.
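The following is an added illustration, not code from the ECOVACS app or its plugins (whose implementation language the advisory does not state). It shows, in Python's standard ssl module, the difference between a client that ignores certificate validation and one that enforces it, an audit function that flags the weak settings, and a probe helper a tester can point at a host with a self-signed or mismatched certificate to confirm which behaviour a client exhibits. The ca_bundle parameter and the finding codes are assumptions of this example.

```python
import socket
import ssl
from typing import List, Optional, Tuple


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: a client context that accepts any certificate.

    This is what 'TLS certificate validation is ignored' means in Python terms:
    a forged or self-signed certificate is accepted without any warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain is not checked against any CA
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that validates the chain and the host name.

    ca_bundle (assumed, optional) is a path to a PEM bundle; None means the
    platform's default CA store. Pin a bundle here if you control the server."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return finding codes for a client SSLContext; an empty list means OK."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")   # any issuer is accepted
    if not ctx.check_hostname:
        findings.append("no-hostname-check")     # a cert for any name is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


def probe(host: str, port: int, ctx: ssl.SSLContext,
          timeout: float = 5.0) -> Tuple[bool, str]:
    """Attempt a TLS handshake and report whether the context accepted the peer.

    Network helper for manual testing (not exercised offline): aim it at a
    server presenting a self-signed or mismatched certificate. The insecure
    context returns (True, ...) there; the hardened one returns (False, ...)
    with the verification error, which is what a fixed client must do."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version() or "unknown TLS version"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed: {exc}"


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "ok")
```

The same test applies to any client regardless of language: put a server or intercepting proxy with an untrusted certificate in front of it and check that the connection is refused. A client that connects anyway has the defect described in this advisory.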

Vulnerability Source
The vulnerability information was provided by Dennis Giese and Braelynn Luedtke. We sincerely appreciate their contributions to the security of ECOVACS products.

Versions and Fixes
  App: Version 3.0.0 and later has addressed this issue. Please update to the latest app version.
  Firmware: Update affected devices to at least the patched version listed below.

  Affected Products                      Patched Version
  X2 OMNI                                1.76.6
  X2 COMBO                               1.81.10
  X2S                                    1.49.0
  X2 PRO-ip3mmy                          1.76.6
  X5 PRO                                 1.70.0
  Mate X                                 1.44.18
  X5 PRO PLUS                            1.38.0
  X5 PRO ULTRA                           1.17.0
  X1 OMNI, X1 TURBO, X1 PRO OMNI         2.4.41
  X1, X1 PLUS                            1.7.3
  X1S PRO                                2.5.31
  X1S PRO PLUS                           1.23.0
  X1e OMNI-bro5wu                        2.4.42
  T10 TURBO-9s1s80                       1.10.0
  T10 PLUS-rss8xk                        1.7.5
  T10-jtmf04                             1.7.5
  T10 OMNI-lx3j7m                        1.9.0

Version Access
  Firmware Version: Devices that support automatic updates will receive system update notifications. We have proactively pushed the update to all active users. Users can complete the fix by performing the system update.
  App Version: Please update to the latest version based on your device type through the respective app store: iOS users can search for and update our app on the App Store; Android users can update via the Google Play Store. Additionally, you can visit our official website or app download center to manually download and install the latest version.

FAQs
None.

Security Incident Response
ECOVACS is committed to ensuring the best interests of our product users. We adhere to responsible disclosure principles and address security issues through our product security management process.
To report security issues related to ECOVACS products and solutions, please contact us at: product-security@ecovacs.com

ECOVACS will continue to monitor developments related to this vulnerability. The investigation is still in progress, and this advisory will be updated promptly if anything changes. Please stay tuned for further updates.