Security Advisory - Insufficient PIN Validation for Live Video Feed Access in App
Initial Release Date: December 17, 2024
Update Date: December 17, 2024
Vulnerability Overview
CWE-603: Use of Client-Side Authentication
ECOVACS robot lawn mowers and vacuums validate the PIN that protects live video feed access on the client side rather than on the server. An attacker can therefore bypass the PIN check and access the live video feed without supplying the correct PIN.
Vulnerability Source
The vulnerability information was provided by Dennis Giese and Braelynn Luedtke. We sincerely appreciate their contributions to the security of ECOVACS products.
Versions and Fixes
App: version 3.0.2 and later address this issue, and the corresponding server-side validation has been released. Please update to the latest app version.
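As an added illustration of the CWE-603 pattern described in the overview and of the server-side fix noted above (example code written for this advisory, not ECOVACS code; the device IDs, PINs, endpoint names and token scheme are hypothetical), the following Python contrasts a feed endpoint that trusts a client-supplied "PIN verified" flag with one that checks the PIN itself, rate-limits attempts, and issues a short-lived stream token:

```python
"""Client-side vs server-side PIN validation for a live video feed.

Added example for this advisory; not ECOVACS code. All identifiers,
PINs and tokens are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed server-side store of per-device PIN hashes (hypothetical).
_PIN_SALT = b"constructed-salt"


def _hash_pin(pin: str) -> bytes:
    """Derive a PIN hash so the raw PIN is never stored or compared directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _PIN_SALT, 50_000)


DEVICE_PIN_HASHES = {"device-0001": _hash_pin("4821")}


# --- Vulnerable pattern (CWE-603): the server trusts the app's claim ---------
def vulnerable_request_stream(request: dict) -> dict:
    """Endpoint that believes a client-side PIN check already happened.

    Any caller can set pin_verified=True in the request body and receive a
    stream token, so the PIN offers no protection at all.
    """
    if request.get("pin_verified"):
        return {"ok": True, "stream_token": secrets.token_hex(16)}
    return {"ok": False, "error": "pin required"}


# --- Hardened pattern: the server validates the PIN and issues a token -------
MAX_ATTEMPTS = 5          # failed or successful attempts allowed per window
ATTEMPT_WINDOW = 300.0    # seconds
TOKEN_TTL = 60.0          # seconds a stream token stays valid
_attempts = {}            # device_id -> list of attempt timestamps
_issued_tokens = {}       # token -> (device_id, expiry)


def _too_many_attempts(device_id: str, now: float) -> bool:
    """Keep only attempts inside the window and check the count."""
    window = [t for t in _attempts.get(device_id, []) if now - t < ATTEMPT_WINDOW]
    _attempts[device_id] = window
    return len(window) >= MAX_ATTEMPTS


def request_stream(request: dict, now: float = None) -> dict:
    """Endpoint that performs the PIN check itself before granting access."""
    now = time.time() if now is None else now
    device_id = request.get("device_id")
    pin = request.get("pin")
    expected = DEVICE_PIN_HASHES.get(device_id)
    if expected is None or not isinstance(pin, str):
        return {"ok": False, "error": "invalid request"}
    if _too_many_attempts(device_id, now):
        return {"ok": False, "error": "too many attempts"}
    _attempts.setdefault(device_id, []).append(now)
    # Constant-time comparison of the derived hashes, never of the raw PIN.
    if not hmac.compare_digest(_hash_pin(pin), expected):
        return {"ok": False, "error": "wrong pin"}
    token = secrets.token_hex(16)
    _issued_tokens[token] = (device_id, now + TOKEN_TTL)
    return {"ok": True, "stream_token": token}


def open_live_feed(token: str, device_id: str, now: float = None) -> bool:
    """Streaming endpoint: only a server-issued, unexpired token for this
    device opens the feed, so the client's opinion of the PIN is irrelevant."""
    now = time.time() if now is None else now
    entry = _issued_tokens.get(token)
    if entry is None:
        return False
    token_device, expiry = entry
    return token_device == device_id and now < expiry


if __name__ == "__main__":
    print(vulnerable_request_stream({"pin_verified": True}))   # granted without a PIN
    print(request_stream({"device_id": "device-0001", "pin": "0000"}))  # wrong pin
```

The point of the hardened version is that the client never reports the outcome of the PIN check; it only submits the PIN, and the feed is gated on a token the server alone can mint.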
Version Access
App Version: Please update to the latest version based on your device type through the respective app store: iOS users can search for and update our app on the App Store; Android users can update via the Google Play Store. Additionally, you can visit our official website or app download center to manually download and install the latest version.
FAQs
None.
Security Incident Response
ECOVACS is committed to ensuring the best interests of our product users. We adhere to responsible disclosure principles and address security issues through our product security management process.
To report security issues related to ECOVACS products and solutions, please contact us at: product-security@ecovacs.com
ECOVACS will continue to monitor developments related to this vulnerability; investigation is ongoing. If anything changes, this advisory will be updated promptly. Please check back for further updates.