Shark robot vacuum flaw exposes home cameras and Wi-Fi passwords

A flaw in Shark's cloud connected robot vacuums could let one hacked device become a skeleton key to spy on other homes through their cameras, steal Wi-Fi passwords and copy floor plans. A researcher using the handle tokay0 took apart a Shark RV2320EDUS vacuum and found that its embedded Amazon Web Services certificate is allowed to talk to every other Shark device in the same cloud region, not just itself.

How the flaw works

Each vacuum is supposed to have its own private cloud "inbox" for storing state and receiving commands. Shark's overly broad messaging policy lets a certificate pulled from one device send commands to other vacuums' inboxes across the same AWS region. Extracting that certificate needs physical access and a debug console, but once an attacker has it, the abuse is entirely remote. Over a single 24 hour window in one region the researcher counted more than 1.5 million unique Shark serial numbers, and roughly 44 percent responded in a way that suggested they supported remote command execution.

What an attacker could do

According to the researcher, that cloud access could let someone watch the vacuum's camera as a mobile surveillance device inside a home, steal the Wi-Fi password (said to be stored in plaintext) for a foothold on the local network, and copy the home's map to learn room layouts and daily routines.

Why it matters

This is a server side misconfiguration, not a firmware bug owners can patch themselves. The researcher says SharkNinja was notified more than six months ago and has not fixed it. It is the latest reminder that cutting corners on the security of internet connected household and infrastructure devices, from vacuums to EV charging stations, keeps turning convenience features into surveillance and network risks.

What you should do

Until Shark ships a fix, owners can disable remote control or disconnect the vacuum from Wi-Fi when its smart features are not needed, watch for a vendor patch, CVE or recall, and press the vendor to close the hole. On the network side, isolating smart home gadgets on a separate guest or IoT network limits what a compromised device can reach.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions