Particle.news

Shark Robot Vacuum Certificate Flaw Lets One Device Command Others in Same AWS Region

A misconfigured AWS IoT policy lets a stolen device certificate act as a regional skeleton key, requiring SharkNinja to change cloud policies or reissue scoped certificates to stop remote command and data access.

Overview

  • A security researcher who first reported the issue to SharkNinja on March 1 published a working method on July 13 showing how to extract a client certificate and use it to control other Shark vacuums in the same AWS region.
  • The flaw stems from an over‑permissive AWS IoT policy that allowed a device certificate to publish and subscribe to any $aws/things/* topic and from an Exec_Command field that the vacuum’s management daemon runs through a shell.
  • The researcher showed the certificate can be recovered with physical access to the vacuum’s mainboard via UART and U‑Boot, after which the certificate can be used remotely to read cameras, pull home maps, and extract plaintext Wi‑Fi credentials from other devices in the region.
  • In a 24‑hour probe of one AWS region the researcher observed 1,517,605 unique Shark serials and 673,816 devices that responded in a way that indicates they implement the Exec_Command handler, suggesting large-scale exposure.
  • There is no owner-side firmware fix needed; AWS Device Defender flags this policy shape as critical and remediation is done by SharkNinja replacing the policy or reissuing scoped certificates, so owners should disconnect affected vacuums from Wi‑Fi until the company acts.