PT-2019-12964 · Shenzhen Jisiwei · Shenzhen Jisiwei I3 Robot Vacuum Cleaner App

Published: 2019-07-19 · Updated: 2020-08-24 · CVE-2019-12820

CVSS v3.1: 5.6 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Shenzhen Jisiwei i3 robot vacuum cleaner app version 2.0

Description

A security issue was discovered in the app, where actions like changing passwords and communicating personal information with the server use unencrypted HTTP. For instance, login requests to a Jisiwei account are sent in cleartext. This affects both Android and iOS versions of the app. An attacker could exploit this using a Man-in-the-Middle (MiTM) attack on the local network to obtain login credentials, granting full access to the robot vacuum cleaner.

Recommendations

For app version 2.0, consider disabling the login functionality until a secure version of the app is available, and avoid using the app on untrusted networks to minimize the risk of exploitation.

Cleartext Transmission of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2019-12820

Affected Products

Shenzhen Jisiwei I3 Robot Vacuum Cleaner App