PT-2019-12965 · Shenzhen Jisiwei · Shenzhen Jisiwei I3 Robot Vacuum Cleaner App

Published: 2019-07-19 · Updated: 2020-08-24 · CVE-2019-12821

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Shenzhen Jisiwei i3 robot vacuum cleaner app version 2.0

Description

A security issue was discovered in the app, related to adding a device to an account using a QR-code. The QR-code pattern is easily predictable and depends on the device ID of the robot vacuum cleaner. This predictability allows for generating a QR-code that can connect an arbitrary device, granting full access to it. The device ID starts with "JSW" followed by a six-digit number specific to each device.

Recommendations

For app version 2.0, consider restricting access to device addition functionality via QR-code until a more secure method of device pairing is implemented. As a temporary workaround, avoid using the QR-code method for adding devices to accounts to minimize the risk of unauthorized access.
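
One shape the "more secure method of device pairing" in the recommendation could take, as an added example that is not the vendor's code or part of the original advisory: the QR payload carries a server-issued random token that is single-use and expires, so knowing a device ID alone is not enough to pair. `PairingService`, the `id:token` payload layout and the 300-second lifetime are assumptions; the advisory does not describe the real QR format.

```python
import hashlib
import hmac
import re
import secrets
import time

DEVICE_ID_RE = re.compile(r"JSW\d{6}")  # ID format stated in the advisory
TOKEN_TTL_SECONDS = 300                  # assumed pairing window


class PairingService:
    """Hypothetical server-side pairing store (in memory for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # device_id -> (sha256(token), expiry timestamp)

    def issue(self, device_id):
        """Create the QR payload for a device the backend has already authenticated."""
        if not DEVICE_ID_RE.fullmatch(device_id):
            raise ValueError("malformed device ID")
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[device_id] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return f"{device_id}:{token}"

    def redeem(self, qr_payload):
        """Return the device ID to bind to the account, or None if rejected."""
        device_id, sep, token = qr_payload.partition(":")
        entry = self._pending.get(device_id)
        if not sep or entry is None:
            return None  # ID-only payloads and unknown devices never pair
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return None  # wrong token; the pending entry stays valid
        del self._pending[device_id]  # single use, consumed even if expired
        return device_id if self._clock() <= expiry else None
```

A production service would also rate-limit failed `redeem` calls per account and per device ID.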

Exploit

Fix

Weakness Enumeration: Use of Insufficiently Random Values

Related Identifiers: CVE-2019-12821

Affected Products: Shenzhen Jisiwei I3 Robot Vacuum Cleaner App