Filtered by vendor Neatorobotics Subscriptions
Filtered by product Botvac D3 Connected Firmware Subscriptions
Total 3 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-20785 1 Neatorobotics 14 Botvac Connected, Botvac Connected Firmware, Botvac D3 Connected and 11 more 2024-11-21 N/A
Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices. During startup, the AM335x secure boot feature decrypts and executes firmware. Secure boot can be bypassed by starting with certain commands to the USB serial port. Although a power cycle occurs, this does not completely reset the chip: memory contents are still in place. Also, it restarts into a boot menu that enables XMODEM upload and execution of an unsigned QNX IFS system image, thereby completing the bypass of secure boot. Moreover, the attacker can craft custom IFS data and write it to unused memory to extract all memory contents that had previously been present. This includes the original firmware and sensitive information such as Wi-Fi credentials.
CVE-2018-17178 1 Neatorobotics 10 Botvac D3 Connected, Botvac D3 Connected Firmware, Botvac D4 Connected and 7 more 2024-11-21 5.3 Medium
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.
CVE-2018-17177 1 Neatorobotics 12 Botvac 85 Connected, Botvac 85 Firmware, Botvac D3 Connected and 9 more 2024-11-21 2.4 Low
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.