Description

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

INFO

Published Date :

2025-01-23T16:38:48.017Z

Last Modified :

2025-02-12T17:11:14.933Z

Source :

cisa-cg
AFFECTED PRODUCTS

The following products are affected by CVE-2024-12078 vulnerability.

Vendors Products
Ecovacs
  • Airbot Andy
  • Airbot Andy Firmware
  • Airbot Ava
  • Airbot Ava Firmware
  • Airbot Z1
  • Airbot Z1 Firmware
  • Deebot 900
  • Deebot 900 Firmware
  • Deebot N10
  • Deebot N10 Firmware
  • Deebot N8
  • Deebot N8 Firmware
  • Deebot N9
  • Deebot N9 Firmware
  • Deebot T10
  • Deebot T10 Firmware
  • Deebot T20
  • Deebot T20 Firmware
  • Deebot T8
  • Deebot T8 Firmware
  • Deebot T9
  • Deebot T9 Firmware
  • Deebot X1
  • Deebot X1 Firmware
  • Deebot X2
  • Deebot X2 Firmware
  • Goat G1
  • Goat G1 Firmware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-12078.

URL Resource
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf cve-icon cve-icon
https://youtu.be/_wUsM0Mlenc?t=2041 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact