CVE Vulnerability

CVE-2019-12821

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code. The QR-code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR-code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six digit number that depends on the specific device.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

4.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://www.kth.se/polopoly_fs/1.914058.1561621210!/Olsson_Larsson-Forsberg_vacuum.pdf Exploit Technical Description
Configurations

Configuration 1
Information

Published : 2019-07-19 06:15

Updated : 2020-08-24 05:37

NVD link : CVE-2019-12821

Mitre link : CVE-2019-12821

Products Affected

I3 Firmware

Jisiwei

CWE
CWE-330