HackMyIP
← Back to News
2026-07-16 The Hacker News

Critical Unpatched Shark Vacuum Flaw Lets Attackers Seize Devices Region-Wide

VulnerabilityCloud SecurityAuthentication

A serious unpatched vulnerability in SharkNinja robot vacuums allows attackers to extract device certificates from the hardware and use them to issue commands on other Shark vacuums sharing the same AWS region, including watching live camera feeds, steering the robot, and stealing the home Wi-Fi password in plaintext. Independent researcher tokay0 published the full exploit chain on Monday after testing it only against devices he personally purchased, warning that SharkNinja has been aware of the report since March. The flaw spans the Shark RV2320EDUS and AV1102ARUS models and stems from a misconfigured AWS IoT policy attached to the device certificate.

The attack begins with physical access: opening the vacuum exposes UART pins on the mainboard, where an unprotected U-Boot console paired with an init=/bin/sh boot argument drops the attacker into a root shell without credentials. From there, the per-device private key and X.509 certificate sit in plain files under /mnt/res/vapp/certs/, ready to be copied off. Because the AWS IoT policy on the certificate was never scoped to the specific device that holds it, presenting that certificate to Shark's MQTT broker grants publish and subscribe access to $aws/things/#, covering every device the broker serves. Operators can verify their own certificate hygiene with an SSL/TLS checker to confirm whether pinning is properly enforced. Amazon documented the same misconfiguration pattern as IOT_POLICY_OVERLY_PERMISSIVE_CHECK and rates it critical, warning that a stolen certificate carrying that policy allows an attacker to "read or modify shadows, jobs, or job executions for all your devices."

Once the attacker is authenticated to the broker, exploitation is trivial. The AWS device shadow document carries an Exec_Command field that the on-device management daemon appd reads and passes to a function named execute_command, which runs any payload under 1,000 bytes through popen. A shadow update addressed to any target device's topic triggers the handler, returning a reverse shell on the victim robot. tokay0 demonstrated this against an AV1102ARUS used purely as a target, streaming the onboard camera while remotely driving the unit across the floor. Any homeowner concerned about exposed network services on smart devices can scan their perimeter with a port scanner to spot unexpected listeners.

The blast radius is regional by design rather than by mitigation: certificates are pinned to the AWS region where they were provisioned, so a key lifted in one region only reaches vacuums in that region. A second compromised certificate is needed to cross regions. Still, any vacuum that runs the Exec_Command handler remains a viable target even if its own certificate is correctly scoped, and SharkNinja had not published a fix at the time of disclosure. Users of any IoT appliance should isolate smart devices on a segmented VLAN, rotate Wi-Fi credentials periodically, and check exposed accounts with an email breach checker to ensure credentials harvested from a compromised home network have not appeared in public leak corpora.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

SSL/TLS Checker →Security Headers Check →Password Checker →

Related Guides

Learn the background behind this story:

What is SSL/TLS? →HTTPS explained →HTTP security headers explained →