CVE-2019-12821 Information

Description

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, in the step that adds a device to the account using a QR code. The QR code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six-digit number that depends on the specific device.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Reference

https://www.kth.se/polopoly_fs/1.914058.1561621210!/Olsson_Larsson-Forsberg_vacuum.pdf

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

Base Score

4.8

Base Severity

MEDIUM
