Shark Robot Vacuums Expose Home Networks Via AWS IoT Flaw
A critical vulnerability in Shark's AWS IoT policy allows a compromised robot vacuum to access other devices, potentially exposing cameras, home maps, and Wi-Fi passwords.

A significant security flaw has been discovered in the cloud infrastructure of Shark's internet-connected robot vacuums, potentially turning these household appliances into tools for remote surveillance and network intrusion. A security researcher, operating under the handle tokay0, found that an AWS (Amazon Web Services) IoT policy misconfiguration allows a compromised vacuum's digital certificate to control other Shark devices within the same geographical AWS Region.
This overly permissive policy means that a certificate, once extracted from a single vacuum (which currently requires physical access and a debug console), can interact with the "shadows" of other vacuums. These shadows are cloud-based data stores that hold device state, configuration, and commands. Shark's flawed policy, however, permits unauthorized access to these shadows, effectively granting an attacker the ability to send commands to any Shark vacuum in the affected region, not just the one whose certificate was stolen.
The implications for homeowners are severe. An attacker with this cloud-based access could potentially leverage the vacuum's camera to spy on activities within the home, effectively turning the device into a mobile surveillance unit. Furthermore, the researcher claims that Wi-Fi passwords are stored in plaintext on the devices, meaning an attacker could steal these credentials and gain a foothold on the user's home network.
Beyond surveillance and network access, the vulnerability also allows for the exfiltration of the vacuum's map of the home. This map data can reveal detailed layouts of residences, including frequently used areas, posing a significant privacy risk. This incident echoes previous concerns raised about smart home devices, where inadequate security practices by manufacturers have led to privacy and safety issues.
During a 24-hour observation period in a single AWS Region, the researcher identified over 1.5 million unique Shark serial numbers. Crucially, approximately 44% of these devices, totaling over 673,000, responded in a manner indicating support for remote command execution, suggesting a widespread impact across Shark's IoT device ecosystem.
The core of the problem lies in the server-side AWS IoT policy, which is not sufficiently restrictive. This means it's not a firmware issue that users can patch themselves; the fix must come from SharkNinja. Despite being notified of the vulnerability over six months ago, the company has yet to release a patch or publicly address the issue.
Until Shark implements a fix, users are advised to limit the smart features of their vacuums, such as disabling remote control or disconnecting them from Wi-Fi if advanced functionality is not required. Consumers are encouraged to monitor Shark's official channels for any announcements regarding a resolution, potential CVE identification, or product recall.
This incident underscores the critical importance of robust security configurations for cloud-connected devices. As more IoT devices enter our homes, the potential for widespread privacy breaches and network compromises increases, highlighting the need for manufacturers to prioritize security from the design phase.