Back to news
Cybersecurity Alert
July 17, 2026 by EmailMeNow IT Consulting

Shark Robot Vacuums Exposed by Unpatched AWS IoT Flaw Affecting Millions

Researcher tokay0 disclosed an unpatched SharkNinja AWS IoT Core certificate-scoping flaw (Jul 13, 2026) enabling cross-device RCE, cameras, maps, and plaintext Wi-Fi keys. ~1.52M devices seen in one region; ~44% respond to command probes. Audits: irobot.com 68%, ecovacs.com 62%, roborock.com 61%, sharkninja.com 54%, sharkclean.com 46% — none at the 100% ideal.

Source: tokay0 research disclosure

NewsIoTVulnerabilitySmart HomeCybersecurity
Illustration of a connected robot vacuum linked to a cloud broker with a broken lock warning

A critical, still-unpatched weakness in SharkNinja’s AWS IoT Core access policies lets a certificate pulled from one internet-connected Shark robot vacuum authenticate to the cloud broker and send commands to other Shark devices in the same AWS region. Researcher tokay0 published the write-up on July 13, 2026 after months of responsible disclosure with no committed fix. Research models included RV2320EDUS and AV1102ARUS; the researcher states the issue affects all internet-connected Shark robot vacuums.

Illustration of a connected robot vacuum linked to a cloud broker with a broken lock warning

Flaw Snapshot

FieldDetail
DisclosedJuly 13, 2026 (tokay0)
Root causeOver-permissive AWS IoT Core MQTT policy on device certificates (not scoped to the holding device)
Broker pathMutual TLS to AWS IoT; device shadow field Exec_Command executed via shell (popen, <1000 bytes)
Initial cert theftPhysical UART + U-Boot interrupt on researched units
After thatRemote cross-device abuse in the same AWS region
Scale (1 region, ~24h)~1.52M unique serials; ~674k (44%) with Exec_Response / RCE capability signal; 10.5M+ MQTT messages
CVENone yet (MITRE CNA-LR request pending as of disclosure)
Patch statusUnpatched as of mid-July 2026 coverage — fix is server-side, not a consumer firmware flash
What attackers can reach after RCEWhy it matters
Camera feed / motorsSurveillance and physical control inside the home
House mapsLayout intelligence for follow-on attacks
Plaintext Wi-Fi PSKPivot onto the broader home LAN
App / cloud command pathAbuse of the same broker fleet owners already trust

Diagram-style illustration of a device certificate reaching a cloud broker and pivoting toward home Wi-Fi and maps

Disclosure Timeline

DateEvent
Mar 1, 2026Researcher contacts SharkNinja
Mar 11–12Technical details shared; company acknowledges
Apr 27Status: “under review”
Jun 990-day disclosure window ends
Jun 11CVE request via MITRE CNA-LR
Jul 3Company promises a completion date by Jul 10
Jul 10No completion date delivered (per researcher)
Jul 13Public write-up posted

Coverage from Malwarebytes and CyberPress confirms the cloud-policy framing and owner guidance while the broker remains open.

Nuance from the primary write-up: the second unit (AV1102ARUS) used for proof had a properly scoped certificate (no wildcard subscribe), while the first (RV2320EDUS) did not — suggesting bad policies were introduced in provisioning over time. The researcher still assesses all internet-connected Shark vacuums as in-scope for the class of flaw, and notes other Shark IoT products (e.g., smart grills / probes) were not fully investigated but may share architecture.

Other Brands That Share This Risk Class

Shark is the active disclosure — but the architecture is industry-wide: Bluetooth provisioning of the home SSID/password, Linux SoC + MCU split, on-device Wi-Fi credential storage, cameras/maps, and cloud MQTT/IoT hubs.

Brand / lineWhy it is in scope for owners
EcovacsDEF CON 2024 research (Dennis Giese & Braelynn Luedtke): Bluetooth foothold (ranges demonstrated up to ~450 ft / 130 m), shell, Wi-Fi credential extract — cited by tokay0 as a prior vacuum precedent
DJI ROMOResearcher notes a near-identical cloud/device RCE class discovered previously
RoborockSame BT + 2.4 GHz Wi-Fi + app/cloud + on-device reconnection secrets pattern
iRobot (Roomba)Cloud-connected mapping robots with home-network credentials on device
Dreame, Eufy/Anker, Xiaomi, Samsung Jet Bot, LG CordZeroComparable connected-cleaner stacks; treat as same hygiene class until vendors prove per-device least-privilege
Any AWS IoT Core / Azure IoT Hub applianceCertificate or token policies must be scoped per device — wildcard fleet access is the Shark failure mode

This is not a claim that every listed brand has the same open AWS wildcard today. It is a claim that the documented Shark path (cloud least-privilege failure + plaintext Wi-Fi PSK on a wheeled Linux box) is a pattern owners should assume until proven otherwise.

What Shark / SharkClean Owners Should Do Now

PriorityAction
1Disconnect Wi-Fi / disable app remote connectivity until SharkNinja confirms a scoped cloud policy — the durable fix is in their AWS account, not a home firmware flash
2Change the home Wi-Fi password, then re-pair IoT devices (invalidates any extracted PSK)
3Put vacuums/cameras/plugs on a guest / IoT VLAN with client isolation
4Prefer WPA3 where possible; many robots still need a dedicated 2.4 GHz SSID
5Disable unused camera / remote / cloud-mapping features
6Watch SharkNinja / SharkClean app notices for remediation; no CVE means scanners will lag

Independent Cybersecurity Audit

We scored Shark and peer robot-vacuum brand domains on July 17, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.

DomainOverallIdentityTransportWebsiteLevel
irobot.com68%50%45%87%Above Average
ecovacs.com62%70%15%43%Above Average
roborock.com61%35%15%87%Above Average
sharkninja.com54%35%15%65%Average
sharkclean.com46%35%15%37%Below Average
FindingDetail
Ideal score0 of 5 hit 100% overall
Soft Transport15% on Shark, Ecovacs, and Roborock hosts in this pass
Soft IdentityShark + Roborock Identity 35% — weak spoof resistance during “security update / reconnect Wi-Fi” phishing season
Strongest hereirobot.com at 68% with Website 87%
Phishing implicationExpect fake “SharkClean critical patch / reconnect your vacuum” mail while owners hunt for guidance

Bar chart of EmailMeNow audit scores for irobot.com, ecovacs.com, roborock.com, sharkninja.com, and sharkclean.com — 100% ideal

Audit links: irobot.com · ecovacs.com · roborock.com · sharkninja.com · sharkclean.com

Website stack note

Passive website-tech probes completed on July 17, 2026 for all five domains (5 probed, 0 notable, 0 errors). roborock.com was identified as Shopify, where core updates are vendor-managed; apps, themes, and administrator MFA still require merchant oversight. The other four hosts did not expose a CMS or PHP version in this pass. No outdated CMS, PHP EOL, known-CVE hint, or short-horizon TLS alert was reported.

These marketing-site results do not test the SharkNinja AWS IoT broker or invalidate the primary disclosure: the robot-vacuum risk is the cloud certificate policy and on-device Wi-Fi secrets.


Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for IoT network segmentation and phishing-season hardening.


Sources: tokay0 — Millions of Shark vacuums vulnerable to RCE · Malwarebytes · CyberPress · EmailMeNow audits — sharkninja.com · sharkclean.com · ecovacs.com · roborock.com · irobot.com