Robot Vacuum Maker Dreame's Smartphone App Vulnerable to Hacking

Robot vacuum maker Dreame's smartphone app has a critical security flaw that leaves users' data and credentials exposed to leakage if they are targeted by hackers. The vulnerability was discovered by security researcher Dennis Giese, who attempted to establish contact with the company as early as 2021 but failed to get a reliable response.

Giese reported the vulnerability to the US cybersecurity agency CISA (Cybersecurity and Infrastructure Security Agency), which reproduced the exploit and rated it as having "low attack complexity" in an alert published last week. In practice, this means the attack is not difficult for an attacker to pull off.

The security flaw, an improperly configured check of server security certificates in the app, allows whoever controls the network the phone is connected to (a network administrator, for example) to pretend to be Dreame's own servers and intercept user data. Captured communications may include user credentials and sensitive session tokens, according to CISA's advisory note.

Dreame Technology did not respond to CISA's request for coordination, but the ABC was able to verify the exploit by connecting a smartphone to a wi-fi network set up by Giese. The researcher was able to intercept our password when we logged into the Dreame app.
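The two paragraphs above describe the defect class and how the ABC's test reproduced it: an app that does not properly validate the server's certificate will complete a TLS handshake with any server the network operator points it at. The following is an added example, not code from the article, from Dreame or from CISA, showing the check a reviewer would run against a client's TLS configuration. It is written in Go with only the standard library, mints a throwaway self-signed certificate in process, starts a loopback server that presents it, and reports whether a given client configuration accepts that server. The hostname `api.example.invalid` is constructed for the demonstration and is not one of Dreame's real hosts; the function and variable names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed hostname for the demonstration; the article does not name
// Dreame's real API hosts and this is not one of them.
const demoHost = "api.example.invalid"

// WeakClientConfig reproduces the defect class in the article: certificate
// checking is switched off, so any server presenting any certificate is
// accepted, including one run by whoever controls the wi-fi network.
func WeakClientConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// HardenedClientConfig leaves Go's default chain and hostname verification on.
func HardenedClientConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

// selfSignedCert mints a throwaway certificate for host. It stands in both
// for an impostor's certificate and for a genuine server's certificate.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serve listens on loopback with cert and drives the TLS handshake for each
// incoming connection until the listener is closed.
func serve(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					tc.Handshake() // an error here just means the client rejected us
				}
			}(c)
		}
	}()
	return ln, nil
}

// HandshakeAccepted starts a loopback server with a fresh certificate for
// demoHost and reports whether a client using cfg completes the handshake.
// trustServer=false: the server is an impostor the app has never seen.
// trustServer=true: its certificate is installed as a trusted root first,
// standing in for the genuine backend the app is meant to reach.
func HandshakeAccepted(cfg *tls.Config, trustServer bool) (bool, error) {
	cert, err := selfSignedCert(demoHost)
	if err != nil {
		return false, err
	}
	ln, err := serve(cert)
	if err != nil {
		return false, err
	}
	defer ln.Close()

	cfg = cfg.Clone()
	cfg.ServerName = demoHost // the host the app believes it is talking to
	if trustServer {
		leaf, err := x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return false, err
		}
		pool := x509.NewCertPool()
		pool.AddCert(leaf)
		cfg.RootCAs = pool
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false, nil // handshake refused: the client rejected the server
	}
	conn.Close()
	return true, nil
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakClientConfig(), "hardened": HardenedClientConfig()} {
		impostor, err := HandshakeAccepted(cfg, false)
		if err != nil {
			fmt.Println(name, "setup error:", err)
			continue
		}
		genuine, _ := HandshakeAccepted(cfg, true)
		fmt.Printf("%-8s accepts impostor: %-5v accepts genuine: %v\n", name, impostor, genuine)
	}
}
```

Run as-is, the weak configuration accepts both servers, which is the condition the article describes: the app cannot tell the network operator's server from Dreame's. The hardened configuration rejects the impostor and accepts only the server whose certificate it trusts. A check of this shape belongs in an app's test suite, since it fails loudly the moment someone disables verification to work around a certificate problem in development.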

Although Dreame's robot vacuum cleaners were certified as secure by multinational testing company TÜV SÜD, which performed professional security tests and document reviews on them, it appears that the app itself was not thoroughly tested. TÜV SÜD did not respond to our questions about this certification process.

This vulnerability is the second one to hit a major home robotics company in as many years, increasing scrutiny on Australia's plans to launch a cybersecurity rating scheme for smart devices. The scheme aims to allow Australians to make more informed decisions about the security of devices they buy.

Australia will implement its own cybersecurity labelling scheme in 2027, which will rate devices based on their cybersecurity protections. However, experts warn that current security standards may provide a "false sense of security" and that extra requirements are needed for device testing, including robust vulnerability testing and disclosure.

"Companies in today's economy win by being first to market, not necessarily by building the most secure product," says Viden Labs CEO Anthony Barnes. The current security standards cover only three of the 13 baseline security controls in the ETSI EN 303 645 standard, a level of coverage that is not effective at identifying security vulnerabilities.

Industry leader Frank Zeichner adds that while there is international momentum behind the ETSI standard, manufacturers will likely ignore it. The co-design process for Australia's scheme may cover only the devices themselves, not the apps that connect to them, so a flaw like the Dreame vulnerability would not have been caught.
