Shark’s cloud-connected robot vacuums are currently exposed by an unpatched AWS (Amazon Web Services) IoT (Internet of Things) policy flaw that could turn one compromised device into a remote-control skeleton key for many others in the same region, with access to cameras, maps, and Wi‑Fi passwords.
A researcher using the handle tokay0 took apart a Shark RV2320EDUS robot vacuum and found that its embedded AWS IoT certificate is allowed to publish and subscribe to topics for any Shark device in the same AWS Region, not just itself.
An AWS Region is a distinct geographical location where Amazon clusters its cloud data centers. Each AWS Region is completely isolated from the others. There are currently 39 AWS Regions worldwide.
By design, AWS provides per-device “shadows” that store state such as configuration and commands. However, Shark’s overly permissive Message Queuing Telemetry Transport (MQTT) policy lets a stolen certificate talk to other vacuums’ shadows as well.
Simply put, this means that each vacuum is supposed to have its own private “inbox” in the cloud. Because Shark’s cloud rules are too broad, a certificate stolen from one vacuum can also send commands to other vacuums’ inboxes.
While the certificate was extracted from the vacuum using physical access and a debug console, meaning the initial compromise requires hands‑on access, the subsequent abuse is remote and cloud‑based.
For owners, this is not just about someone starting your vacuum at 3:00 am. According to the researcher, an attacker with that cloud access could:
- Watch from the vacuum’s camera, turning it into a mobile surveillance device inside your home.
- Steal the Wi‑Fi password, which the researcher says is stored in plaintext, potentially giving them a foothold on your local network.
- Copy the vacuum’s map of your house, revealing room layouts and how frequently different areas are used.
We have seen before how “smart” vacuums can become privacy and safety risks when vendors cut corners on security. Malwarebytes Labs has covered how Ecovacs robot vacuums could be hijacked to play obscene messages and spy on users through their speakers and sensors, showing how quickly a helpful household appliance can become an unwanted house guest.
Using the certificate from his own vacuum, the researcher was able to monitor traffic from Shark devices in the same AWS Region and determine which ones supported remote command execution. During a 24‑hour period in a single AWS Region, the researcher observed 1,517,605 unique Shark serial numbers and observed 673,816 devices (about 44%) responded in a way that indicated support for the remote command execution feature.
The researcher wrote:
“It is difficult to estimate the exact number of affected devices and even more difficult to find which devices have these misconfigured certificates that allow cross-device publishing.”
But concluded that:
“A very large number of SharkNinja IoT devices are affected by this vulnerability.”
How to stay safe
The problem at the heart of this issue is a cloud-side policy that is not strict enough. That makes this a server-side problem, not a firmware bug you can patch yourself.
According to the researcher, SharkNinja has not fixed the vulnerability despite being notified more than six months ago. Until that changes, owners should:
- Put pressure on Shark to fix the issue.
- Disable remote control for the vacuum or disconnect it from Wi-Fi if you do not need its smart features.
- Watch for announcements from Shark about a fix, CVE, or recall.
Browse like no one’s watching.
Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free →




