One Hacked Shark Robot Vacuum Can Hand an Attacker the Keys to Every Shark Vacuum in the Region
A researcher pulled a security key off a $500 robot vacuum and used it to run commands on other people's Shark vacuums, including reading their Wi-Fi passwords in plaintext.

Key points
- A researcher known as tokay0 published a method on Monday showing how a single Shark RV2320EDUS robot vacuum can be used to control other Shark vacuums across the same Amazon cloud region.
- The attack lets someone watch the robot's camera, drive it around a stranger's home, download the map of the house, and read the Wi-Fi password in plaintext.
- The key that unlocks this access, a digital certificate, sits on the vacuum's memory chip and can be pulled off with physical access to one device.
- Shark's parent company SharkNinja has not issued a public fix at the time of writing.
A security researcher has shown that owning one Shark robot vacuum is enough to poke around inside other people's Shark vacuums, provided they sit in the same Amazon cloud region.
The researcher, who publishes under the handle tokay0, put the write-up online on Monday. The finding was surfaced by The Hacker News.
The target is the Shark RV2320EDUS, a mid-range robot vacuum with a camera and a companion app. Tokay0 bought one, opened it up, and read the contents of its flash memory, the small chip inside the device that stores its software and secrets.
On that chip sat a digital certificate. Think of a certificate as an ID card the vacuum shows to Shark's cloud servers to prove it is a genuine Shark device. The problem: this ID card is not unique to one vacuum. It works for the whole fleet.
How bad is this for ordinary Shark owners?
Bad, if a determined person with one vacuum decides to go looking. Once tokay0 had that certificate, he could talk directly to the Amazon Web Services (AWS) backend that Shark uses to manage its vacuums. AWS is the cloud platform, run by Amazon, that hosts the servers Shark's app relies on.
From there, according to the writeup, an attacker can send root commands to other vacuums in the same AWS region. Root means full administrator control, the highest level of access a device offers.
That control includes:
- Turning on the camera and watching the live feed inside someone's home.
- Driving the vacuum around the house on demand.
- Pulling the stored map the vacuum has built of the property's floor plan.
- Reading the home Wi-Fi network name and password, stored on the device without encryption.
The Wi-Fi credential exposure is the sharpest edge here. Once someone has your Wi-Fi password, they are inside your home network, next to your laptop, your smart TV, and anything else you have connected.
Tokay0 says he tested the technique only against vacuums he owned, which is the responsible way to do this work. But the underlying flaw, a shared certificate baked into the hardware, is not a bug he introduced. It is a design choice by the manufacturer.
What has Shark said?
At the time of writing, SharkNinja, the company behind the Shark brand, has not published a security advisory or issued a firmware update to address the report. Threat Vectr will update this piece if that changes.
Because the credential is embedded in the hardware and reused across devices, a fix is not a small matter. SharkNinja would need to rotate the certificate, push new firmware to every affected vacuum, and change how its cloud verifies devices.
Regulators may take an interest. The U.S. Federal Trade Commission has warned smart-home manufacturers repeatedly about storing Wi-Fi passwords in plaintext and about weak device authentication. In the UK, the Product Security and Telecommunications Infrastructure Act (PSTI) already bans shipping consumer devices with shared or default credentials.
What should Shark vacuum owners do?
A few practical steps, no panic required.
- If your Shark robot has a camera and you are not using it, put a small piece of tape over the lens.
- Change your home Wi-Fi password after removing the vacuum from the app, then re-add it. This will not fix the underlying flaw, but it invalidates any password an attacker may have already pulled.
- Put smart home gadgets on a separate guest Wi-Fi network so they cannot see your laptop or phone.
- Watch SharkNinja's support page for a firmware update and install it as soon as one appears.



