Two vulnerabilities have surfaced in Dongguan Diqee 360 smart vacuum cleaners that could allow an attacker to spy on its owner and take over the vacuum. The first vulnerability CVE-2018-10987 can be exploited remotely. All Diqee 360 devices are created with the same default admin password 888888. Very few users actually change this, which makes it easier for an attacker to integrate it into their exploit chain. This could allow an attacker to take over the camera and see inside houses or offices and control the vacuum. The second vulnerability CVE-2018-10988 requires physical access and could allow an attacker to replace the firmware with a malicious version. This can be done by inserting a microSD card into the 360 vacuum. Researchers warn that these two vulnerabilities could possibly affect other Dongguan devices which include surveillance cameras, smart doorbells, and DVR’s that run the same vulnerable code.