DJI Pays $30K After Security Flaw Gave Control of 7,000 Robot Vacuums
A software engineer’s attempt to connect a PlayStation 5 controller to his new DJI Romo robot vacuum inadvertently exposed a significant security vulnerability, granting him access to a network of approximately 7,000 devices worldwide. The incident, initially reported in February, has now resulted in DJI rewarding the researcher, Sammy Azdoufal, with $30,000.
From Gamepad to Global Access
Azdoufal, head of AI at a vacation property management company, used the AI coding assistant Claude Code to reverse-engineer the communication between his Romo and DJI’s servers. What began as a personal project quickly revealed a startling flaw: he wasn’t just controlling his own robot vacuum. He had access to live camera feeds, microphone audio, and mapping data from thousands of other Romo devices across 24 countries.
DJI’s Response and the Bug Bounty
DJI initially stated it was addressing the vulnerabilities, but questions remained about whether Azdoufal would be compensated for his discovery, particularly given the company’s past issues with security researchers. The company has now confirmed it has “rewarded” an unnamed security researcher – confirmed to be Azdoufal – for their work. While DJI hasn’t specified which vulnerability earned the $30,000, it has addressed the issue that allowed access to video streams without a PIN code, resolving it by late February.
Ongoing Security Concerns
Yet, the initial vulnerability that prompted widespread concern remains under investigation. DJI states it is working on a fix and anticipates full implementation within a month. The company maintains it discovered the original issue independently, while also acknowledging the contributions of “two independent security researchers.”
The Broader Implications for IoT Security
This incident highlights the growing security risks associated with the proliferation of Internet of Things (IoT) devices. The ease with which Azdoufal gained access to thousands of devices raises serious questions about the security standards of connected home technology. DJI claims the Romo already has ETSI, EU, and UL certifications for security, but this case demonstrates that certifications alone may not be sufficient to prevent vulnerabilities.
The Rise of Accidental Hackers
Azdoufal’s story isn’t unique. The increasing accessibility of AI tools like Claude Code empowers individuals to explore and potentially uncover vulnerabilities in complex systems. This trend suggests a future where “accidental hackers” – individuals without malicious intent – play a crucial role in identifying and addressing security flaws.
Pro Tip: Secure Your Smart Home
Change default passwords immediately. Many IoT devices ship with easily guessable default credentials, and replacing them is the first line of defense.
What’s Next for DJI and IoT Security?
DJI has pledged to deepen its engagement with the security research community and introduce new partnership opportunities. This is a positive step, but the incident underscores the need for proactive security measures throughout the entire IoT ecosystem. Manufacturers must prioritize security by design, conduct rigorous testing, and provide ongoing updates to address emerging threats.
Did you know?
Sammy Azdoufal didn’t intentionally set out to hack 7,000 robot vacuums. His initial goal was simply to connect a gaming controller to his new device.
FAQ
Q: What is the DJI Romo?
A: The DJI Romo is a robot vacuum cleaner manufactured by DJI.
Q: How did Sammy Azdoufal gain access to the devices?
A: He used an AI coding assistant to reverse-engineer the communication between his Romo and DJI’s servers.
Q: How much money did DJI pay Azdoufal?
A: DJI paid Azdoufal $30,000.
Q: Is my robot vacuum secure?
A: This incident highlights the importance of securing all IoT devices. Change default passwords and keep firmware updated.
Q: What is DJI doing to fix the problem?
A: DJI has addressed the PIN code vulnerability and is working on a fix for the more significant security flaw, expecting completion within a month.
Want to learn more about IoT security best practices? Read The Verge’s original report on the DJI Romo hack.
