
All that software engineer Sammy Azdoufal ever wanted was to connect his DJI robot vacuum cleaner to a PlayStation 5 controller. What actually happened was that he discovered a way to access a network of 7,000 remote-control DJI robots, enabling him to peek into other people’s homes. For this, he was rewarded $30,000 by DJI.
- The vulnerability could have allowed access to live video feeds and real-time mapping data inside people's homes.
- The drone giant rewarded the researcher for his findings and says it had already started patching the issue before it went public.
- DJI says the fix has been rolled out automatically and is urging users to trust that security remains a top priority, though the incident is sure to raise eyebrows about smart home device safety.
Last month, Azdoufal tried to find a way to remotely control his DJI Romo vacuum with a PS5 controller. Instead, his remote control app began communicating with DJI’s servers. That’s how he, by accident, got access to approximately 7,000 robot vacuum cleaners, located all over the world.
The software engineer wasn’t just able to control them remotely: he could also view the live feed from their cameras, watch them map the rooms of a house, and use each robot vacuum’s IP address to locate it.
Azdoufal told The Verge all about the incident, which then went viral. He didn’t even have to hack into DJI’s servers to remotely control other people’s robot vacuums.
“I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” he told the tech site.
DJI had already begun addressing some of the related vulnerabilities before Azdoufal publicly shared his discovery. Nevertheless, the company has paid him $30,000 for his findings, he wrote in an email to The Verge.
Recently, DJI published a blog post about strengthening the DJI Romo’s security, emphasizing that the company found out about the issue in the DJI Home app. In addition, the manufacturer credits “two independent security researchers” for simultaneously reporting the vulnerability through the company’s bug bounty program.
According to DJI, updates resolving the issue have already been deployed, and no user action is required. It also says that there’s no evidence that any user data was misused.
“Our customers place trust in our technology, and we do not take that lightly. We want to take this opportunity to reiterate to our user community that we will continue to invest in the strengthening of our products’ security across our existing programs. Security is a never-ending process, and we will continue to share developments along the way,” DJI concluded.