In an eye-catching revelation, a security researcher named Sammy Azdoufal uncovered a vast security flaw in DJI’s Romo robotic vacuum system. While attempting to navigate his own robot vacuum with a PlayStation controller, Azdoufal discovered a network of approximately 7,000 remote-controlled DJI robots, inadvertently exposing privacy issues for countless users.
Initially, DJI had begun addressing vulnerabilities before Azdoufal brought this major issue to light. However, uncertainty lingered regarding whether he would receive compensation for his findings, especially considering the company’s controversial history with past security researchers.
As of now, DJI has confirmed that it will reward Azdoufal with $30,000 for one of his discoveries. While the company did not specify which exact issue prompted the payout, they acknowledged rewarding an unnamed researcher for their work.
In addition to the financial incentive, DJI informed us they have already patched a vulnerability that allowed unauthorized access to the video streams of Romo vacuums without the need for a security PIN. A DJI spokesperson reported that this security observation was effectively addressed by late February.
Yet, the conversation does not end there. A significant vulnerability previously hinted at by Azdoufal remains unresolved, though DJI indicates they are actively working on it. The company states that a series of updates aimed at enhancing the entire system will be implemented over the next month.
DJI has also released a public blog post detailing their commitment to improving Romo security. They assert that they identified the original issue independently, while crediting two external researchers for their findings.
Interestingly, DJI’s blog suggests they have resolved this issue but acknowledges that multiple vulnerabilities exist and that these could take up to a month to fully address.
Certifications for the Romo’s security, such as ETSI, EU, and UL, are raising eyebrows among stakeholders given the scope of the access issues unveiled by Azdoufal. The company has committed to ongoing testing, patching, and independent audits to fortify their products’ security.
In a bid to foster better relationships with the security research community, DJI plans to unveil new avenues for collaboration in the near future.
As the story continues to evolve, it highlights the critical importance of cybersecurity in consumer technology, making it clear that consistent oversight and cooperation with researchers are paramount for user safety.
