DJI will pay $30K to the man who accidentally hacked 7,000 Romo
DJI will pay security researcher Sammy Azdoufal $30,000 for discovering critical vulnerabilities in its Romo robot vacuums. Azdoufal accidentally accessed a network of 7,000 Romo devices, exposing privacy risks including PIN-less video access. While some issues are patched, a more severe vulnerability is still being addressed, with full system upgrades expected within a month.

DJI, the prominent drone manufacturer, has agreed to pay security researcher Sammy Azdoufal $30,000 for identifying critical vulnerabilities in its Romo robot vacuum cleaners. The payout follows Azdoufal's accidental discovery around Valentine's Day, where he gained access to a vast network of 7,000 remote-control Romo devices, exposing potential privacy risks by allowing unauthorized viewing into people’s homes. This development provides some clarity after initial uncertainty regarding DJI's response to the disclosure and its commitment to rewarding ethical hacking.
The Discovery and Initial Fallout
Azdoufal's journey began with a simple attempt to control his own DJI Romo robovac using a PlayStation gamepad. This innocuous experiment quickly escalated when he inadvertently stumbled upon an entire network of 7,000 Romo units, all seemingly accessible. His findings, later shared with The Verge, highlighted significant security gaps that could permit an outsider to "peek into other people’s homes" through the devices' cameras.
While DJI had reportedly begun addressing some security flaws even before Azdoufal's public disclosure, the extent of his access underscored the severity of the unpatched vulnerabilities. The situation drew comparisons to DJI's contentious interactions with security researcher Kevin Finisterre in 2017, casting doubt on whether Azdoufal would receive recognition or compensation for his work.
DJI's Response and the $30,000 Reward
Today, those questions have been partially answered. Azdoufal confirmed to The Verge that DJI would pay him $30,000, though the company did not specify which particular discovery the payment pertained to. DJI, while not publicly naming Azdoufal, confirmed it had "rewarded" an unnamed security researcher for their contributions.
The company also stated it has already tackled one of the major vulnerabilities Azdoufal identified: the ability for a user to view a Romo video stream without needing a security PIN. A statement from DJI spokesperson Daisy Kong noted, "We can confirm that the PIN code security observation was addressed by late February," indicating swift action on that specific flaw.
Addressing the Vulnerabilities: A Mixed Message
Concerns remain about an even more severe vulnerability, which The Verge initially deemed too sensitive to describe in its original report. DJI assured The Verge that this issue is also being actively addressed. "We have also started upgrading the entire system. This includes a series of updates, which we anticipate will be fully implemented within one month," DJI stated.
However, a public blog post published by DJI today regarding Romo security presented a slightly different picture. In the post, DJI claimed it discovered the original issue itself, while simultaneously crediting "two independent security researchers" for finding the same problem. The blog post also suggested a more immediate resolution, stating, "Updates have been deployed to fully resolve the issue," a claim that seemingly contradicts DJI's earlier projection to The Verge that full implementation could take another month.
The discrepancy raises questions about the timeline for a complete security overhaul of the Romo system. Furthermore, the blog post highlighted that the Romo already holds ETSI, EU, and UL security certifications. That Azdoufal was able to reach thousands of devices with relative ease, reportedly with the help of Claude Code as the original article noted, may lead consumers to question the practical value of such certifications.
Implications and Future Commitments
Despite the ongoing work, DJI reiterated its commitment to enhancing device security. The company pledged to continue testing, patching, and submitting the Romo and its associated app to independent third-party security audits. In a move to foster better relations with the security community, DJI also announced its intent to "deepen our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us."
This incident underscores the complex balance between innovation in connected devices and ensuring robust user privacy and security. While the payment to Azdoufal signals a positive step towards recognizing ethical hacking, the ongoing work to fully patch all vulnerabilities and the mixed messaging surrounding their resolution highlight the challenges inherent in securing a vast network of smart home devices.
FAQ
Q: Who is Sammy Azdoufal?
A: Sammy Azdoufal is the security researcher who, while attempting to control his own DJI Romo robot vacuum, accidentally discovered a network of 7,000 accessible Romo devices, revealing significant security vulnerabilities.
Q: What was the primary vulnerability Azdoufal discovered?
A: Azdoufal's initial discovery was the ability to access a large network of Romo robovacs, including viewing live video streams without requiring a security PIN. A more severe vulnerability, not fully described publicly, is also being addressed.
Q: Has DJI fully resolved all identified security issues?
A: DJI states that the vulnerability allowing PIN-less video stream viewing was addressed by late February. For a more critical, undisclosed vulnerability, DJI is implementing an "entire system upgrade" expected to be fully deployed within one month. However, there are discrepancies between public blog posts and statements to The Verge regarding the timeline for complete resolution.