DJI will pay $30K to the man who accidentally hacked 7,000 Romo
DJI will pay security researcher Sammy Azdoufal $30,000 for discovering critical vulnerabilities in its Romo robot vacuums. Azdoufal accidentally accessed a network of 7,000 Romo devices, exposing privacy risks including PIN-less video access. While some issues are patched, a more severe vulnerability is still being addressed, with full system upgrades expected within a month.

DJI, the prominent drone manufacturer, has agreed to pay security researcher Sammy Azdoufal $30,000 for identifying critical vulnerabilities in its Romo robot vacuum cleaners. The payout follows Azdoufal's accidental discovery around Valentine's Day, when he gained access to a network of 7,000 remote-controllable Romo devices, exposing potential privacy risks by allowing unauthorized viewing into people's homes. This development provides some clarity after initial uncertainty regarding DJI's response to the disclosure and its commitment to rewarding ethical hacking.
The Discovery and Initial Fallout
Azdoufal's journey began with a simple attempt to control his own DJI Romo robovac using a PlayStation gamepad. This innocuous experiment quickly escalated when he inadvertently stumbled upon an entire network of 7,000 Romo units, all seemingly accessible. His findings, later shared with The Verge, highlighted significant security gaps that could permit an outsider to "peek into other people’s homes" through the devices' cameras.
While DJI had reportedly begun addressing some security flaws even before Azdoufal's public disclosure, the extent of his access underscored the severity of the unpatched vulnerabilities. The situation drew comparisons to DJI's contentious interactions with security researcher Kevin Finisterre in 2017, casting doubt on whether Azdoufal would receive recognition or compensation for his work.
DJI's Response and the $30,000 Reward
Today, those questions have been partially answered. Azdoufal confirmed to The Verge that DJI would pay him $30,000, though the company did not specify which particular discovery the payment pertained to. DJI, while not publicly naming Azdoufal, confirmed it had "rewarded" an unnamed security researcher for their contributions.
The company also stated it has already tackled one of the major vulnerabilities Azdoufal identified: the ability for a user to view a Romo video stream without needing a security PIN. A statement from DJI spokesperson Daisy Kong noted, "We can confirm that the PIN code security observation was addressed by late February," indicating swift action on that specific flaw.
Addressing the Vulnerabilities: A Mixed Message
Concerns remain about an even more severe vulnerability, which The Verge initially deemed too sensitive to describe in its original report. DJI assured The Verge that this issue is also being actively addressed. "We have also started upgrading the entire system. This includes a series of updates, which we anticipate will be fully implemented within one month," DJI stated.
However, a public blog post published by DJI today regarding Romo security presented a slightly different picture. In the post, DJI claimed it discovered the original issue itself, while simultaneously crediting "two independent security researchers" for finding the same problem. The blog post also suggested a more immediate resolution, stating, "Updates have been deployed to fully resolve the issue," a claim that seemingly contradicts DJI's earlier projection to The Verge that full implementation could take another month.
The discrepancy raises questions about the timeline for a complete security overhaul of the Romo system. Furthermore, the blog post highlighted that the Romo already holds ETSI, EU, and UL certifications for security. Azdoufal's ability to access thousands of devices with relative ease, using what the original article described as "Claude Code," might lead consumers to question the practical efficacy of such certifications.
Implications and Future Commitments
Despite the ongoing work, DJI reiterated its commitment to enhancing device security. The company pledged to continue testing, patching, and submitting the Romo and its associated app to independent third-party security audits. In a move to foster better relations with the security community, DJI also announced its intent to "deepen our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us."
This incident underscores the complex balance between innovation in connected devices and ensuring robust user privacy and security. While the payment to Azdoufal signals a positive step towards recognizing ethical hacking, the ongoing work to fully patch all vulnerabilities and the mixed messaging surrounding their resolution highlight the challenges inherent in securing a vast network of smart home devices.
FAQ
Q: Who is Sammy Azdoufal?
A: Sammy Azdoufal is the security researcher who, while attempting to control his own DJI Romo robot vacuum, accidentally discovered a network of 7,000 accessible Romo devices, revealing significant security vulnerabilities.
Q: What was the primary vulnerability Azdoufal discovered?
A: Azdoufal's initial discovery was the ability to access a large network of Romo robovacs, including viewing live video streams without requiring a security PIN. A more severe vulnerability, not fully described publicly, is also being addressed.
Q: Has DJI fully resolved all identified security issues?
A: DJI states that the vulnerability allowing PIN-less video stream viewing was addressed by late February. For a more critical, undisclosed vulnerability, DJI is implementing an "entire system upgrade" expected to be fully deployed within one month. However, there are discrepancies between public blog posts and statements to The Verge regarding the timeline for complete resolution.