DJI will pay $30K to the man who accidentally hacked 7,000 Romo
DJI will pay security researcher Sammy Azdoufal $30,000 for discovering critical vulnerabilities in its Romo robot vacuums. Azdoufal accidentally accessed a network of 7,000 Romo devices, exposing privacy risks including PIN-less video access. While some issues are patched, a more severe vulnerability is still being addressed, with full system upgrades expected within a month.

DJI, the prominent drone manufacturer, has agreed to pay security researcher Sammy Azdoufal $30,000 for identifying critical vulnerabilities in its Romo robot vacuum cleaners. The payout follows Azdoufal's accidental discovery around Valentine's Day, where he gained access to a vast network of 7,000 remote-control Romo devices, exposing potential privacy risks by allowing unauthorized viewing into people’s homes. This development provides some clarity after initial uncertainty regarding DJI's response to the disclosure and its commitment to rewarding ethical hacking.
The Discovery and Initial Fallout
Azdoufal's journey began with a simple attempt to control his own DJI Romo robovac using a PlayStation gamepad. This innocuous experiment quickly escalated when he inadvertently stumbled upon an entire network of 7,000 Romo units, all seemingly accessible. His findings, later shared with The Verge, highlighted significant security gaps that could permit an outsider to "peek into other people’s homes" through the devices' cameras.
While DJI had reportedly begun addressing some security flaws even before Azdoufal's public disclosure, the extent of his access underscored the severity of the unpatched vulnerabilities. The situation drew comparisons to DJI's contentious interactions with security researcher Kevin Finisterre in 2017, casting doubt on whether Azdoufal would receive recognition or compensation for his work.
DJI's Response and the $30,000 Reward
Today, those questions have been partially answered. Azdoufal confirmed to The Verge that DJI would pay him $30,000, though the company did not specify which particular discovery the payment pertained to. DJI, while not publicly naming Azdoufal, confirmed it had "rewarded" an unnamed security researcher for their contributions.
The company also stated it has already tackled one of the major vulnerabilities Azdoufal identified: the ability for a user to view a Romo video stream without needing a security PIN. A statement from DJI spokesperson Daisy Kong noted, "We can confirm that the PIN code security observation was addressed by late February," indicating swift action on that specific flaw.
Addressing the Vulnerabilities: A Mixed Message
Concerns remain about an even more severe vulnerability, which The Verge initially deemed too sensitive to describe in its original report. DJI assured The Verge that this issue is also being actively addressed. "We have also started upgrading the entire system. This includes a series of updates, which we anticipate will be fully implemented within one month," DJI stated.
However, a public blog post published by DJI today regarding Romo security presented a slightly different picture. In the post, DJI claimed it discovered the original issue itself, while simultaneously crediting "two independent security researchers" for finding the same problem. The blog post also suggested a more immediate resolution, stating, "Updates have been deployed to fully resolve the issue," a claim that seemingly contradicts DJI's earlier projection to The Verge that full implementation could take another month.
The discrepancy raises questions about the timeline for a complete security overhaul of the Romo system. Furthermore, the blog post highlighted that the Romo already holds ETSI, EU, and UL security certifications. That Azdoufal was able to reach thousands of devices with relative ease, reportedly with the help of what the original article described as "Claude Code," might lead consumers to question how much practical assurance such certifications provide.
Implications and Future Commitments
Despite the ongoing work, DJI reiterated its commitment to enhancing device security. The company pledged to continue testing, patching, and submitting the Romo and its associated app to independent third-party security audits. In a move to foster better relations with the security community, DJI also announced its intent to "deepen our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us."
This incident underscores the complex balance between innovation in connected devices and ensuring robust user privacy and security. While the payment to Azdoufal signals a positive step towards recognizing ethical hacking, the ongoing work to fully patch all vulnerabilities and the mixed messaging surrounding their resolution highlight the challenges inherent in securing a vast network of smart home devices.
FAQ
Q: Who is Sammy Azdoufal?
A: Sammy Azdoufal is the security researcher who, while attempting to control his own DJI Romo robot vacuum, accidentally discovered a network of 7,000 accessible Romo devices, revealing significant security vulnerabilities.
Q: What was the primary vulnerability Azdoufal discovered?
A: Azdoufal's initial discovery was the ability to access a large network of Romo robovacs, including viewing live video streams without requiring a security PIN. A more severe vulnerability, not fully described publicly, is also being addressed.
Q: Has DJI fully resolved all identified security issues?
A: DJI states that the vulnerability allowing PIN-less video stream viewing was addressed by late February. For a more critical, undisclosed vulnerability, DJI is implementing an "entire system upgrade" expected to be fully deployed within one month. However, there are discrepancies between public blog posts and statements to The Verge regarding the timeline for complete resolution.