A software engineer, Sammy Azdoufal, discovered a critical vulnerability in DJI's cloud backend while attempting to control his robot vacuum with a PS5 controller. The flaw granted him unauthorized access to approximately 7,000 robot vacuums across 24 countries, including their live camera feeds, audio, and home floor plans.
DJI has paid the researcher a $30,000 bounty for the discovery, though the company states it had already begun fixing related weaknesses before his report. The incident highlights significant security concerns regarding IoT devices and cloud infrastructure, as well as questions about DJI's vulnerability disclosure and patching timeline.
The main topics covered are the security vulnerability in DJI's cloud system, the unauthorized access to a fleet of robot vacuums, the bug bounty reward, and the timeline and disputes around the vulnerability's discovery and patching.
Engineer receives $30,000 for exposing a vulnerability affecting 7,000 robot vacuum cleaners — tinkerer just wanted to drive his robot vacuum with a PS5 controller
$4.2 per unit? Or is this more about reputation?
DJI will pay $30,000 to a man who discovered a critical vulnerability in the company's cloud backend that, among other things, granted him access to a fleet of some 7,000 robot vacuum cleaners and gave him a glimpse into other people's homes, reports The Verge. The company reportedly sent Sammy Azdoufal, a software engineer who wanted to drive his DJI Romo robot vacuum with a PS5 controller, an email notifying him of the reward, but did not elaborate on the reasons behind it.
DJI insists that it had already started fixing several weaknesses in its backend systems before Azdoufal demonstrated the scale of access he had uncovered, yet questions remain about the reward and patching. According to an email he shared with The Verge, DJI agreed to pay him $30,000 for one of his discoveries, though the company did not clarify which specific discovery is eligible for the reward. DJI confirmed that it had compensated an unnamed researcher, according to The Verge. Yet, the company's past dispute with researcher Kevin Finisterre in 2017 makes it unclear whether Azdoufal would be rewarded at all and how quickly the DJI backend holes will be patched.
It all started earlier this year, when Sammy Azdoufal wanted to control his robotic hoover with something more convenient than a smartphone screen. To control his DJI Romo using his PS5 gamepad, Azdoufal had to develop a custom controller app that used his security token to prove to his vacuum cleaner that he was the owner of the device. To extract that token, he needed to reverse-engineer the authorization process against DJI's cloud servers, which he did with the assistance of an AI coding tool. As it turned out, instead of authorizing a single robot, DJI's backend granted broad access rights to some 7,000 robot vacuum cleaners located in 24 countries, along with their sensor data stored in the cloud.
The DJI Romo is an advanced robot vacuum cleaner that is equipped not only with the typical set of sensors found in any automatic hoover, but also with a camera and a microphone. As a result of the authorization flaw, Azdoufal gained access to 7,000 live camera feeds with audio and could even compile 2D floor plans of homes operated by other DJI Romos. The DJI backend was also generous enough to provide the software expert with the IP addresses of these homes, enabling him to guess their geographical locations.
Azdoufal insists he did not 'hack' anything as he simply encountered a flawed backend service that failed to properly limit device access. To his credit, Sammy Azdoufal chose to disclose the information rather than abuse it. Azdoufal alerted The Verge, which contacted DJI, which fixed the problem by mid-February.
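The flaw described above is a textbook case of authentication without authorization: the backend confirmed that the caller held a valid token, but never checked that the requested device belonged to that caller. The snippet below is an added, hypothetical illustration of that pattern and its fix; it is not DJI's code, and every user, token, device ID and floor-plan value in it is constructed for the example.

```python
"""Illustration of an authorization flaw of the kind the article describes:
a backend that authenticates the caller (valid token) but never checks that
the requested device belongs to that caller. Hypothetical code, not DJI's;
all users, tokens, device IDs and data values below are constructed."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request is rejected at either the authn or authz step."""


@dataclass
class Device:
    device_id: str
    owner: str
    floor_plan: str  # constructed placeholder for cloud-stored map data


# Constructed sample fleet: two owners, three devices.
DEVICES = {
    "romo-0001": Device("romo-0001", "alice", "plan-A"),
    "romo-0002": Device("romo-0002", "bob", "plan-B"),
    "romo-0003": Device("romo-0003", "bob", "plan-C"),
}

# Constructed token store: opaque bearer token -> user id.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token: str) -> str:
    """Resolve a bearer token to a user id. Authentication only."""
    try:
        return TOKENS[token]
    except KeyError:
        raise AccessDenied("invalid token") from None


def get_floor_plan_vulnerable(token: str, device_id: str) -> str:
    """Flawed pattern: any valid token unlocks any device.

    The caller is authenticated, but ownership of device_id is never
    checked, so one account can read the whole fleet's data."""
    authenticate(token)
    return DEVICES[device_id].floor_plan


def get_floor_plan_fixed(token: str, device_id: str) -> str:
    """Hardened pattern: object-level authorization.

    The device must be bound to the authenticated user before any data
    is returned. The same error is used for "no such device" and "not
    yours" so the endpoint does not reveal which device IDs exist."""
    user = authenticate(token)
    device = DEVICES.get(device_id)
    if device is None or device.owner != user:
        raise AccessDenied("device not found or not owned by caller")
    return device.floor_plan


def devices_visible_to(token: str, handler) -> list[str]:
    """Enumerate which devices a token can read through `handler`.

    Useful as a regression test for an API: for any single-owner token
    the result must equal exactly that owner's devices, never the fleet."""
    visible = []
    for device_id in DEVICES:
        try:
            handler(token, device_id)
            visible.append(device_id)
        except AccessDenied:
            pass
    return visible


if __name__ == "__main__":
    print("vulnerable:", devices_visible_to("tok-alice", get_floor_plan_vulnerable))
    print("fixed:     ", devices_visible_to("tok-alice", get_floor_plan_fixed))
```

`devices_visible_to` is the check worth keeping in a test suite: run it with a token for each account and assert that the visible set never exceeds that account's own devices. That single assertion would have caught the fleet-wide exposure the vulnerable handler exhibits.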
DJI then told Popular Science that it discovered the vulnerability during an internal review (so no credit was given to Sammy Azdoufal) in late January and quickly fixed it. Yet, according to the latest story by The Verge, the company now also credits two independent researchers with identifying the same problem, but does not elaborate.
Anyhow, according to media reports, the initial patch was deployed automatically on February 8, followed by a second update on February 10. That precedes The Verge's original story on February 14, but clearly follows Sammy Azdoufal's discovery, which was allegedly made earlier than February 8. DJI also said that no user action was required and added that additional security enhancements were underway, without disclosing any details.
Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.