It started with something simple: a man, a PlayStation controller, and a robot vacuum. What happened next turned into one of the more unusual cybersecurity stories in the smart home world.
While experimenting with ways to control his DJI Romo robot vacuum using a gamepad, security enthusiast Sammy Azdoufal stumbled onto something far bigger than expected. Instead of just steering his own device, he uncovered access to a massive network of roughly 7,000 internet‑connected DJI robot vacuums. In theory, the system could allow someone to remotely view video feeds captured by those devices inside private homes.
The discovery quickly caught attention across the tech industry. Smart home devices already sit at the center of personal spaces, and the idea that thousands of them might be reachable through a security gap raised serious questions about connected hardware safety.
A Bug Worth $30,000
DJI has now confirmed that Azdoufal will receive a $30,000 reward for one of the vulnerabilities he reported. The company did not specify exactly which issue earned the payout, and it has not publicly identified the researcher by name. However, Azdoufal shared an email indicating that DJI recognized his work and issued the reward through its security program.
According to DJI spokesperson Daisy Kong, one of the problems Azdoufal highlighted involved accessing a Romo robot’s video stream without entering the required security PIN. The company says that particular flaw was fixed by late February.
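The article does not describe how the PIN check was bypassed, only that the stream could be reached without the PIN. The flaw class it names, a gate that exists in the app flow but is not enforced by the service that actually hands out the stream, is common enough that it is worth showing the difference in code. The following is an added illustration written for this page, not DJI's code and not a reconstruction of the Romo bug: the device IDs, PINs and stream URLs are constructed sample data, and the two handlers are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the example (not real devices, PINs or hosts).
# A short numeric PIN is brute-forceable offline under any hash, so the
# protection below comes from server-side enforcement and lockout, not hashing.
DEVICE_PINS = {
    "romo-0001": hashlib.sha256(b"4821").hexdigest(),
    "romo-0002": hashlib.sha256(b"9913").hexdigest(),
}
STREAMS = {
    "romo-0001": "rtsp://stream-host.invalid/romo-0001",
    "romo-0002": "rtsp://stream-host.invalid/romo-0002",
}


def get_stream_vulnerable(device_id, pin_verified):
    """Vulnerable shape: the PIN is checked only in the app's UI, and the
    backend trusts a client-supplied flag. Anyone calling the endpoint
    directly from a script simply sends pin_verified=True."""
    if device_id not in STREAMS or not pin_verified:
        return None
    return STREAMS[device_id]


class StreamGateway:
    """Hardened shape: the backend verifies the PIN itself, rate-limits
    guesses per device, and releases the stream only for a short-lived,
    HMAC-signed token bound to that device."""

    def __init__(self, max_attempts=5, token_ttl=300):
        self._key = secrets.token_bytes(32)   # per-process signing key
        self._attempts = {}                    # device_id -> failed guesses
        self._max_attempts = max_attempts
        self._ttl = token_ttl

    def _sign(self, device_id, expiry):
        msg = f"{device_id}:{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def unlock(self, device_id, pin, now=None):
        """Return a signed token if the PIN is correct, else None."""
        now = time.time() if now is None else now
        if device_id not in DEVICE_PINS:
            return None
        if self._attempts.get(device_id, 0) >= self._max_attempts:
            return None  # locked out after too many wrong guesses
        supplied = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(DEVICE_PINS[device_id], supplied):
            self._attempts[device_id] = self._attempts.get(device_id, 0) + 1
            return None
        self._attempts[device_id] = 0
        expiry = int(now) + self._ttl
        return f"{device_id}:{expiry}:{self._sign(device_id, expiry)}"

    def get_stream(self, device_id, token, now=None):
        """Release the stream URL only for a valid, unexpired token that was
        issued for this exact device."""
        now = time.time() if now is None else now
        try:
            tok_dev, tok_exp, tok_sig = token.split(":")
            tok_exp = int(tok_exp)
        except (ValueError, AttributeError):
            return None
        if tok_dev != device_id or tok_exp < now:
            return None
        if not hmac.compare_digest(tok_sig, self._sign(device_id, tok_exp)):
            return None
        return STREAMS.get(device_id)


if __name__ == "__main__":
    # A direct caller bypasses the vulnerable gate by asserting the flag itself.
    print(get_stream_vulnerable("romo-0001", pin_verified=True))
    gw = StreamGateway()
    print(gw.get_stream("romo-0001", "romo-0001:9999999999:forged"))  # None
    tok = gw.unlock("romo-0001", "4821")
    print(gw.get_stream("romo-0001", tok))
```

The test a reviewer would run against any "PIN-protected" stream is the first call above: hit the stream endpoint directly with the PIN step skipped and see whether the service itself refuses. The token binding to the device ID matters as well, because a gate that accepts any valid token for any device turns one owned vacuum into access to the whole fleet.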
That wasn’t the only concern. Some of the vulnerabilities uncovered during the investigation were serious enough that journalists initially chose not to publish full technical details, fearing they could be exploited before fixes were available. DJI now says broader upgrades to the Romo system are underway, with a series of updates expected to roll out over the course of roughly a month.
In parallel with the fixes, the company published a blog post outlining changes to the platform’s security architecture. DJI says updates have been deployed to resolve the primary issue and that additional improvements are still being implemented across the system.
The blog also notes that the Romo platform already carries security certifications from organizations including ETSI, the European Union, and UL. For some observers, that claim raises an uncomfortable question: if a single independent researcher experimenting with code could access thousands of devices, how reliable are those certification processes when it comes to real‑world vulnerabilities? Part of the answer is that consumer IoT certification schemes generally assess a product against a baseline checklist (such as no default passwords, a disclosure process, and update support) at a point in time; they are not a substitute for adversarial testing of the device, its app and the services they talk to, and passing one says little about whether a specific access check was actually enforced.
DJI says the incident reinforces the importance of outside scrutiny. The company plans to continue security testing and has committed to submitting both the Romo hardware and its companion app to additional independent third‑party audits.
More notably, the company signaled a shift in how it works with the cybersecurity community. DJI says it intends to deepen collaboration with researchers and introduce new ways for independent experts to report findings and work alongside the company.
For Azdoufal, the episode is a reminder of how many surprises still lurk inside everyday connected devices. A weekend experiment with a game controller ended up revealing weaknesses across thousands of smart home machines — and earned him a $30,000 bug bounty along the way.
Source: theverge
Comments
Reza
Wait, 7000 devices reachable and audits still passed? If that's true, those certs are kinda pointless. $30k cool, but privacy??
mechbyte
Wow... a gamepad and a vacuum exposed 7k cams? That's wild, scary, brilliant all at once. Certs look weak lol