DJI to Pay $30,000 for Robot Vacuum Security Flaw Discovery

DJI Awards $30,000 to Researcher for Exposing Robot Vacuum Security Vulnerabilities

Drone manufacturer DJI has officially confirmed that it will pay $30,000 to an individual who uncovered significant security flaws in the company's robot vacuum cleaners. This compensation follows the accidental discovery of vulnerabilities that enabled remote access to approximately 7,000 connected DJI devices, sparking serious concerns about user privacy and device security.

Discovery of the Flaw and Its Implications

The issue emerged when Sammy Azdoufal, while experimenting with controlling a DJI robot vacuum using a PlayStation gamepad, inadvertently found he could connect to a vast network of devices. According to a report by The Verge, this revelation exposed vulnerabilities that potentially allowed unauthorized remote access to the vacuums' cameras and controls, creating risks of privacy invasion by enabling outsiders to peek into users' homes.

DJI stated that it had already begun addressing some of these vulnerabilities before the discovery was publicly demonstrated. The company has now affirmed its commitment to rewarding Azdoufal for reporting the issue as it continues to work on patching the remaining security gaps.

DJI's Response and Compensation Details

In an email shared with The Verge, DJI spokesperson Daisy Kong confirmed the $30,000 payment to Sammy Azdoufal for a single discovery, though the specific vulnerability tied to the reward was not detailed. While the company did not name Azdoufal directly, it acknowledged rewarding an unnamed security researcher for their contributions. DJI also noted that it has already resolved an additional vulnerability identified by Azdoufal, which allowed viewing a DJI Romo video stream without requiring a security PIN.

"We can confirm that the PIN code security observation was addressed by late February," Kong wrote in DJI's statement. The company is actively working on fixing other related issues, with Kong adding, "We have also started upgrading the entire system. This includes a series of updates, which we anticipate will be fully implemented within one month."

Steps Taken to Enhance Security

In a blog post, DJI outlined measures to strengthen the security of its DJI Romo robot vacuum. The company maintained that it had originally identified the issue while also recognizing that two independent security researchers had found the same problem. Updates have been deployed to resolve the vulnerabilities, but addressing all of them may take up to another month.

DJI highlighted that the Romo already holds security certifications from ETSI, the EU, and UL. The company plans to continue testing and patching the device and will submit both the Romo and its app for independent third-party security audits. Additionally, DJI expressed its dedication to engaging more deeply with the security research community, promising to introduce new collaboration opportunities soon.

This incident underscores the ongoing challenges in IoT device security and DJI's proactive approach to addressing vulnerabilities through researcher partnerships and system upgrades.