Breakthroughs, discoveries, and DIY tips sent six days a week.
A software engineer’s earnest effort to steer his new DJIrobot vacuumwith a video game controller inadvertently granted him a sneak peak into thousands of people’s homes.
While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI’s remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries. The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing.
Luckily, Azdoufal chose not to exploit that. Instead, heshared his findings with The Verge, which quickly contacted DJI to report the flaw. While DJI tellsPopular Sciencethe issue has been “resolved,” the dramatic episode underscores warnings from cybersecurity experts who have long-warned that internet-connected robots and other smart home devicespresent attractive targets for hackers.
As more households adopt home robots, (including newer,more interactive humanoid models) similar vulnerabilities could become harder to detect. AI-powered coding tools, which make it easier for people with less technical knowledge to exploit software flaws, potentially risk amplifying those worries even further.
I can confirm that@DJIGlobalhas finally fixed the HUGE vulnerability they had on their servers.This vulnerability was discovered by the very skillful@n0tsa, and he reported it to DJI.It allowed to take remote control (movements, microphone, camera) of over 10 000 robots…pic.twitter.com/j1UunMmNXX
The robot in question is theDJI Romo, an autonomous home vacuum that first launched in China last year and is currently expanding to other countries. It retails for around $2,000 and is roughly the size of a large terrier or a small fridge when docked at its base station. Like other robot vacuums, it’s equipped with a range of sensors that help it navigate its surroundings and detect obstacles. Users can schedule and control it via an app, but it is designed to spend most of its time cleaning and mopping autonomously.
In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in. It also needs to understand specific details about what makes, say, a kitchen different from a bedroom, so it can distinguish between the two. Some of that sensor data is stored remotely on DJI’s servers rather than on the device itself. For Azdoufal’s DIY controller idea to work, he would need a way for his app to communicate with DJI’s servers and extract a security token that proves he is the owner of the robot.
Rather than just verifying a single token, the servers granted access for a small army of robots, essentially treating him as their respective owner. That slip-up meant Azdoufal could tap into their real-time camera feeds and activate their microphones. He also claims he could compile 2D floor plans of the homes the robots were operating in. A quick look at the robots’ IP addresses also revealed their approximate locations. None of this, Azdoufal insists, amounts to “hacking” on his part. He simply stumbled upon a major security issue.
“DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately,” DJI toldPopular Science.“The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.”
Source: Drudge Report
