DJI Robovac Security Flaw Exposed Thousands to Remote Access
▼ Summary
– A security researcher accidentally gained unauthorized access to thousands of DJI robot vacuums and power stations worldwide by using his own device’s authentication token.
– This access allowed him to remotely view live camera feeds, see floor plans, and monitor device statuses without hacking DJI’s servers, due to a backend permission validation issue.
– DJI initially claimed the vulnerability was fixed, but the researcher demonstrated it was still active, leading to a full patch only after the issue was publicly confirmed.
– The incident reveals serious security flaws in DJI’s data handling, raising concerns about user privacy and justifying existing geopolitical fears that have led to US restrictions on the company.
– Despite the patch, the researcher states that other vulnerabilities remain, including the ability to bypass a device’s security PIN to view its camera feed.
A significant security vulnerability in DJI’s Romo robot vacuum recently exposed thousands of devices to potential remote access. What began as a personal project to control a vacuum with a gamepad inadvertently revealed a widespread flaw, allowing a single user to see and interact with approximately 7,000 devices globally. This incident highlights critical concerns about data privacy and device security in the rapidly expanding smart home ecosystem.
Sammy Azdoufal simply wanted to use a PlayStation 5 controller to operate his new DJI Romo. However, when his custom application communicated with DJI’s servers, it didn’t just connect to his own device. He found himself with unprecedented access to a global network of robot vacuums. In a live demonstration, he watched as thousands of devices appeared on a world map, each transmitting detailed data packets every few seconds. This information included serial numbers, cleaning locations, battery levels, and even the floor plans of homes.
The access was shockingly comprehensive. Using only a vacuum’s serial number, Azdoufal could pinpoint its approximate location, see which room it was cleaning, and monitor its battery status. He demonstrated the ability to pull live camera feeds from devices, completely bypassing security PINs. At the peak of his access, his system had cataloged data from over 10,000 DJI devices, including both Romo vacuums and the company’s Power portable stations, spread across two dozen countries.
DJI has since taken action to close this security gap. After being notified by Azdoufal and journalists, the company deployed patches that eventually blocked this particular method of access. By the following morning, the scanner could no longer connect to any devices. The company attributed the issue to a “backend permission validation problem” with its MQTT communication servers, stating that fixes were automatically deployed and no user action was required.
Nevertheless, the episode raises profound questions. If a hobbyist accidentally gained this level of control, what could a malicious actor accomplish? The fact that live camera and microphone feeds were accessible is particularly alarming for a device designed to roam inside private homes. Azdoufal himself questioned the necessity of a microphone on a vacuum cleaner, calling the feature “weird.”
DJI’s initial response claimed the vulnerability was resolved prior to public disclosure, a statement contradicted by the ongoing access demonstrated hours later. The company later clarified that remediation occurred in two stages, with a second patch required to fully secure all service nodes. While DJI asserts that device-to-server communication was always encrypted using TLS, experts point out that encryption alone doesn’t protect data if server permissions are improperly configured.
This is not an isolated problem in the smart home industry. Recent years have seen similar vulnerabilities in products from other manufacturers, where hackers could hijack devices to harass people or spy through cameras. The DJI incident will likely intensify scrutiny, especially given the existing geopolitical tensions surrounding the Chinese technology giant’s access to data.
Azdoufal, who works in AI strategy, maintains he did not hack any systems. He claims he merely extracted the authentication token from his own device and discovered the servers provided data from countless others. Frustrated by automated responses from the company, he chose to publicize his findings to force a quicker resolution, prioritizing a fix over formal bug bounty protocols.
Despite the patches, Azdoufal states that not all vulnerabilities have been addressed. One remaining flaw allows owners to view their own vacuum’s camera stream without entering a PIN. He and other security researchers argue that storing data on U.S. servers offers little protection if access controls within those servers are weak, a point underscored by his ability to see devices worldwide from his home in Barcelona.
On a lighter note, Azdoufal did achieve his original goal. He can now successfully pilot his DJI Romo using a PlayStation or Xbox gamepad. However, the path to that fun feature uncovered a serious lapse in security that left thousands of households potentially exposed, serving as a stark reminder of the privacy trade-offs inherent in connected devices.
(Source: The Verge)
