
7,000 DJI Robot Vacuums Hacked in Remote Camera Access

Summary

– A man created an app to control his DJI Romo vacuum with a PS5 controller, which inadvertently gave him remote access to about 7,000 units worldwide.
– Through this access, he could view live camera feeds, listen in, and even locate the approximate position of individual robots in people’s homes.
– He achieved this access without hacking, simply by using a private token from his own device, to which DJI’s servers then granted global privileges.
– DJI claimed to have fixed the security vulnerabilities, but a live demonstration proved the flaws were still active at the time of reporting.
– This incident highlights serious security vulnerabilities in home tech, where camera data expected to be protected was broadly accessible.

A recent incident involving a popular smart home device has raised serious questions about digital privacy and security. A user attempting to control his DJI Romo robot vacuum with a PlayStation 5 controller unintentionally discovered he could access thousands of other units globally. This allowed him to view live camera feeds from inside strangers’ homes, highlighting a significant lapse in the device’s security protocols.

The individual, Sammy Azdoufal, developed a custom application to interface his PS5 controller with the vacuum. The Romo, which launched last year, incorporates advanced drone technology like obstacle detection and specialized vision sensors. By connecting through DJI’s own servers, Azdoufal’s app was granted sweeping permissions far beyond its intended use. He found he could not only see and hear through the vacuums’ cameras but also use a robot’s IP address to pinpoint its general location.

In a demonstration for reporters, Azdoufal accessed a specific unit owned by a journalist. Using the device’s serial number, he retrieved an accurate floor plan of the apartment and streamed a live video feed directly from the vacuum. The app also reportedly connected to DJI’s portable battery stations, broadening the potential scope of the issue.

Azdoufal maintains he did not hack the system or bypass any security measures. He simply used a private token from his personal Romo, and DJI’s servers inexplicably granted him administrative-level access to nearly all connected devices, including those on pre-production servers. This suggests a fundamental flaw in how the company manages user authentication and data segregation.
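The failure described above is a missing object-level authorization check: the server verifies that a token is valid but never that its owner is entitled to the device being asked about. The following constructed Python model is added here as an illustration and is not DJI's code or API; account names, serials, tokens and the access log are all made up. It contrasts the vulnerable and corrected handlers and shows the server-side signal a defender would look for.

```python
"""Constructed model of the authorization failure described above. The server
accepts a valid per-device token as proof of identity but never checks that
the caller owns the device it asks about. Illustrative only, not DJI's code."""
from collections import defaultdict

# Constructed sample data: the account that owns each robot serial, the token
# issued to each account's own robot, and per-device data held by the server.
OWNERS = {"SERIAL-A1": "alice", "SERIAL-B2": "bob", "SERIAL-C3": "carol"}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
FLOOR_PLANS = {s: f"{owner}-home.map" for s, owner in OWNERS.items()}


class Forbidden(Exception):
    pass


def get_floor_plan_vulnerable(token, serial):
    """Authentication only: any valid token can read any serial's data."""
    if token not in TOKENS:
        raise Forbidden("invalid token")
    return FLOOR_PLANS[serial]


def get_floor_plan_fixed(token, serial):
    """Authentication plus object-level authorization: the account behind the
    token must own the requested serial. Unknown and foreign serials get the
    same answer, so the endpoint does not confirm which serials exist."""
    account = TOKENS.get(token)
    if account is None:
        raise Forbidden("invalid token")
    if OWNERS.get(serial) != account:
        raise Forbidden("device not owned by caller")
    return FLOOR_PLANS[serial]


def denied(handler, token, serial):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(token, serial)
    except Forbidden:
        return True
    return False


def tokens_with_fan_out(access_log, max_serials=1):
    """Server-side detection: a single device token touching more distinct
    serials than it owns is the signature of this bug. Returns {token: count}."""
    seen = defaultdict(set)
    for token, serial in access_log:
        seen[token].add(serial)
    return {t: len(s) for t, s in seen.items() if len(s) > max_serials}


# Constructed access log: alice reads her own robot, bob reads every robot.
SAMPLE_LOG = [("tok-alice", "SERIAL-A1"), ("tok-bob", "SERIAL-B2"),
              ("tok-bob", "SERIAL-A1"), ("tok-bob", "SERIAL-C3")]
```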

DJI stated it had addressed these security vulnerabilities after being notified, but the live demonstration proved the fixes were incomplete. While patching such flaws can be technically complex, the fact that this level of access was ever possible is deeply troubling for consumers. People who install internet-connected cameras in their private spaces rightly expect their data to be encrypted and secure during transmission and while stored on company servers.

This event is a stark reminder that smart home devices can pose unforeseen risks. DJI has indicated a full resolution is still weeks away, with some specific vulnerabilities being withheld from public disclosure until repairs are finalized. It underscores the critical need for manufacturers to prioritize robust security frameworks from the initial design phase to protect user privacy.

(Source: PetaPixel)
