
DJI Pays $30K to Hacker Who Exposed 7,000 Robovac Flaws

Summary

– A security researcher discovered a network of 7,000 remotely controllable DJI robot vacuums whose cameras could be accessed to view inside people’s homes.
– DJI is paying the researcher $30,000 for the discovery, though it has not publicly named him or specified which vulnerability the reward is for.
– The company has already patched an additional vulnerability that allowed video streams to be viewed without a security PIN.
– DJI states it is working on a more serious vulnerability and anticipates fully implementing system updates within a month.
– In a public blog post, DJI claims to have resolved the main issue and commits to engaging more with security researchers and third-party audits.

The discovery of a major security flaw in DJI’s Romo robot vacuum network has led to a significant payout and a renewed focus on device safety. A researcher, who initially set out to control his own unit with a PlayStation controller, uncovered a network of approximately 7,000 connected devices that could be accessed remotely. Because the vacuums carry cameras, this exposure meant a remote party could potentially view the inside of private homes, a critical weakness in a popular consumer product. DJI has now confirmed a $30,000 reward to the unnamed security expert responsible for bringing these issues to light.

While the company has not specified which particular finding the payment covers, it acknowledges compensating a researcher for their contributions. DJI states it has already resolved one specific vulnerability that allowed video streams to be viewed without a required security PIN. A company spokesperson confirmed this patch was deployed by the end of February. Regarding a more severe vulnerability, details of which were withheld in prior reporting due to its sensitivity, DJI indicates a broader system upgrade is underway, with full implementation expected within a month.

In a public blog post addressing the incident, DJI emphasized its commitment to strengthening the Romo’s security. The post credits “two independent security researchers” for identifying the original problem, though it also maintains the company discovered the issue internally. DJI asserts that updates have been deployed to fully resolve the matter, yet separately communicated to reporters that the complete fix for all related vulnerabilities could take several more weeks.

The situation raises questions about product certifications, as DJI noted the Romo holds ETSI, EU, and UL security approvals. The fact that a single individual could access such an extensive network prompts scrutiny of the real-world effectiveness of these standards. In response, DJI pledges to continue testing, patching, and submitting both the Romo device and its accompanying application for independent third-party security audits. The company further promises to deepen its engagement with the security research community, announcing plans to introduce new avenues for collaboration and partnership.

(Source: The Verge)
