A software engineer who wanted to control his robot vacuum with a PS5 controller discovered a critical vulnerability in DJI's cloud backend, gaining access to 7,000 live camera feeds and home floor plans before receiving a $30,000 reward for responsible disclosure.
A software engineer's experiment to control his robot vacuum with a PlayStation 5 controller led to the discovery of a critical vulnerability affecting thousands of DJI robot vacuum cleaners, exposing live camera feeds and home layouts to unauthorized access.
Discovery Through Experimentation
Sammy Azdoufal, a software engineer, initially set out to modify his DJI Romo robot vacuum's functionality by enabling PS5 controller operation. During this tinkering process, he encountered a significant authorization flaw in DJI's cloud backend infrastructure that would prove far more consequential than his original goal.
The vulnerability stemmed from inadequate device access controls within DJI's backend services. Rather than properly limiting access to authorized devices only, the system allowed Azdoufal to access a fleet of approximately 7,000 robot vacuum cleaners operated by other users.
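The flaw the article describes is the familiar broken object-level authorization pattern: a backend that authenticates the caller but never verifies that the requested device belongs to that caller. The following Python sketch is an added illustration, not DJI's code (DJI has not published its backend), and every account, device id and feed address in it is constructed. It places a flawed feed handler beside a hardened one, and adds a small access-log check a backend team could run to spot cross-account reads.

```python
"""
Illustrative example (not DJI's code): a device-feed lookup that misses the
ownership check, beside a hardened version that scopes every lookup to the
authenticated account, plus a log-based detector for cross-account reads.
All accounts, device ids, feed addresses and log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Device:
    device_id: str
    owner_id: str
    feed_url: str      # constructed placeholder, not a real stream address
    floor_plan: str    # constructed placeholder for the device's 2D map resource

# Constructed fleet: two accounts, three devices.
DEVICES: Dict[str, Device] = {
    "romo-0001": Device("romo-0001", "alice", "rtsp://example.invalid/feed/0001", "plan-0001"),
    "romo-0002": Device("romo-0002", "bob",   "rtsp://example.invalid/feed/0002", "plan-0002"),
    "romo-0003": Device("romo-0003", "bob",   "rtsp://example.invalid/feed/0003", "plan-0003"),
}

def get_feed_vulnerable(session_user: str, device_id: str) -> Optional[dict]:
    """Flawed handler: the caller is authenticated (session_user is trusted),
    but the device id is taken from the request and never tied to the caller,
    so any valid session can read any device's feed and floor plan."""
    device = DEVICES.get(device_id)
    if device is None:
        return None
    return {"feed": device.feed_url, "floor_plan": device.floor_plan}

def get_feed(session_user: str, device_id: str) -> Optional[dict]:
    """Hardened handler: the lookup is scoped to the caller's account.
    A device the caller does not own is answered exactly like a device that
    does not exist, so the endpoint leaks nothing about other accounts' ids."""
    device = DEVICES.get(device_id)
    if device is None or device.owner_id != session_user:
        return None
    return {"feed": device.feed_url, "floor_plan": device.floor_plan}

def list_owned_devices(session_user: str) -> List[str]:
    """Server-side enumeration: clients are handed only their own device ids,
    so a well-behaved app never needs to guess or supply foreign ones."""
    return sorted(d.device_id for d in DEVICES.values() if d.owner_id == session_user)

# Constructed access-log lines in a simple key=value format (an assumption,
# not any vendor's real log layout): who read which device, and the HTTP status.
SAMPLE_LOG = [
    "user=alice device=romo-0001 status=200",
    "user=alice device=romo-0002 status=200",
    "user=alice device=romo-0003 status=200",
    "user=bob device=romo-0002 status=200",
    "user=bob device=romo-9999 status=404",
]

def count_cross_account_reads(log_lines: List[str]) -> Dict[str, int]:
    """Detection check over the backend's own access log: count successful
    reads where the session user is not the device's owner. With the hardened
    handler deployed this must be zero; a non-zero count per user is the
    signature of the authorization gap (or of someone probing for it)."""
    hits: Counter = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        device = DEVICES.get(fields.get("device", ""))
        if fields.get("status") != "200" or device is None:
            continue
        if device.owner_id != fields.get("user"):
            hits[fields["user"]] += 1
    return dict(hits)

if __name__ == "__main__":
    print("vulnerable:", get_feed_vulnerable("alice", "romo-0002"))   # leaks bob's device
    print("hardened:  ", get_feed("alice", "romo-0002"))              # None
    print("cross-account reads:", count_cross_account_reads(SAMPLE_LOG))
```

The ownership test belongs in the data-access layer (or in a single authorization middleware), not in each handler; when it is scattered across handlers, the one endpoint that forgets it, here the feed and floor-plan lookup, exposes everything. The log check is cheap to run continuously and would have flagged a single account touching thousands of foreign device ids long before a researcher reported it.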
Scope of the Security Breach
The exposed devices were not ordinary robot vacuums. The DJI Romo model incorporates advanced features including a camera and microphone, making it capable of capturing both visual and audio data from users' homes. Through the vulnerability, Azdoufal gained access to live camera feeds with accompanying audio from thousands of households.
Beyond simple video access, the flawed backend provided additional sensitive information. The system generated 2D floor plans of the homes in which the affected DJI Romos operated, offering detailed layouts of private living spaces. Furthermore, the backend service exposed IP addresses associated with these devices, enabling Azdoufal to approximate the geographical locations of the affected homes.
Responsible Disclosure Process
Despite having access to what could be considered a massive surveillance network, Azdoufal chose responsible disclosure over exploitation. He did not attempt to hack into the system through sophisticated means but rather encountered the vulnerability through normal interaction with the flawed backend service.
Azdoufal initially alerted The Verge about his discovery. The publication contacted DJI, which responded by deploying an automatic patch on February 8, followed by a second update on February 10. This timeline indicates that DJI acted on the reported vulnerability before the original story's publication date of February 14.
Company Response and Conflicting Accounts
The aftermath of the discovery revealed conflicting narratives about the vulnerability's identification and resolution. DJI initially informed Popular Science that it had discovered the vulnerability during an internal review in late January and fixed it without crediting Azdoufal for his role in the discovery process.
However, subsequent reporting by The Verge indicated that DJI later acknowledged two independent researchers, including Azdoufal, as having identified the same problem. The company did not provide elaboration on the specific contributions of each party or the circumstances surrounding the multiple discoveries.
DJI stated that no user action was required to receive the security updates and mentioned that additional security enhancements were underway, though specific details about these improvements were not disclosed to the public.
Financial Reward and Recognition
Following the resolution of the vulnerability, DJI sent Azdoufal an email notifying him of a $30,000 reward for his discovery. The company did not provide detailed explanations for the compensation amount or the specific reasons behind the reward, though it likely reflects the severity and scope of the vulnerability he uncovered.
Technical Implications
The vulnerability highlights significant security concerns in Internet of Things (IoT) devices, particularly those equipped with cameras and microphones that operate within private spaces. The DJI Romo's advanced sensor suite, while providing enhanced functionality for users, also created potential for privacy invasion when combined with inadequate backend security measures.
The incident demonstrates how seemingly minor experimentation or customization attempts can uncover major security flaws. Azdoufal's initial goal of PS5 controller integration led to the discovery of a vulnerability that potentially affected thousands of households, exposing them to unauthorized surveillance and data collection.
Industry Context
This case adds to the growing list of IoT security incidents that have raised concerns about the privacy implications of smart home devices. As manufacturers continue to add cameras, microphones, and internet connectivity to household appliances, the potential attack surface for privacy violations expands correspondingly.
The DJI Romo incident serves as a reminder that robust security measures must evolve alongside technological capabilities. Features that enhance user convenience and device functionality must be balanced against comprehensive security protocols that prevent unauthorized access to sensitive data and live feeds from private spaces.

Moving Forward
The resolution of this vulnerability and DJI's subsequent security enhancements represent steps toward improved IoT device security. However, the incident underscores the ongoing challenge of ensuring that connected devices maintain appropriate security standards, particularly when they have the capability to capture and transmit sensitive information from users' homes.
For consumers, this case highlights the importance of understanding the capabilities and potential vulnerabilities of smart home devices before installation. While features like remote monitoring and advanced sensors provide convenience, they also introduce privacy considerations that must be carefully weighed against the benefits of connectivity and automation.
The $30,000 reward to Azdoufal not only compensates him for his discovery but also serves as an incentive for security researchers to continue identifying and reporting vulnerabilities, ultimately contributing to the improvement of device security across the industry.
