DJI will pay $30K to the man who accidentally hacked 7,000 Romo robovacs
On Valentine’s Day, a remarkable story emerged that quickly attracted global attention: a man, attempting to control his DJI robot vacuum with a PlayStation controller, inadvertently uncovered a vast network of 7,000 remotely accessible DJI robots, providing a disturbing window into people’s private homes.
DJI has now agreed to pay $30,000 to this individual, Sammy Azdoufal, for revealing the security flaw. Though the company had already begun addressing some related vulnerabilities, it was uncertain whether Azdoufal would receive compensation for his findings, especially considering DJI’s previous interactions with other security researchers. Furthermore, doubts lingered about how promptly DJI would fix the additional risks Azdoufal exposed.
Recent developments offer more clarity. Azdoufal has shared an email indicating he will receive $30,000 for a particular discovery, though neither DJI nor Azdoufal has specified which issue the reward pertains to. DJI has acknowledged “rewarding” an unnamed security researcher and confirmed resolving one of the vulnerabilities Azdoufal identified—one that allowed unauthorized viewing of a DJI Romo video stream without a security PIN, a fix implemented by late February, according to DJI spokesperson Daisy Kong.
Regarding a more severe vulnerability initially withheld from public disclosure, DJI confirmed that an extensive system upgrade is underway. This set of improvements is expected to be fully deployed within approximately one month. Moreover, DJI published a blog post emphasizing their efforts to enhance the DJI Romo’s security and highlighting that while the company claims to have discovered the primary issue internally, it also credits two independent security researchers with uncovering the same problem.
The blog suggests that updates have resolved the Romo’s security issue, yet DJI acknowledges the complexity of the situation and the potential time required for comprehensive remediation. Additionally, DJI notes that the Romo holds ETSI, EU, and UL security certifications, a statement that may raise questions about the efficacy of such certifications given the ease with which one person could access a widespread network of robotic devices.
Looking ahead, DJI asserts its commitment to ongoing testing, patching, and subjecting its products and applications to independent third-party security audits. Furthermore, the company intends to deepen collaboration with the security research community, promising new initiatives to foster partnerships and engagement with researchers in the near future.