DJI Robot Vacuums and Power Stations Exposed in Major Security Flaw
A significant security vulnerability affecting DJI's robot vacuums and power stations has been uncovered by researcher Sammy Azdoufal. What began as an attempt to control a DJI Romo vacuum with a PS5 gamepad led to a shocking discovery: Azdoufal's remote control app could access data from a vast network of devices.
The vulnerability granted access to data from approximately 7,000 DJI robot vacuums and over 10,000 devices globally, including DJI Power portable power stations.
The Discovery: Unintended Access
Sammy Azdoufal initially aimed to enhance the control of his DJI Romo vacuum. During his experiments, he stumbled upon a critical flaw that exposed a massive amount of user data. This unintended access revealed a widespread vulnerability within DJI's ecosystem.
Vulnerability Details: What Was Exposed?
Azdoufal successfully demonstrated a range of remote control capabilities, extending far beyond his own device. He was able to:
- Access live camera feeds.
- Listen through device microphones.
- Generate 2D floor plans.
- Extract rough location data from various devices.
Crucially, this extensive access was achieved without hacking DJI's servers. Azdoufal claimed he extracted his own device's private token, which then granted him access to data from thousands of other devices through DJI's MQTT servers across the US, China, and EU regions. He also reported being able to view his own DJI Romo's live video feed without needing its security PIN, highlighting a fundamental flaw in access control.
Azdoufal contended that while device-to-server communication used TLS encryption, application-layer data remained visible in cleartext for authenticated clients if topic-level access controls were inadequate.
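The access-control gap described above is an authorization problem, not an encryption one: the broker verified that a client held a valid token but did not check that the token was bound to the device whose topic it subscribed to. The following added example (not DJI's code; the token table and the devices/<device_id>/... topic layout are assumptions for illustration) contrasts that authentication-only policy with a topic-scoped one that a broker or backend permission check should enforce.

```python
"""Toy model of broker-side topic authorization for an MQTT IoT fleet.

Constructed example: the device ids, token table and topic layout are
assumptions for illustration, not DJI's real scheme.
"""

# Constructed token table: each issued token is bound to exactly one device.
TOKEN_TO_DEVICE = {
    "tok-romo-0001": "romo-0001",
    "tok-romo-0002": "romo-0002",
    "tok-power-0100": "power-0100",
}

# Assumed topic layout: devices/<device_id>/<stream...>
TOPIC_PREFIX = "devices"
MQTT_WILDCARDS = ("+", "#")


def authorize_weak(token: str, topic: str) -> bool:
    """Authentication only: any valid token may read any device topic.

    Models the failure mode in the article: the client is authenticated,
    but nothing ties the token to the device named in the topic.
    """
    return token in TOKEN_TO_DEVICE


def authorize_scoped(token: str, topic: str) -> bool:
    """Authorization: the token must be bound to the device in the topic.

    The topic must sit under the expected prefix, and a wildcard in the
    device-id position is refused so one client cannot widen a subscription
    to the whole fleet. Wildcards below the device id stay allowed, which
    only ever covers the client's own device.
    """
    device = TOKEN_TO_DEVICE.get(token)
    if device is None:
        return False
    parts = topic.split("/")
    if len(parts) < 3 or parts[0] != TOPIC_PREFIX:
        return False
    topic_device = parts[1]
    if topic_device in MQTT_WILDCARDS:
        return False
    return topic_device == device


def audit_subscriptions(attempts: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (token, topic) pairs the weak policy lets through but the
    scoped policy denies, i.e. the cross-device reads a broker log review
    should flag."""
    return [(t, p) for t, p in attempts
            if authorize_weak(t, p) and not authorize_scoped(t, p)]
```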
DJI's Official Response and Remediation Efforts
DJI responded to the reports from Azdoufal and The Verge by initially restricting some access. The company later released a statement confirming that in late January it had identified a backend permission validation issue affecting MQTT-based communication. DJI initiated remediation efforts, deploying two critical updates on February 8 and February 10.
The company confirmed that the issue created a theoretical potential for unauthorized access to live video but stated that actual occurrences were rare. While DJI clarified that device-to-server communication used TLS encryption, Azdoufal's counterargument, that application-layer data stays in cleartext for any authenticated client, points to a deeper concern regarding topic-level access controls.
Broader Implications and Industry Context
This incident has raised significant concerns about DJI's security and data practices, especially given the company's ongoing challenges in the US market. The vulnerability underscores a recurring theme in the smart home industry, where similar security flaws have been reported in other popular robot vacuum brands.
Previous incidents involving Ecovacs, Dreame, and Narwal robot vacuums allowed hackers to access camera feeds or control devices, indicating a systemic challenge in IoT security. Alarmingly, Azdoufal has indicated that some vulnerabilities he found remain unaddressed by DJI, suggesting that further risks may persist.