DJI Addresses Critical Security Flaws in Robot Vacuums and Power Stations
DJI has responded to the discovery of security vulnerabilities in its robot vacuums and portable power stations, which allowed a security researcher to access data from thousands of devices. The company has since deployed updates to address some of the identified issues and compensated researcher Sammy Azdoufal $30,000 for his discoveries. The vulnerabilities allowed potential access to live camera feeds, microphone audio, and device control.
Discovery of Vulnerabilities
Security researcher Sammy Azdoufal identified a significant security vulnerability in DJI's robot vacuums, specifically the DJI Romo model, and its DJI Power portable power stations. Azdoufal's initial attempt to control his DJI Romo vacuum with a PS5 gamepad unexpectedly led to a much broader discovery. His remote control application gained access to data from an estimated 7,000 DJI robot vacuums and over 10,000 devices globally.
Details of Access
Azdoufal reported that this extensive access was achieved without compromising DJI's central servers. He stated that by extracting his own device's private token, he gained unauthorized access to data from thousands of other devices via DJI's MQTT servers located in the US, China, and EU regions.
Capabilities demonstrated included remote control of devices, access to live camera feeds, listening through microphones, generation of 2D floor plans, and acquisition of rough location data from various devices.
Azdoufal also reported being able to view his own DJI Romo's live video feed without requiring its security PIN. While DJI stated that device-to-server communication utilized TLS encryption, Azdoufal contended that application-layer data remained visible in cleartext for authenticated clients if topic-level access controls were insufficient.
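The topic-level access control point above can be modelled in code. The following Python is an added example, not DJI's code or broker configuration; the device ids and `devices/<id>/...` topic layout are constructed. It contrasts a broker ACL that lets any authenticated device token subscribe to the whole device tree with one that scopes each token to its own device subtree and refuses wildcard subscriptions that would span other devices.

```python
# Added example, not DJI's code: a broker-side MQTT authorization model for
# per-device topic scoping. Device ids and topic layout are constructed.
def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' (last level only) the rest."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def filter_covered(acl_filt: str, sub_filt: str) -> bool:
    """True if every topic matched by sub_filt is also matched by acl_filt.
    Needed for SUBSCRIBE: a wildcard subscription must not reach beyond the ACL."""
    a, s = acl_filt.split("/"), sub_filt.split("/")
    for i, ap in enumerate(a):
        if ap == "#":
            return i == len(a) - 1
        if i >= len(s) or (ap == "+" and s[i] == "#") or (ap != "+" and s[i] != ap):
            return False
    return len(a) == len(s)

def authorize(acl, device_id: str, action: str, target: str) -> bool:
    """acl: list of (action, filter); '{id}' in a filter is the caller's own device id.
    action is 'publish' (target is a topic) or 'subscribe' (target is a filter)."""
    check = filter_covered if action == "subscribe" else topic_matches
    return any(act == action and check(filt.replace("{id}", device_id), target)
               for act, filt in acl)
# Weak: any authenticated token may read or write the whole device tree.
WEAK_ACL = [("subscribe", "devices/#"), ("publish", "devices/#")]
# Hardened: a token only reaches its own device's subtree.
HARDENED_ACL = [("subscribe", "devices/{id}/#"), ("publish", "devices/{id}/cmd")]

def demo() -> dict:
    own, other = "romo-0001", "romo-0002"   # constructed device ids
    return {
        "weak_fleet_wide_subscribe": authorize(WEAK_ACL, own, "subscribe", "devices/#"),
        "hardened_fleet_wide_subscribe": authorize(HARDENED_ACL, own, "subscribe", "devices/#"),
        "hardened_other_camera": authorize(HARDENED_ACL, own, "subscribe", f"devices/{other}/camera/live"),
        "hardened_wildcard_camera": authorize(HARDENED_ACL, own, "subscribe", "devices/+/camera/live"),
        "hardened_own_camera": authorize(HARDENED_ACL, own, "subscribe", f"devices/{own}/camera/live"),
        "hardened_other_cmd": authorize(HARDENED_ACL, own, "publish", f"devices/{other}/cmd"),
        "hardened_own_cmd": authorize(HARDENED_ACL, own, "publish", f"devices/{own}/cmd"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The subscribe check matters as much as the publish check: under the weak policy a single valid device token can subscribe to `devices/#` and receive every device's telemetry, which TLS on the transport does nothing to prevent.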
DJI's Response and Remediation
Upon being informed by Azdoufal and The Verge, DJI initially restricted some access to mitigate the immediate threat. The company later confirmed that it had identified a backend permission validation issue affecting MQTT-based communication in late January.
Remediation efforts included two updates deployed on February 8 and February 10. DJI stated that while the issue created a theoretical potential for unauthorized access to live video, actual occurrences were rare.
DJI also announced that an additional vulnerability, which allowed viewing of a DJI Romo video stream without a security PIN, was addressed by late February. For a more severe vulnerability that has not been publicly detailed, DJI indicated that system upgrades are ongoing, with full implementation anticipated within one month.
In a public blog post outlining efforts to enhance Romo's security, DJI stated it had discovered the original issue internally while also crediting "two independent security researchers" for identifying the same problem. The company initially suggested all issues were resolved but later confirmed to The Verge that a full resolution for all vulnerabilities could take up to another month.
Compensation and Future Actions
DJI has compensated Sammy Azdoufal $30,000 for his vulnerability discoveries. While DJI confirmed rewarding an unnamed security researcher, it did not specify which discovery the payment was for.
DJI's blog post mentioned that the Romo has ETSI, EU, and UL security certifications, underscoring its commitment to standards. The company has also committed to increasing engagement with the security research community, with new collaboration methods planned for future introduction, and intends to continue independent third-party security audits. However, Azdoufal has indicated that some vulnerabilities he found remain unaddressed by DJI.
Broader Context
This incident has prompted discussions regarding DJI's security and data practices within the smart home industry. Similar security flaws have been reported in other smart home devices, including robot vacuums from brands such as Ecovacs, Dreame, and Narwal, which have previously allowed unauthorized access to camera feeds or device control. This highlights a recurring challenge in securing connected consumer devices.