An Accidental Discovery With Massive Implications
What began as a hobbyist project to steer a robot vacuum with a PlayStation gamepad has culminated in a $30,000 bug bounty from DJI, one of the world's largest consumer drone and robotics manufacturers. Sammy Azdoufal, the man behind the discovery, found himself with access to an entire network of approximately 7,000 DJI Romo robot vacuums — complete with the ability to peer into strangers' homes through their onboard cameras.
The vulnerability, first reported by The Verge on Valentine's Day, sent shockwaves through the IoT security community. Azdoufal had connected to an unsecured MQTT messaging broker that DJI's vacuums used for communication, giving him remote control over thousands of devices worldwide. The implications were staggering: a single curious tinkerer had inadvertently demonstrated how an entire fleet of internet-connected home devices could be commandeered.
DJI's Response Marks a Turning Point
The $30,000 payment represents a significant shift in DJI's approach to security researchers. The company has a complicated history with vulnerability disclosure. In 2017, security researcher Kevin Finisterre had a notably contentious experience with DJI's bug bounty program, raising questions about whether the company genuinely welcomed outside security scrutiny.
DJI had already begun addressing some of the vulnerabilities before Azdoufal's full disclosure to The Verge, but the scope of access he demonstrated accelerated the patching process considerably. The company has since secured the MQTT broker, implemented additional authentication layers, and rolled out firmware updates to the affected Romo vacuum fleet.
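As an added illustration, not DJI's own configuration (the page does not name the broker software it runs), this shows how an Eclipse Mosquitto broker goes from the open state described above, where any reachable client can subscribe to every device's feeds and publish commands to the whole fleet, to one that requires a per-device identity and confines each device to its own topics. The file paths, the `robot/<id>/...` topic layout and the `fleet-controller` identity are assumed placeholders.

```conf
# ===== File 1: mosquitto.conf, the weak "before" state (do not deploy) =====
# Anyone who can reach TCP/1883 may connect, subscribe to every topic
# (including any camera or telemetry stream) and publish commands to any device.
listener 1883
allow_anonymous true

# ===== File 2: mosquitto.conf, hardened "after" state (Mosquitto 2.x) =====
listener 8883
allow_anonymous false

# Server-side TLS so credentials and command traffic are never sent in the clear.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Every client must present a certificate issued by our CA, and the certificate's
# CN becomes its MQTT username, so each device authenticates with its own identity
# rather than a shared secret that one tinkerer could reuse against the fleet.
require_certificate true
use_identity_as_username true

# Authorization is separate from authentication: see the ACL file below.
acl_file /etc/mosquitto/acl

# ===== File 3: /etc/mosquitto/acl (assumed topic layout) =====
# "pattern" rules apply to all users; %u expands to the authenticated username,
# i.e. the device's own certificate CN. A device can therefore only report its own
# status and camera data and only receive commands addressed to itself.
pattern write robot/%u/status
pattern write robot/%u/camera
pattern read  robot/%u/cmd

# Only the back-end controller identity may send commands or read telemetry
# fleet-wide; no device identity is granted a wildcard.
user fleet-controller
topic write robot/+/cmd
topic read  robot/+/status
topic read  robot/+/camera
```

With the hardened files in place, a client that connects without a valid certificate is rejected at the TLS handshake, and a compromised device's credentials reach only that device's three topics rather than the fleet.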