DJI Awards US$30,000 to Security Researcher for Identifying Critical Vulnerability in Robo Vacuum Infrastructure
Chinese technology giant DJI has officially awarded US$30,000, equivalent to approximately 509 million rupiah, to Sammy Azdoufal, an independent security researcher. This payment was made following Azdoufal’s successful identification of a critical vulnerability in DJI’s cloud infrastructure that threatened the privacy of thousands of DJI Robo vacuum users worldwide.
The discovery originated from Azdoufal’s personal experimentation attempting to integrate a PlayStation 5 (PS5) controller to operate his vacuum robot. During reverse engineering to extract device authorisation tokens, Azdoufal uncovered a startling fact: DJI’s backend system provided excessive and inappropriate access permissions.
This security flaw enabled remote access to sensor data and camera feeds from approximately 7,000 robot units distributed across 24 countries. Without remediation, the privacy of homes belonging to thousands of users risked exposure to unscrupulous actors.
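As an added illustration, not DJI's code or any reconstruction of its backend, the following Python models the class of flaw described above: a device token that is valid but not bound to the device it is used against, shown beside the object-level authorization check that closes the gap. All device ids, tokens, owners and feed values are constructed sample data.

```python
"""Illustrative model (constructed, not DJI's code) of a device token that is
accepted for any device, beside a hardened check that binds token to device."""
from dataclasses import dataclass

# Constructed sample data: two robots belonging to two different users.
DEVICES = {
    "robot-A": {"owner": "alice", "camera_feed": "frames-of-alice-home"},
    "robot-B": {"owner": "bob", "camera_feed": "frames-of-bob-home"},
}

@dataclass(frozen=True)
class DeviceToken:
    device_id: str          # device this token was issued for
    scopes: frozenset       # e.g. {"telemetry:read", "camera:read"}

# Constructed issued tokens: tok-B deliberately lacks camera:read.
ISSUED = {
    "tok-A": DeviceToken("robot-A", frozenset({"telemetry:read", "camera:read"})),
    "tok-B": DeviceToken("robot-B", frozenset({"telemetry:read"})),
}

class Unauthorized(Exception):
    pass

def camera_feed_vulnerable(token_str: str, device_id: str) -> str:
    """Flawed pattern: only checks that the token exists, so any valid
    device token can read any device's camera feed."""
    if token_str not in ISSUED:
        raise Unauthorized("unknown token")
    return DEVICES[device_id]["camera_feed"]

def camera_feed_hardened(token_str: str, device_id: str) -> str:
    """Object-level check: the token must be bound to the requested device
    and must carry the scope for the resource being read."""
    token = ISSUED.get(token_str)
    if token is None:
        raise Unauthorized("unknown token")
    if token.device_id != device_id:
        raise Unauthorized("token not bound to requested device")
    if "camera:read" not in token.scopes:
        raise Unauthorized("token lacks camera:read scope")
    return DEVICES[device_id]["camera_feed"]

def denied(fn, token_str: str, device_id: str) -> bool:
    """True if fn refuses the request; used to compare both implementations."""
    try:
        fn(token_str, device_id)
        return False
    except Unauthorized:
        return True

def audit_cross_device_reads(requests):
    """Detection side: flag (token, device) pairs where the token was issued
    for a different device than the one being read."""
    return [(t, d) for t, d in requests
            if t in ISSUED and ISSUED[t].device_id != d]
```

The same token/device pairs can be fed to `audit_cross_device_reads` from access logs to spot cross-device reads before the authorization fix is deployed.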
DJI’s decision to award this substantial bounty is regarded as a turning point in the company’s relationship with the cybersecurity community. Notably, in 2017, DJI faced severe criticism following a legal dispute with researcher Kevin Finisterre regarding a similar vulnerability report.
With ambitious expansion into the smart home robotics sector, DJI now appears more collaborative. The company stated it implemented technical improvements to its backend system immediately upon receiving Azdoufal’s report, before the vulnerability could be exploited externally.
The DJI Robo case serves as a stark reminder to the technology industry about the risks posed by Internet of Things (IoT) devices. Devices equipped with cameras and microphones in private spaces require multilayered security standards.
DJI emphasised that user data security remains its paramount priority. Security experts recommend that smart vacuum robot users consistently update firmware to the latest version to ensure security patches are properly installed.
To date, DJI has stated there is no evidence the vulnerability was exploited by malicious actors before being patched. The company recommends users keep the DJI application on their smartphones updated to the latest version and regularly update firmware on their robot vacuum devices.