
Spanish Programmer Accidentally Discovers Global DJI Robot Vacuum Vulnerability, Receives $30,000 Reward

Source: KOMPAS (translated from Indonesian) | Technology

A Spanish programmer named Sammy Azdoufal has received a $30,000 USD reward (approximately 500 million rupiah) from technology company DJI.

The award was granted after Azdoufal inadvertently discovered a security vulnerability that enabled users to control approximately 7,000 DJI Romo robot vacuums worldwide.

The incident began when Azdoufal was experimenting with his own DJI Romo robot vacuum. He performed reverse engineering on the robot vacuum’s communication protocol using the AI coding assistant Claude Code. In doing so, he successfully controlled his newly purchased DJI Romo using a PlayStation 5 gamepad.

However, when the application he created began communicating with DJI’s server, responses came not only from his own device. According to a Wired report, approximately 7,000 robot vacuums in 24 countries worldwide also responded to his commands.

This vulnerability allowed Azdoufal to operate thousands of DJI Romo units remotely whilst also accessing the cameras installed on the robots. With this access, he could potentially view and listen to activities inside the homes of users he did not know. The access also enabled him to observe the robots’ room mapping processes and their creation of two-dimensional floor plans. He could also estimate device locations through connected IP addresses.

Despite this, Azdoufal emphasised that his discovery did not involve hacking DJI’s systems. He maintained that he only extracted authentication tokens from his own device.

“I did not break any rules, did not breach systems, did not hack, or conduct brute force attacks,” he stated.

However, when Azdoufal used these tokens, DJI’s server returned information from thousands of other devices.

DJI confirmed that it had paid a reward to security researchers but did not name Azdoufal as the person behind the finding. The China-based company also did not disclose details of the security flaw.

Notably, DJI has released a software update to patch the vulnerability. The company added that some additional vulnerabilities may require approximately one more month to fully address.
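The article describes a token taken from one device being honoured for thousands of others: the server checked that the caller was authenticated but not that the caller owned the device it acted on. The following is an added illustration of that class of flaw and its fix, written for this page; it is not DJI's protocol or code, and the device fleet, owner names, token format and function names are all constructed for the example.

```python
"""Constructed illustration: a device-control API that authenticates a token
but does not bind it to the caller's own devices, next to the corrected
handler. Nothing here is DJI's API; names and data are made up."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER_KEY = b"constructed-server-signing-key"  # assumption: server-side secret


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    model: str


# Constructed fleet: one device belongs to the caller, the rest to strangers.
FLEET: Dict[str, Device] = {
    "vac-0001": Device("vac-0001", "alice", "vacuum"),
    "vac-0002": Device("vac-0002", "bob", "vacuum"),
    "vac-0003": Device("vac-0003", "carol", "vacuum"),
}


def issue_token(user: str) -> str:
    """Token = 'user:mac'. The HMAC proves the server issued it and binds it to a user."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user the token belongs to, or None if the MAC does not match."""
    user, _, mac = token.partition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def send_command_vulnerable(token: str, model: str, command: str) -> List[str]:
    """Authenticates the caller, then fans the command out to every device of the
    requested model. Authentication without authorization: one valid token
    reaches the whole fleet, which is the failure mode the article describes."""
    if verify_token(token) is None:
        raise PermissionError("invalid token")
    return [d.device_id for d in FLEET.values() if d.model == model]


def send_command_fixed(token: str, device_id: str, command: str) -> List[str]:
    """Object-level authorization: resolve the target device, check that the
    token's user owns it, and act on that single device only."""
    user = verify_token(token)
    if user is None:
        raise PermissionError("invalid token")
    device = FLEET.get(device_id)
    if device is None or device.owner != user:
        # One error for "missing" and "not yours", so the API does not confirm
        # which device IDs exist to a caller who does not own them.
        raise PermissionError("device not found or not owned by caller")
    return [device.device_id]


def flag_overreach(user: str, affected: List[str]) -> List[str]:
    """Server-side audit check: return the device IDs a request touched that the
    user does not own. A non-empty result on a production log is the signal a
    defender would want for a fan-out bug like this one."""
    return [d for d in affected if FLEET.get(d) is None or FLEET[d].owner != user]


if __name__ == "__main__":
    tok = issue_token("alice")
    hit = send_command_vulnerable(tok, "vacuum", "start")
    print("vulnerable handler reached:", hit)
    print("devices not owned by alice:", flag_overreach("alice", hit))
    print("fixed handler reached:", send_command_fixed(tok, "vac-0001", "start"))
```

The fixed handler takes a device ID rather than a model and makes the ownership comparison the gate on every action; the audit helper is the same comparison applied after the fact to whatever a request returned, which is how a fleet-wide fan-out shows up in logs before a customer notices.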
