Engineer receives $30,000 for exposing a vulnerability affecting 7,000 robot vacuum cleaners — tinkerer just wanted to drive his robot vacuum with a PS5 controller

(Image credit: DJI)

DJI will pay $30,000 to a man who discovered a critical vulnerability in the company's cloud backend that, among other things, granted him access to a fleet of some 7,000 robot vacuum cleaners and gave him a glimpse into other people's homes, reports The Verge. The company reportedly sent Sammy Azdoufal, a software engineer who wanted to drive his DJI Romo robot vacuum with a PS5 controller, an email notifying him of the reward, but did not elaborate on the reasons behind it.

It all started earlier this year, when Sammy Azdoufal wanted to control his robotic hoover with something more convenient than a smartphone screen. To control his DJI Romo using his PS5 gamepad, Azdoufal had to develop a custom controller app that used his security token to prove to his vacuum cleaner that he was the owner of the device. To extract that token, he needed to work with DJI's cloud servers to reverse-engineer the authorization process, which he successfully did with the assistance of an AI coding tool. As it turned out, instead of authorizing a single robot, DJI's backend granted broad access rights to some 7,000 robot vacuum cleaners located in 24 countries, along with their sensor data stored in the cloud.

The DJI Romo is an advanced robot vacuum cleaner that is equipped not only with the typical set of sensors found in any automatic hoover, but also with a camera and a microphone. As a result of the authorization flaw, Azdoufal gained access to 7,000 live camera feeds with audio and could even compile 2D floor plans of homes cleaned by other DJI Romos. The DJI backend was also generous enough to provide the software expert with the IP addresses of these homes, enabling him to guess their geographical locations.

Azdoufal insists he did not 'hack' anything, as he simply encountered a flawed backend service that failed to properly limit device access. To his credit, Sammy Azdoufal chose to disclose the information rather than abuse it. Azdoufal alerted The Verge, which contacted DJI, and the company fixed the problem by mid-February.
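The failure described above is a classic authorization gap: the backend accepted a valid user token and then treated it as a key to the whole fleet instead of to the devices that user owns. The following is an added illustration, not DJI's code and not Azdoufal's controller app; the class names, token format, sample devices and access log are all constructed here. It shows the flawed check beside the per-device ownership check that closes the gap, plus a small audit helper that a backend operator can run over access logs to spot one token reaching devices that belong to several different owners.

```python
"""Added example (not DJI's code): binding a device-control token to the
devices its owner actually holds, and auditing access logs for tokens that
cross owner boundaries.  All names and sample data are constructed."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    device_id: str
    owner_id: str
    has_camera: bool = True


@dataclass
class Backend:
    devices: dict = field(default_factory=dict)   # device_id -> Device
    tokens: dict = field(default_factory=dict)    # token -> owner_id

    def issue_token(self, owner_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = owner_id
        return token

    # Flawed check, modelled on the behaviour the article describes: the token
    # only proves "some valid user", after which any existing device is reachable.
    def open_camera_feed_flawed(self, token: str, device_id: str) -> bool:
        if token not in self.tokens:
            return False
        return device_id in self.devices

    # Hardened check: the device must exist AND belong to the token's owner.
    def open_camera_feed(self, token: str, device_id: str) -> bool:
        owner = self.tokens.get(token)
        device = self.devices.get(device_id)
        if owner is None or device is None:
            return False
        return device.owner_id == owner

    def list_reachable(self, token: str, check) -> list:
        """Every device id the given check would let this token open."""
        return sorted(d for d in self.devices if check(token, d))


def flag_cross_owner_access(backend: Backend, access_log: list, max_owners: int = 1) -> list:
    """Audit helper: return the owner ids behind tokens whose successful
    accesses (token, device_id) span devices of more than `max_owners`
    distinct owners.  A token normally touches only its own owner's devices."""
    owners_per_token: dict = {}
    for token, device_id in access_log:
        dev = backend.devices.get(device_id)
        if dev is None:
            continue
        owners_per_token.setdefault(token, set()).add(dev.owner_id)
    return sorted(backend.tokens[t] for t, o in owners_per_token.items()
                  if len(o) > max_owners)


def demo() -> dict:
    backend = Backend()
    for dev_id, owner in [("romo-001", "alice"), ("romo-002", "bob"), ("romo-003", "carol")]:
        backend.devices[dev_id] = Device(dev_id, owner)
    alice = backend.issue_token("alice")

    flawed = backend.list_reachable(alice, backend.open_camera_feed_flawed)
    fixed = backend.list_reachable(alice, backend.open_camera_feed)

    # Constructed access logs: what each check would have let Alice's token open.
    log_flawed = [(alice, d) for d in flawed]
    log_fixed = [(alice, d) for d in fixed]
    return {
        "flawed": flawed,                                   # all three robots
        "fixed": fixed,                                     # only romo-001
        "flagged_flawed": flag_cross_owner_access(backend, log_flawed),  # ["alice"]
        "flagged_fixed": flag_cross_owner_access(backend, log_fixed),    # []
    }


if __name__ == "__main__":
    print(demo())
```

The audit helper is deliberately coarse: it does not need the token's contents, only which devices each token successfully opened, so it can run over ordinary backend access logs after the fact and would have surfaced a single token opening thousands of devices across 24 countries.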

DJI then told Popular Science that it discovered the vulnerability during an internal review (so no credit was given to Sammy Azdoufal) in late January and quickly fixed it. Yet, according to the latest story by The Verge, the company now also credits two independent researchers with identifying the same problem, but does not elaborate.

Anyhow, according to media reports, the initial patch was deployed automatically on February 8, followed by a second update on February 10. That precedes The Verge's original story on February 14, but clearly follows Sammy Azdoufal's discovery, which was allegedly made before February 8. DJI also said that no user action was required and added that additional security enhancements were underway, without disclosing any details.


Anton Shilov
Contributing Writer