User accidentally gains control of over 6,700 robot vacuums while tinkering with their own device to enable control with a PlayStation controller — security flaw reveals floor plans and live video feeds
Did he just unintentionally raise his own robot army?
A security flaw that exposed thousands of DJI Romo robot vacuums to unauthorized access has been unintentionally revealed after a tinkerer built an app to control their own device with a PlayStation controller. According to The Verge, this problem allowed the app to retrieve accurate floor plans, access live camera and microphone feeds, and even let it remotely control the affected devices.
This was discovered by accident by AI strategist Sammy Azdoufal, who used Claude Code to reverse engineer the protocol the DJI Romo uses to communicate with its servers. But instead of just giving him access to his own device, it handed over the keys to around 6,700 robot vacuums located across the world. Azdoufal said that he didn’t hack into DJI’s systems; all he did was obtain the private token of his own Romo vacuum. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” he said to The Verge. Because of this, he was able to access live servers across the world, including the U.S., Europe, and even China.
Thankfully, he didn’t use this knowledge to exploit other people’s privacy. He contacted DJI about the issue, and the company eventually resolved it through a couple of updates that required no action from users. Still, the AI strategist says there are a couple of outstanding issues that DJI needs to address: the ability to stream the video feed of a DJI Romo without a security PIN, and another problem he is not disclosing because of its severity. More importantly, Azdoufal pointed out that the core of the problem is not the encryption the robot vacuum uses when communicating with its server, but that all the data is stored in plain text on the server and can easily be read by anyone who gains access to it.
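The failure the article describes, a token issued for one device being honoured for requests about other devices, is modelled below as an added example; this is not DJI's code or protocol, and the token format, device ids and floor-plan records are constructed stand-ins. The weak handler only checks that a token is genuine, the hardened one also checks that the token is scoped to the device being requested.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret; a real service keeps this in a KMS/HSM, never in code.
SERVER_KEY = b"constructed-server-secret"

# Constructed sample data: device id -> stored floor plan (stand-in for map/video resources).
FLOOR_PLANS = {"romo-0001": "plan-of-home-A", "romo-0002": "plan-of-home-B"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(device_id: str) -> str:
    """Issue a token bound to exactly one device (the per-device 'private token')."""
    body = json.dumps({"device_id": device_id}, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    # urlsafe base64 never contains '.', so it is a safe separator.
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str):
    """Return the token's claims if its tag is valid, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def get_floor_plan_weak(token: str, requested_device: str):
    """Weak handler: authenticates the token but never checks which device it belongs to."""
    if verify_token(token) is None:
        return None
    return FLOOR_PLANS.get(requested_device)


def get_floor_plan_scoped(token: str, requested_device: str):
    """Hardened handler: a valid token only unlocks the device it was issued for."""
    claims = verify_token(token)
    if claims is None or claims.get("device_id") != requested_device:
        return None
    return FLOOR_PLANS.get(requested_device)
```

The same scoping check belongs on every resource endpoint (map, camera, microphone, remote control), and a defender can detect the weak pattern by logging and alerting on token device ids that differ from the requested device id.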
This isn’t the first time that a robot vacuum has been found to be mishandling the data that it gathers. Just last year, an engineer discovered that his iLife A11 smart vacuum had been consistently sending logs and telemetry data back to the manufacturer. When he blocked it from reporting back all that information through his network, the maker sent a kill code to disable the device, essentially bricking it remotely. With a little bit of tinkering and ingenuity, he was able to revive and use his device completely locally, proving that a robot vacuum does not need to be connected to the cloud 24/7 to operate as intended.
Many users are purchasing and installing IoT smart devices inside their homes because of the convenience they bring. But incidents like this show how dangerous they can be, with tinkerers stumbling into these systems by accident. This raises several red flags, with security researchers pointing out that if ordinary people can stumble into the private data of thousands of individuals through these gadgets, then a concerted attack could be far more damaging than anticipated.
