- A DJI Romo owner has exposed a huge security flaw
- He gained access to a global network of 7,000 robovacs
- DJI says it’s busy patching the security vulnerabilities
DJI’s first robot vacuum, the DJI Romo, is expanding to more markets after launching last year – but it apparently comes with some rather large security holes that led to one hobbyist hacker gaining control of 7,000 of the machines.
As The Verge reports, DJI Romo owner Sammy Azdoufal was trying to get his PS5 controller to operate his new robovac when he inadvertently took over thousands of the devices. Azdoufal’s remote control app, made with the help of Claude Code, slipped through some rather basic security on DJI’s servers.
Not only could Azdoufal control any of these robovacs, he could also access the video and audio they were feeding back, and view 2D floor plans of the homes they were in. IP addresses were also accessible, meaning approximate locations of these properties could be calculated, alongside everything else.
It seems that the security token that Azdoufal used to confirm ownership of his own device was good enough for DJI’s servers to grant access to thousands of other DJI Romos too. Even DJI Power portable power stations were showing up on the map, reporting back diagnostics and status.
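The gap described above, where a token that proves ownership of one device is accepted for others, is the difference between authenticating a caller and authorizing the specific device being requested. As an added illustration (not DJI's code and not taken from The Verge's reporting), this Python example uses a constructed HMAC token, a constructed ownership table and hypothetical function names to put a check that accepts any valid token beside one that ties the token's account to the device, and then audits a request log for cross-account access.

```python
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # constructed secret, for this example only
# Constructed ownership table: device serial -> owning account (assumed names).
OWNERS = {"vac-001": "alice", "vac-002": "bob", "pwr-003": "carol"}


def _tag(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Token = account id plus an HMAC tag; it proves who the caller is."""
    return f"{account}.{_tag(account)}"


def authenticate(token: str) -> Optional[str]:
    """Return the account the token belongs to, or None if the tag is wrong."""
    account, _, tag = token.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if account and ok else None


def can_access_weak(token: str, device: str) -> bool:
    """Flawed check: any valid token is accepted for any known device."""
    return authenticate(token) is not None and device in OWNERS


def can_access_strict(token: str, device: str) -> bool:
    """Hardened check: the token's account must own the requested device."""
    account = authenticate(token)
    return account is not None and OWNERS.get(device) == account


def foreign_access(log):
    """Audit (token, device) requests: account -> devices touched but not owned."""
    hits = {}
    for token, device in log:
        account = authenticate(token)
        if account and OWNERS.get(device) not in (None, account):
            hits.setdefault(account, set()).add(device)
    return hits
```

Running `foreign_access` over historical request logs shows whether any account reached devices it does not own before the stricter check was in place.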
Fixes coming
The good news is that DJI has patched this problem, confirming to The Verge that the issue is now “resolved” and indeed that “remediation was already underway prior to public disclosure”. However, it’s very worrying that this was possible in the first place, with so little security put in place against hacks.
New DJI products are in fact banned in the US at the moment, due to concerns about security protocols and the company’s connections to the Chinese government – and suspicions around spying and surreptitious data collection aren’t going to be allayed by this latest security disaster.
There is actually another security problem with the DJI Romo, which The Verge has deemed too serious to report openly about. DJI says that this second issue will be fixed within weeks, but it’s hardly going to inspire confidence or trust in anyone looking to purchase one of the best robovacs right now.
It’s yet more evidence that smart-home devices are some of the worst when it comes to security. We’ve reached out to DJI for an official statement on the reporting done by The Verge, and will report back if we hear anything.




