[Image: A DJI Romo robot vacuum, a sleek white disc-shaped device, on a wooden floor.]

The $30,000 Discovery: How One Man Accidentally Hacked DJI’s Robot Vacuum Fleet


Accidental Hacker Rewarded: DJI Pays $30,000 for Romo Robovac Vulnerability

In a story that has captivated tech enthusiasts and cybersecurity experts alike, DJI has confirmed a $30,000 payment to Sammy Azdoufal, the man who inadvertently stumbled upon a gaping security flaw in the company’s Romo robot vacuum network. What began as a simple attempt to control his personal device with a PlayStation gamepad escalated into the discovery of access to an astonishing 7,000 remote-controlled DJI robots, offering a disturbing peek into thousands of private homes.

Unraveling the Vulnerability

The saga, first brought to light on Valentine’s Day, detailed how Azdoufal, a security researcher, exposed critical vulnerabilities within the DJI Romo system. While DJI had already initiated efforts to address some related issues, Azdoufal’s demonstration to The Verge underscored the profound extent of the access he could achieve. This revelation sparked immediate questions regarding DJI’s willingness to compensate him for his findings, especially given the company’s controversial history with security researchers, notably the 2017 incident involving Kevin Finisterre.

DJI’s Response and Compensation

Today, some of those questions have been answered. According to an email shared by Azdoufal with The Verge, DJI will pay him $30,000 for one specific discovery, though the company has refrained from publicly naming him or specifying which vulnerability garnered the reward. DJI, however, confirmed to The Verge that an unnamed security researcher had indeed been “rewarded” for their work.

DJI spokesperson Daisy Kong stated that the vulnerability allowing video stream viewing without a security PIN “was addressed by late February.” Yet, the more severe, undisclosed vulnerability – deemed so critical that its details were withheld from the original story – is still being actively worked on. DJI assures that “upgrading the entire system” is underway, with full implementation anticipated within one month.

Conflicting Narratives and Certification Concerns

Adding a layer of complexity, DJI simultaneously published a public blog post emphasizing strengthened Romo security. In this post, the company maintains that it discovered the original issue independently, while also crediting “two independent security researchers” for identifying the same problem. The blog post suggests a complete resolution, stating, “Updates have been deployed to fully resolve the issue.” This contrasts with DJI’s private communication to The Verge, indicating that a full fix could still be a month away.

The incident also casts a shadow on the efficacy of industry certifications. DJI proudly notes that the Romo holds ETSI, EU, and UL security certifications. However, the ease with which one individual could access an entire network of robovacs raises serious questions about the practical value and rigor of these certifications. Despite this, DJI reiterates its commitment to ongoing testing, patching, and submitting the Romo and its app to independent third-party security audits.

A Pledge for Future Engagement

Looking forward, DJI has expressed a commitment to “deepening our engagement with the security research community” and plans to “soon introduce new ways for researchers to partner and collaborate with us.” While this signals a positive shift, the Romo incident serves as a stark reminder of the critical importance of robust security in smart home devices and the ongoing vigilance required from both manufacturers and the research community.
