Drone maker DJI has reportedly confirmed that it will pay $30,000 to a man who discovered major security flaws in the company’s robot vacuum cleaners. He found the vulnerabilities, which allowed him to access thousands of connected DJI robot vacuum cleaners, by accident while experimenting with the device’s controls. The issue came to light after Sammy Azdoufal, who was trying to control a DJI robot vacuum with a PlayStation gamepad, discovered he could remotely connect to a network of around 7,000 devices.
According to a report by The Verge, the discovery revealed vulnerabilities that potentially allowed remote access to cameras and controls on the vacuums, raising concerns about privacy and device security. Azdoufal later demonstrated the issue to the publication, showing how the system could allow someone to peek into other users’ homes.
DJI said it had already started addressing some of the related vulnerabilities before the discovery was publicly demonstrated. The company has now confirmed it will reward Azdoufal for reporting the issue as it continues to patch the remaining security gaps, The Verge reports.
What DJI said about paying the researcher who found security flaws in its robo vacuum cleaners
In an email shared with The Verge, DJI spokesperson Daisy Kong has confirmed that the company will pay Sammy Azdoufal $30,000 for a single discovery, though the message does not specify which vulnerability the payment relates to. While the company did not name Azdoufal directly, it confirmed that it has an unnamed security researcher for their work.
DJI also did not specify which discovery the reward is tied to, but said it has already addressed an additional vulnerability identified by Azdoufal. The issue allowed someone to view a DJI Romo video stream without needing a security PIN.
Kong wrote in DJI’s statement. DJI said it is currently working on resolving other issues as well.
Kong added.
What DJI said about the security flaw that allowed hacking into 7,000 robot vacuum cleaners
In a blog post, DJI outlined the steps it says it is taking to strengthen the security of the DJI Romo robot vacuum. In the post, the company maintained that it had originally discovered the issue while also acknowledging that “two independent security researchers” had identified the same problem.
The blog post adds that updates have been deployed to resolve the issue. However, multiple vulnerabilities were involved, and DJI told The Verge that addressing all of them could take up to another month.
In the same post, DJI said the Romo already holds security certifications from ETSI, the EU, and UL. The company added that it plans to continue testing and patching the device and will submit the Romo and its app for independent third-party security audits.
DJI also wrote that it is


