When a security researcher named Sammy Azdoufal was trying to build a DIY joystick controller for his robot vacuum, he accidentally discovered a deeply unsettling security flaw: it was easy to gain access to a small army of strangers’ home robot vacuums.
It sounds goofy. Totally silly. The stuff of a “weird news” tag on a link aggregation site. But it’s actually a serious gaping security flaw.
The device at the center of it all was a DJI Romo, a $2,000 autonomous vacuum that consists of two components: the regular old disc-shaped robot vacuum you’re used to seeing, and its rather bulky docking station, which looks like a colorless iMac G3.
Like most high-end smart home devices, it relies on cameras, sensors, and remote servers to map rooms, avoid obstacles, and distinguish kitchens from bedrooms, and so on. It also stores some of that data in the cloud.
A Guy Somehow Became the Accidental Ruler of 7,000 Robot Vacuums
Speaking with The Verge, Azdoufal says that while tinkering, he discovered that, instead of verifying a single security token tied to his own vacuum, DJI’s servers effectively treated him as the owner of multiple devices. That meant potential access to live camera feeds, microphones, 2D floor plans of homes, and approximate device locations based on IP addresses. He says he didn’t “hack” anything; he just stumbled into a system that willfully handed him the keys as if he were its rightful owner.
After being alerted, DJI said it patched the vulnerability in early February through automatic updates and claimed no user action was required. The company also promised additional security enhancements, though details on those were sparse.
All this comes at a time when Ring, Google Nest doorbells, and Flock security cameras are key players in ongoing controversies that are sparking anxiety about who really controls the data flowing from the devices in our homes and fastened to our front doors. With companies like Tesla and 1X racing to build humanoid robots to help with household tasks, security questions will become ever more important.
All this convenience comes with an uncomfortable truth that most people are quick to ignore: every camera and microphone invited inside is a potential surveillance tool that, in the wrong hands, can quickly become a goldmine for hackers… or worse.
The post How a Guy Accidentally Became the Supreme Ruler of an Army of 7,000 Robot Vacuums appeared first on VICE.




