Sammy Azdoufal, a programmer in Spain, wanted to control his robot vacuum cleaner with a PS5 controller, but accidentally connected and controlled 7,000 devices around the world.
Azdoufal used the Claude Code AI programming assistant to decode DJI’s mobile application and write an application that controls the Romo vacuum robot with a PS5 controller, purely for entertainment. However, when it connected to DJI’s server system, Azdoufal’s application immediately received feedback from thousands of active devices around the world.
Azdoufal could remotely connect to and control them, view live video and audio, and make the robots move and build a full floor plan of the house. He could also easily look up the robots’ IP addresses to estimate their geographic location.
“This is like accidentally creating an army of thousands of robot vacuum cleaners, allowing him to monitor a similar number of houses without anyone knowing,” Malwarebytes commented.
Floor plan of a house created by DJI Romo robot. Image: The Verge
The problem stems from the MQTT protocol that DJI uses to transmit messages from the device to the server and to receive commands in the opposite direction. MQTT is a lightweight, low-latency solution well suited to remote control and real-time data reception.
However, DJI’s security was so weak that Azdoufal was able to access all of the data using a private token extracted from his own robot. This token is meant to let the server confirm a valid user, but it granted access to the information of thousands of robots on the server.
Azdoufal demonstrated the technique directly to an editor at the technology site The Verge. Thousands of robots responded within moments, each sending an MQTT message to the server every 3 seconds reporting its serial number, the room being cleaned, images captured from the camera, distance traveled, time remaining before returning to the charger and obstacles encountered along the way. All of it was displayed in plain text, unencrypted.
The programmer says the entire process took place without any intervention on DJI’s servers. “I did not violate any regulations, did not bypass any firewall or crack anything,” he said.
Nine minutes after starting, Azdoufal’s computer had connected to about 6,700 DJI robot vacuum cleaners in 24 countries and collected more than 100,000 update messages. Including the DJI Power mobile power station, the number of accessible devices exceeded 10,000.
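To show the authorization point the article makes (a token that proves "some valid device" but is not bound to that device's own data), here is an added example of a broker-side subscription check, written for this page and not DJI's code. The topic layout `devices/<serial>/...` and the token-to-serial mapping are constructed assumptions; the real DJI scheme is not described in the article.

```python
"""Added example: a weak MQTT subscribe check beside a device-scoped one.
Topic layout and credentials below are constructed for illustration."""
import re

# Constructed sample credentials: each device token is bound to one
# 14-digit serial number (the article mentions 14-digit serials).
DEVICE_TOKENS = {
    "tok-romo-A": "10000000000001",
    "tok-romo-B": "10000000000002",
}

# One topic namespace per device: devices/<serial>/{status,video,cmd}
TOPIC_RE = re.compile(r"^devices/([0-9]{14})/(status|video|cmd)$")


def authorize_weak(token: str, topic: str) -> bool:
    """The flaw the article describes: the token only proves that the
    caller owns *a* valid device, so any topic, including the wildcard
    devices/# covering every robot's telemetry, is accepted."""
    return token in DEVICE_TOKENS


def authorize_scoped(token: str, topic: str) -> bool:
    """Hardened check: the token must map to a known device AND the topic
    must be that device's own namespace. Wildcards ('#', '+') never match
    TOPIC_RE, so cross-device subscriptions are refused."""
    serial = DEVICE_TOKENS.get(token)
    if serial is None:
        return False
    m = TOPIC_RE.fullmatch(topic)
    return m is not None and m.group(1) == serial


def audit(token: str, topics: list) -> dict:
    """Compare both policies: topic -> (weak_decision, scoped_decision)."""
    return {t: (authorize_weak(token, t), authorize_scoped(token, t))
            for t in topics}


if __name__ == "__main__":
    sample = [
        "devices/10000000000001/status",  # own robot
        "devices/10000000000002/video",   # another household's camera
        "devices/#",                      # every robot in the fleet
    ]
    for topic, (weak, scoped) in audit("tok-romo-A", sample).items():
        print(f"{topic:32} weak={weak!s:5} scoped={scoped}")
```

The scoped check is the property the patches DJI later shipped would need to enforce: a device credential must authorize only that device's own topics, and wildcard subscriptions must be rejected outright.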
Data collected from thousands of DJI Romo vacuum cleaner robots around the world. Image: The Verge
Using only the 14-digit serial number, Azdoufal located The Verge editor’s robot vacuum cleaner, confirmed it was operating at 80% battery and mapped details of the home despite being in another country.
DJI spokeswoman Daisy Kong initially said the company had fixed the problem a week earlier, although Azdoufal’s demonstration was conducted shortly after that statement. DJI later issued a full statement acknowledging a problem in its data access authorization process and released two software patches in mid-February.
After the first patch, Azdoufal could no longer access other people’s cameras and microphones or control their robot vacuum cleaners. After the second patch, his application no longer recognized any robots at all, including Azdoufal’s own.
DJI says it always deploys TLS encryption, but Azdoufal said TLS only protects the connection between the device and the server, not the data carried inside it. He added that many vulnerabilities remain unpatched, including a weakness that allows bypassing the PIN encryption to access camera data.