DJI fixes a security flaw that allowed you to control thousands of DJI ROMO robot vacuum cleaners and access their cameras

DJI has solved a security flaw identified in its new DJI ROMO P robot vacuum cleaners, which allowed remote control of around 7,000 vacuum cleaners globally, as well as access to their camera and microphones in real time.

The technology company presented its series of ROMO robot vacuum cleaners in October of last year. Available in three configurations, this series has a scrubbing function and uses the technology of the brand’s well-known drones to precisely detect obstacles and trace cleaning routes.

Among the different models in the new series, the ROMO P is the most advanced, with an additional compartment for floor deodorizer and a striking design due to its transparent charging station, available from 1,899 euros.

However, the new ROMOs have not only stood out for their design and capabilities, but have also been the subject of investigation due to a security flaw, identified by accident, that allowed thousands of vacuum cleaners to be controlled remotely, as well as access to their camera and microphones.

The flaw was identified by Sammy Azdoufal, director of Artificial Intelligence (AI) strategy at the home rental company Emerald Stay and an application developer, who, after trying to remotely control his new DJI ROMO vacuum cleaner with a PS5 controller “for fun”, managed to communicate with the company’s servers and, through them, reach thousands of robot vacuum cleaners globally.

Specifically, Azdoufal created a remote control application using the AI assistant Claude Code that, when attempting to communicate with his vacuum cleaner by reverse engineering DJI protocols, received responses from approximately 7,000 vacuum cleaners globally.

Through this application, he could not only control all the responding vacuum cleaners remotely, but could also access their cameras to view the captured images and listen to their live microphones.

This was reported by The Verge, which collected the developer’s research and verified the vulnerability by putting it into practice: Azdoufal, from Barcelona, remotely controlled a DJI ROMO vacuum cleaner belonging to one of the outlet’s journalists using only its serial number.

So much so that the developer showed the outlet how he could map each room in a house by generating a 2D plan, as well as use the IP address of any robot to find its approximate location. He could also access the serial number of each robot, which rooms it was cleaning, its battery level and the obstacles it encountered along the way.

In total, Azdoufal managed to access 10,000 devices in 24 different countries. He also maintains that in doing so he broke no rules. “I didn’t jump, give in, or brute force,” the developer said, claiming that he simply extracted the private token from his own DJI ROMO vacuum cleaner – that is, the key that tells DJI’s servers that a user has access to his own data – and that, in return, the company’s servers also showed him the data of thousands of other users.

DJI FIXES THE BUG: A VULNERABILITY IDENTIFIED IN JANUARY

For its part, the technology company has indicated that it has already corrected the security flaw that allowed access and control of the robot vacuum cleaners, although it has clarified that this error comes from a vulnerability that affected DJI Home identified internally at the end of January, which had not been completely patched.

“DJI can confirm that the issue was resolved last week and that the fix was already underway prior to public disclosure,” DJI spokesperson Daisy Kong said in a statement sent to The Verge.

As the firm explained in the statement, the problem affecting DJI Home was solved through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10, without requiring any action from users.

Specifically, it was a vulnerability that involved a permission validation issue in the backend, which affected MQTT-based communication between the device and the server. This issue “created a theoretical potential for unauthorized access to live video from the ROMO device,” although according to the investigation, “the actual events were extremely rare” and were linked to independent security researchers who were testing the devices.
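The two passages above describe the same class of flaw from two sides: a device token that proves the caller is genuine, and a backend permission check that did not tie that token to the specific device whose MQTT data was requested. The following is an added illustration of that distinction and is not DJI’s code, protocol or token format; the HMAC token, the `devices/<serial>/<channel>` topic layout, the `SERVER_SECRET` value and the device serials are all constructed for the example. It places an authentication-only check beside an ownership-scoped check, and also rejects MQTT wildcard subscriptions (`+`, `#`), which an authorization layer must treat as a request for every device.

```python
"""Authentication vs. device-scoped authorization for MQTT topic access.

Hypothetical backend design, not DJI's. Tokens are HMAC-signed JSON claims
naming an owner and the one device serial the token was issued for.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def issue_token(owner_id: str, device_serial: str) -> str:
    """Server-side: bind a token to exactly one owner and one device serial."""
    payload = json.dumps({"owner": owner_id, "serial": device_serial}, sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is genuine, else None (authentication only)."""
    try:
        p, s = token.split(".")
        payload = base64.urlsafe_b64decode(p)
        sig = base64.urlsafe_b64decode(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def topic_serial(topic: str) -> Optional[str]:
    """Extract the device serial from devices/<serial>/<channel...>.

    MQTT wildcards ('+', '#') in the serial position would match every device,
    so they are rejected here rather than handled as a literal serial.
    """
    parts = topic.split("/")
    if len(parts) < 3 or parts[0] != "devices":
        return None
    serial = parts[1]
    if not serial or "+" in serial or "#" in serial:
        return None
    return serial


def authorize_weak(token: str, topic: str) -> bool:
    """The flawed pattern: any genuine token may read any device's topic."""
    claims = verify_token(token)
    if claims is None:
        return False
    return topic_serial(topic) is not None


# Constructed audit log of denied cross-device requests; a defender would
# alert on a single token being refused for many distinct serials.
DENIED_LOG: list = []


def authorize_scoped(token: str, topic: str) -> bool:
    """The corrected pattern: the token must name the serial in the topic."""
    claims = verify_token(token)
    if claims is None:
        return False
    serial = topic_serial(topic)
    if serial is None or serial != claims.get("serial"):
        DENIED_LOG.append({
            "owner": claims.get("owner"),
            "token_serial": claims.get("serial"),
            "requested_topic": topic,
        })
        return False
    return True


if __name__ == "__main__":
    tok = issue_token("user-a", "SN-A")  # constructed owner and serial
    for topic in ("devices/SN-A/camera/live", "devices/SN-B/camera/live", "devices/+/camera/live"):
        print(f"{topic:28s} weak={authorize_weak(tok, topic)!s:5s} scoped={authorize_scoped(tok, topic)}")
    print("denied:", DENIED_LOG)
```

The weak variant answers the question the article’s developer exploited by accident: the server verified that his token was real, but not that it belonged to the device whose camera topic was requested. The scoped variant fails closed on a foreign serial, on a wildcard subscription and on a malformed or forged token, and records each cross-device refusal so that a token being denied across many serials stands out in monitoring.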

Thus, although DJI claims that the first patch fixed the vulnerability, it had not been applied universally “across all service nodes”, so the second patch was released to extend the fix to the remaining service nodes, which were re-activated and restarted in the process.

After receiving Sammy Azdoufal’s report on the flaws found, DJI has ruled that it has already been completely resolved and “there is no evidence of a broader impact.” Likewise, it has specified that it is not a transmission encryption problem and that the communication between the device and the server “was not transmitted in clear text.”

“DJI maintains strict data privacy and security standards and has established processes to identify and address potential vulnerabilities,” the company concluded, while noting that it has invested “in an encryption industry” and that it manages a bug bounty program.

Even so, it should be borne in mind that, although DJI claims to have fixed the bug, if it has simply closed one entry point to its servers to prevent anyone from reaching the devices, malicious actors may end up finding another route to the same data. In other words, the robot vacuum cleaners are not completely protected.

Azdoufal has confirmed that he no longer has access to any DJI ROMO robot vacuum cleaners. However, he has shared with The Verge another failure related to robot vacuum cleaners that has not been described because it is not yet solved and that he describes as “serious.”

By Editor
