A software engineer who uncovered a major vulnerability in DJI’s cloud infrastructure — one that potentially exposed thousands of robot vacuum devices — has been promised a $30,000 reward from the company.
The discovery, first reported by The Verge, revealed how a backend authorization flaw in the system powering DJI’s ROMO robot vacuum could have allowed access to a fleet of roughly 7,000 devices across 24 countries.
Those devices weren’t just cleaning floors. They also carried cameras, microphones, and mapping sensors designed to help them navigate homes — making the implications of the vulnerability particularly sensitive.
While DJI says the issue has already been fixed and that no user data appears to have been misused, the incident has sparked fresh discussions about security in connected home devices.
A simple experiment turned into a major discovery
The situation began with what seemed like a harmless experiment. Software engineer Sammy Azdoufal wanted to control his DJI ROMO robot vacuum using a PlayStation 5 controller instead of the standard smartphone app. To do that, he began building a custom controller interface that would communicate with DJI’s cloud systems.
Like many connected devices, the robot vacuum verifies ownership through a security token that authenticates commands sent from the user’s device. To extract that token and understand how authorization worked, Azdoufal began reverse-engineering the process used by DJI’s cloud backend. He reportedly used an AI coding tool to help analyze the system.
What he found surprised him. Instead of granting access only to his own vacuum, the backend validation process allowed much broader permissions. The system effectively opened a door to thousands of devices connected to the same cloud infrastructure.
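The flaw as described is a textbook case of authentication without object-level authorization: the backend confirms that the caller holds a valid token, but never checks that the device being addressed belongs to that caller. The following is an added illustration, not DJI's backend or app code; the user ids, device ids, token table and function names are all constructed for the example. It shows the weak check beside the corrected one, plus the kind of denial log a defender would watch for.

```python
"""Constructed example: a device API that authenticates the caller's token but
does not check device ownership (broken object-level authorization), next to
the corrected handler. Not DJI code; all identifiers below are made up.
"""

# Constructed ownership table: device id -> owning user id.
DEVICE_OWNERS = {
    "vac-0001": "user-alice",
    "vac-0002": "user-bob",
    "vac-0003": "user-bob",
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {
    "tok-alice": "user-alice",
    "tok-bob": "user-bob",
}

# Server-side record of denied cross-account requests (for detection/alerting).
DENIAL_LOG = []


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


def authenticate(token):
    """Resolve a token to the user it identifies; reject unknown tokens."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("invalid token")
    return user


def get_device_weak(token, device_id):
    """Weak handler: proves the caller is *some* valid user, then serves any
    device id it is asked for. Ownership is never consulted."""
    authenticate(token)
    if device_id not in DEVICE_OWNERS:
        raise KeyError(device_id)
    return {"device_id": device_id, "owner": DEVICE_OWNERS[device_id]}


def get_device_fixed(token, device_id):
    """Fixed handler: authenticates, then requires that the caller owns the
    device. Unknown and foreign devices get the same error so the response
    does not reveal which ids exist."""
    user = authenticate(token)
    owner = DEVICE_OWNERS.get(device_id)
    if owner != user:
        # Record who tried to reach what; one token hitting many foreign ids
        # is the enumeration pattern a SOC would alert on.
        DENIAL_LOG.append({"user": user, "device_id": device_id})
        raise AuthError("not found")
    return {"device_id": device_id, "owner": owner}


def readable_devices(token, handler):
    """Regression check: which devices in the table can this token read
    through the given handler? The fixed handler should return only the
    caller's own devices."""
    readable = []
    for device_id in DEVICE_OWNERS:
        try:
            handler(token, device_id)
            readable.append(device_id)
        except (AuthError, KeyError):
            pass
    return sorted(readable)


if __name__ == "__main__":
    print("weak :", readable_devices("tok-alice", get_device_weak))
    print("fixed:", readable_devices("tok-alice", get_device_fixed))
    print("denials logged:", DENIAL_LOG)
```

The two-line difference between the handlers is the whole bug: the weak version answers the question "is this a real user?" while the fixed version answers "is this the user who owns this device?". The regression check is the sort of test a product security team can run against every object-returning endpoint, and the denial log gives the monitoring side a signal that distinguishes researcher probing from normal app traffic.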
According to the report, the flaw meant Azdoufal could see data tied to roughly 7,000 DJI ROMO vacuums worldwide. Because the robot vacuums include built-in cameras and microphones, the vulnerability also allowed potential access to live camera feeds and audio streams.
In addition, the system stored mapping information created by the vacuums as they cleaned homes. That meant Azdoufal could generate 2D floor plans of houses where these devices were operating.
The backend reportedly even exposed the IP addresses associated with the homes, which could potentially reveal approximate geographic locations.
Azdoufal has stressed that he did not exploit the vulnerability for malicious purposes. Instead, he documented the findings and reported the issue responsibly. According to reports, he also alerted journalists, which prompted further scrutiny and outreach to DJI.
DJI says the issue was already under review
DJI has offered a slightly different timeline for how the vulnerability was discovered and fixed. In a statement, the company says it identified a backend validation issue involving the DJI Home app in late January during a routine internal security review. The issue affected the new ROMO robot vacuum product as well as certain DJI power stations.
DJI says that two independent security researchers later reported the same vulnerability through the company’s bug bounty program, contributing to the remediation process.
The company says updates have already been deployed to fix the issue. “Technology is not static; it is constantly evolving, and security must evolve with it,” DJI insisted.
According to DJI, its investigation found that the unusual activity tied to the vulnerability was largely the result of security researchers testing the system, rather than malicious exploitation. “We did not identify evidence that user data was misused,” the company said.
Despite the vulnerability being fixed, the story gained attention after Azdoufal shared an email from DJI indicating the company would pay him $30,000 for one of the discoveries he reported. DJI confirmed to media outlets that it had compensated an unnamed researcher, though the company did not specify which particular finding qualified for the payout. The lack of detail has left some uncertainty around the reward and how it fits into DJI’s bug bounty program.
Bug bounty programs are commonly used in the tech industry to encourage independent researchers to responsibly disclose vulnerabilities instead of exploiting them. Companies then reward researchers depending on the severity of the bug.
DJI says its program has been active for nearly a decade. “Since launching our bug bounty program nearly a decade ago, more than 300 security researchers have submitted reports regarding potential vulnerabilities across DJI platforms,” the company said.
Security still a top priority, DJI says
DJI emphasized that it has invested heavily in strengthening the security of its ecosystem over the years. The company says it maintains a dedicated product security team, conducts regular architecture and code reviews, and performs end-to-end penetration testing to identify potential vulnerabilities. It also follows coordinated disclosure practices and deploys automatic patches when needed.
The ROMO product line itself, DJI notes, has already received multiple security certifications, including ETSI EN 303 645, EU RED requirements, and UL Solutions Diamond IoT Security certification.
The company added that it plans to continue submitting its products — including ROMO and the DJI Home app — to independent third-party security audits. “Our customers place trust in our technology, and we do not take that lightly,” DJI said.
For consumers, the episode highlights a broader reality of the modern smart home. Devices like robot vacuums, security cameras, and smart speakers rely heavily on cloud infrastructure, and any weakness in that infrastructure can have wide-reaching effects. In this case, the vulnerability appears to have been caught before any widespread misuse occurred. Still, the discovery serves as a reminder of why companies invest in bug bounty programs and partnerships with security researchers, and why responsible disclosure can help keep connected technology safer for everyone.