BBS: TELESC.NET.BR
Subject: DJI to Supreme Court
From: Mike Powell
Date: Fri, 27 Feb 2026 15:19:51 -0500
-----------------------------------------------------------
[something DJI maybe didn't need to deal with right now]
Tinkerer accidentally gets access to thousands of DJI Romo robot vacuums
By Efosa Udinmwen published 22 hours ago
Sensitive data, including floor plans and live video feeds, was exposed
- One user accidentally gained access to thousands of DJI Romo vacuums
  worldwide
- Sensitive data, including floor plans and live video feeds, was exposed
  online
- Encryption of communications was intact, yet server storage remained
  completely unprotected
A hobbyist discovered that his DJI Romo vacuum unintentionally allowed access
to thousands of other devices.
Sammy Azdoufal, an AI strategist, used reverse engineering to understand how
the Romo communicated with DJI servers. He did not hack into DJI systems or
bypass encryption, and he did not use brute force or other illicit methods.
He was attempting to control his own robot with a PlayStation controller when
the protocol returned private tokens for more than 6,700 other vacuums located
across multiple regions, including the United States, Europe, and China.
Discovery and technical details
The core problem was that device data was stored in plain text on the server,
so anyone who could reach it could read floor plans, live video feeds, and
microphone input. The encryption protecting communications in transit was not
flawed; the storage behind it exposed sensitive information to anyone with
access.
Azdoufal immediately reported the vulnerability to DJI, and the company issued
updates to address several problems without requiring user intervention.
Some vulnerabilities remain, including the ability to stream video without a
security PIN, and another issue that has not been disclosed because of its
severity. These remaining problems indicate that server-side data storage and
access control still need attention.
Unfortunately, this is not an isolated case - an engineer previously
discovered that his iLife A11 smart vacuum continuously sent logs and telemetry
back to the manufacturer.
When he blocked that reporting at his network, the company remotely disabled
the device. Using technical adjustments, he restored local functionality,
showing that cloud connectivity is not strictly necessary for the device to
operate.
Many consumers purchase smart devices for convenience, but incidents like these
show potential risks when ordinary users can accidentally access private data.
Using firewall software, careful monitoring, and endpoint protection for
network activity can reduce exposure, and broader use of AI tools could also
help identify unusual patterns, although this does not guarantee detection.
Users should be aware that even minor misconfigurations or design flaws can
create major privacy risks. Live video, floor plans, and other information
could be exposed if attackers exploit similar vulnerabilities.
The case of the DJI Romo vacuums indicates that IoT devices may prioritize
convenience over strong data protection: while this discovery was accidental
and responsibly reported, the underlying design leaves sensitive personal
information vulnerable. This raises valid concerns about both unintended
access and potential targeted attacks in the future.
Via Tom's Hardware: https://www.tomshardware.com/tech-industry/cyber-security/user-accidentally-gains-control-of-over-6-700-robot-vacuums-while-tinkering-with-their-own-device-to-enable-control-with-a-playstation-controller-security-flaw-reveals-floor-plans-and-live-video-feeds
https://www.techradar.com/pro/security/tinkerer-accidentally-gets-access-to-thousands-of-dji-romo-robot-vacuums
--- SBBSecho 3.28-Linux
* Origin: Capitol City Online (1:2320/105)
-----------------------------------------------------------
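The failure the article describes (an API that hands a caller control tokens for robots the caller does not own, while transport encryption stays intact) can be modelled in a few lines. The block below is an added example, not part of the original post and not DJI's code, protocol, or token format: the `Registry`, `Device` and `Session` names, the HMAC-based token, and the three device records are all hypothetical and constructed. It shows the unscoped token issuer beside the owner-scoped one, a control endpoint that accepts any valid token without a second user check, and an audit function that flags device ids in a response that the session's user does not own.

```python
"""Illustrative model of a device-control API that leaks tokens for other
users' robots, with the owner-scoped version and an audit check beside it.
Added example with a hypothetical schema and constructed device records; it is
not DJI's code, protocol, or token format."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str    # account that registered the robot
    region: str


@dataclass(frozen=True)
class Session:
    user: str                # authenticated account making the request
    requested: tuple = ()    # device ids the client asks tokens for; empty = "mine"


class Registry:
    """Stand-in for the server-side device table and token issuer (hypothetical)."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._devices: dict[str, Device] = {}

    def register(self, dev: Device) -> None:
        self._devices[dev.device_id] = dev

    def owner_of(self, device_id: str):
        dev = self._devices.get(device_id)
        return dev.owner if dev else None

    def issue_token(self, device_id: str) -> str:
        # Bearer token: whoever holds it can drive the robot, so issuing it
        # *is* the authorization decision. TLS on the wire does not help when
        # this step hands tokens to the wrong account.
        return hmac.new(self._key, device_id.encode(), hashlib.sha256).hexdigest()

    def control(self, device_id: str, token: str) -> bool:
        """Device-control endpoint: any valid token is accepted, no user check."""
        return hmac.compare_digest(self.issue_token(device_id), token)

    def tokens_unscoped(self, session: Session) -> dict:
        """Failure mode: tokens for whatever the client names (or every device),
        with no check that the session's user owns them."""
        ids = session.requested or tuple(sorted(self._devices))
        return {d: self.issue_token(d) for d in ids if d in self._devices}

    def tokens_scoped(self, session: Session) -> dict:
        """Hardened: object-level authorization. Foreign and unknown ids are
        dropped alike, so the response does not confirm which ids exist."""
        owned = {d for d, dev in self._devices.items() if dev.owner == session.user}
        ids = session.requested or tuple(sorted(owned))
        return {d: self.issue_token(d) for d in ids if d in owned}


def foreign_device_ids(registry: Registry, session: Session, response: dict) -> list:
    """Audit check for a token response: ids the session's user does not own.
    Non-empty output means the endpoint leaked control of someone else's robot."""
    return sorted(d for d in response if registry.owner_of(d) != session.user)


def build_demo_registry() -> Registry:
    # Constructed sample data, not real device identifiers.
    reg = Registry(server_key=b"demo-server-key")
    reg.register(Device("romo-0001", "alice", "US"))
    reg.register(Device("romo-0002", "alice", "US"))
    reg.register(Device("romo-0003", "bob", "EU"))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    alice = Session(user="alice")
    leaked = reg.tokens_unscoped(alice)
    print("unscoped response leaks:", foreign_device_ids(reg, alice, leaked))
    print("scoped response leaks:", foreign_device_ids(reg, alice, reg.tokens_scoped(alice)))
    # A leaked token is enough to drive bob's robot; nothing downstream re-checks the user.
    print("alice can control bob's robot:", reg.control("romo-0003", leaked["romo-0003"]))
```

The point of the audit function is that it runs against the response, not the request: a client like the hobbyist's controller script did nothing unusual, so the only place the leak is visible is in what the server returned for a given session.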