
DJI fixes flaw exposing data of Romo vacuum users
TL;DR
DJI addressed a security flaw that exposed data of 7,000 Romo vacuum users. The issue raised concerns about data security in connected devices.
DJI has fixed a flaw in the backend of its Romo robotic vacuums that exposed sensitive data of 7,000 users worldwide to unauthorized access. The flaw was discovered by Sammy Azdoufal, who managed to control vacuums using a PlayStation 5 controller.
The flaw lay in the "permission validation on the backend": any authenticated user could access data from every connected device, not only their own. In just nine minutes, Azdoufal catalogued 6,700 devices across 24 countries and collected over 100,000 messages.
DJI was alerted and fixed the issue in under 24 hours, although some vulnerabilities remain, including access to video feeds without a security PIN. The company stated that communication is encrypted via TLS but acknowledged that two updates are needed to fully resolve the issue.
The flaw raised concerns about data security: TLS encryption protects data in transit, but it did nothing to stop an authenticated user from reading other users' internal information. DJI promised a further fix in a few weeks to address the remaining issues.
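To make the "encrypted but not authorized" point concrete, here is an added Python example (not DJI's code, and not the actual Romo API) of a toy device-telemetry backend: the handler that only checks for a login beside one that also checks device ownership, plus a log-side check that flags one account sweeping many device IDs, as happened in the nine-minute catalogue described above. All names, the log format and the sample data are constructed.

```python
# Added example, not DJI's code: toy telemetry backend with the missing
# per-device permission check, its hardened form, and an enumeration detector.
from collections import defaultdict

# Constructed inventory: device_id -> owning account, and per-device data
DEVICES = {"dev-001": "alice", "dev-002": "bob", "dev-003": "carol"}
TELEMETRY = {d: f"map and video feed for {d}" for d in DEVICES}


class Forbidden(Exception):
    pass


def get_device_data_vulnerable(caller, device_id):
    """Checks only that the caller is logged in: any account can read any device."""
    if not caller:
        raise Forbidden("unauthenticated")
    return TELEMETRY[device_id]


def is_authorized(caller, device_id):
    """Object-level check: the requested device must belong to the caller."""
    return bool(caller) and DEVICES.get(device_id) == caller


def get_device_data_hardened(caller, device_id):
    """Same endpoint with the ownership check the backend was missing."""
    if not is_authorized(caller, device_id):
        # Same error for 'unknown' and 'someone else's' so existence is not leaked
        raise Forbidden("not your device")
    return TELEMETRY[device_id]


def try_read(handler, caller, device_id):
    """Convenience wrapper: returns the data, or None when access is refused."""
    try:
        return handler(caller, device_id)
    except (Forbidden, KeyError):
        return None


def find_enumerators(log_lines, max_distinct=5):
    """Flag accounts that requested more than max_distinct different devices.
    Constructed log format: '<timestamp> <account> <device_id> <status>'.
    Refused requests count too, so enumeration stays visible after the fix."""
    seen = defaultdict(set)
    for line in log_lines:
        _ts, account, device_id, _status = line.split()
        seen[account].add(device_id)
    return sorted(a for a, ids in seen.items() if len(ids) > max_distinct)


# Constructed access log: one account sweeps ten device IDs, a normal user polls her own
SAMPLE_LOG = [f"2024-01-01T00:00:{i:02d} mallory dev-{i:03d} 200" for i in range(1, 11)]
SAMPLE_LOG += ["2024-01-01T00:01:00 alice dev-001 200"] * 3
```

In a real deployment the distinct-device count would be taken per account per time window on the API gateway or backend access logs; the threshold here is illustrative.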
This case highlights the importance of rigorous security reviews, especially for internet-connected devices. DJI continues to work on improvements to protect user data.
Content selected and edited with AI assistance. Original sources referenced above.


