Robo vacuums hacked

Imagine a still room in a London flat and the sudden whirring of a robot vacuum. Inside the vacuum is a tiny camera that records every corner. A Spanish software engineer, Sammy Azdoufal, found himself able to see through not just his own unit but thousands of devices located around the globe.

Azdoufal had wanted to do something new with his DJI Romo vacuum cleaner. He experimented to get the device to react to a PlayStation 5 controller using artificial intelligence.

That tinkering became a discovery. 'I found my device was one of an ocean of devices,' he told The Verge. 'I didn't violate any rules, I didn't jump the gun, I didn't cheat, brute force, whatever.'

His role as head of AI at a property management and travel group in Spain gave him the skills to test the firmware. He never thought the code would open a door to 7000 vacuums in 24 countries.

Glitch that spanned 24 nations

The flaw lay in the way the robots were connected to DJI's cloud servers.

Azdoufal did not hack into DJI's infrastructure; the glitch went directly to the devices themselves. He was able to watch live footage, listen to microphones and even map the layout of a home.

Azdoufal tapped into the tech company's network, a breach that illustrates the ease with which bad actors could obtain data in a tech-saturated society.

The scale shocked him. He had no intention of spying.

He just wanted to control the vacuum using something familiar. Instead, he ended up being a ghost in a thousand smart houses.

The engineer explained how each of the vacuums was a window into a private space. The cameras sent data to the cloud and the microphones recorded the sounds in the room. By following the IP addresses, Azdoufal was able to pinpoint devices all over the world. He could even compile floor plans using the mapping data from the vacuum.

DJI responds with fixes, and future safeguards

DJI got notice of the report quickly. 'DJI can confirm the issue was fixed last week and remediation is already in progress before public disclosure,' a spokesperson, Daisy Kong, wrote to The Verge.

'DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. DJI will continue to implement additional security enhancements as part of its ongoing efforts.'

The company also stated that other network issues would be addressed soon. While the fix appears to be immediately available, the incident raises questions about the number of other IoT devices that have similar vulnerabilities.

More robot vacuum hijacks

This isn't the first time a vacuum has been hijacked.

Two years before this, Ecovacs robot vacuums were reprogrammed to bombard US homeowners with racial slurs. That hack made headlines, and it appeared to mark the beginning of a trend. The DJI case shows that the problem is not limited to a handful of units, but is a widespread issue that impacts thousands of units.

Homeowners who purchased a DJI Romo or a similar device need not panic, but they should look into firmware updates and security settings. Manufacturers need to strengthen their authentication and encryption protocols. Consumers, as well, should be aware of the data the devices collect.