DJI is set to pay $30,000 to the individual who inadvertently hacked 7,000 Romo robovacs.



$30,000 for the individual who accessed DJI’s robotic network.


Sean Hollister is a senior editor and a founding member of The Verge, specializing in gadgets, games, and toys. He dedicated 15 years to editing at various outlets including CNET, Gizmodo, and Engadget.

On Valentine’s Day, I presented you a narrative that has since captured global attention: How one individual, merely attempting to control his DJI robot vacuum with a PlayStation controller, stumbled upon a vast network of 7,000 remote-control DJI robots, allowing him to intrude upon others’ living spaces.

To clarify, DJI had initiated steps to fix some associated vulnerabilities prior to Sammy Azdoufal illustrating for The Verge just how extensive his access was. However, it remained uncertain whether DJI would compensate him for his findings, particularly following its treatment of security researcher Kevin Finisterre back in 2017 — or how quickly DJI would rectify the additional vulnerabilities identified by Azdoufal.

Today, we have gained some insights.

According to an email shared by Azdoufal with The Verge, DJI will compensate him $30,000 for a specific discovery, without disclosing the exact nature of this finding. While DJI is not naming Azdoufal, it confirms to The Verge that it has “rewarded” an unnamed security researcher for their endeavor.

DJI has opted not to reveal the discovery for which it is compensating him, but indicates that it has already resolved the additional vulnerability Azdoufal pointed out where an individual could view a DJI Romo video stream without needing a security PIN. “We can confirm that the PIN code security issue was addressed by late February,” stated a message from DJI representative Daisy Kong.

You might be curious: What about the vulnerability that appeared so serious we declined to explain it in our initial report? DJI informs me it is also tackling that matter: “We have initiated upgrades across the entire system. This encompasses a range of updates, which we expect to be fully deployed within a month.”

DJI has also released a public blog entry today discussing the enhancement of DJI Romo’s security, in which it continues to assert that it identified the original issue independently, while also crediting “two independent security researchers” for uncovering the same issue.

In that post, DJI implies that everything is already resolved with the Romo: “Updates have been implemented to completely rectify the issue.” Nevertheless, there were multiple vulnerabilities, and DJI informed The Verge that it may take up to another month for full resolution.

In the blog entry, DJI further notes that the Romo carries ETSI, EU, and UL certifications for security — raising doubts about the actual efficacy of these certifications if one individual using Claude Code managed to infiltrate an entire network filled with robotic vacuums! — and that it will stay committed to testing, correcting, and submitting the Romo and its application to independent third-party security evaluations.

DJI asserts that it is “dedicated to enhancing our collaboration with the security research community, and we will soon introduce new methods for researchers to work alongside us.”
