Robot Vacuums Exposed: Thousands Remotely Controlled

A significant security lapse allowed a user to remotely control approximately 7,000 DJI robot vacuums globally. The individual discovered they could access live camera feeds, listen through microphones, and generate floor plans by simply extracting a device's private token, rather than breaching DJI's servers. This vulnerability theoretically exposed thousands of users' private spaces to potential unauthorized viewing and control.

DJI acknowledged a backend permission validation issue affecting its robot vacuums. While the company initially claimed the vulnerability was fixed earlier, it was confirmed to be only partially resolved until after the issue was demonstrated. DJI has since deployed updates to address the security flaw, restricting the previously available remote access.

This incident raises critical questions about the security and data handling practices of smart home device manufacturers. It underscores the broader challenges in securing IoT devices against potential threats, especially when sensitive data like live video feeds and detailed home layouts are involved. The company stated that communication was always encrypted using TLS, but the application layer vulnerability allowed unauthorized participants access to data in plaintext.

Further vulnerabilities may still exist, including bypassing security pins for video streams. Experts emphasize that server location does not guarantee data protection from internal access. While DJI has stated it has resolved the issue, ongoing vigilance and robust security measures are crucial for protecting consumer privacy in the connected home environment.