The engineer could eavesdrop on people in their homes.
Spanish software engineer Sammy Azdoufal wanted to tweak his new DJI Romo robotic vacuum so he could control it using a PlayStation 5 controller. But while testing his custom remote control app, he discovered that the same authorization token allowing him to control his device accidentally gave him access to about seven thousand other robotic vacuums worldwide.
He could watch videos from the robots’ cameras, listen to audio from microphones, and see home maps that the devices create while navigating. The engineer stated that he gained control over the devices because his login credentials allowed access to others. This involved models from the Chinese company DJI.
The engineer then contacted The Verge to raise awareness about the security threat. “I found that my device was just one in an ocean of devices,” he said.
DJI later confirmed the existence of the flaw, describing it as an issue with backend authentication permissions, and stated that it had been fixed.
