Thursday, 12 March 2026

DJI fixes security issues with its Romo robots, but one remains

DJI recently launched a range of robot vacuums in Australia, but the timing unfortunately coincided with security concerns. Since then, DJI has resolved some of the issues at the heart of the recent controversy while working to fix one remaining vulnerability.

Just before DJI launched the Romo robot vacuums in Australia, a software engineer by the name of Sammy Azdoufal accidentally gained access to thousands of robots in other regions around the world. All he wanted to do was control his device using a PlayStation DualSense controller. Instead, Azdoufal, using Claude Code, inadvertently found a way to remotely control other people’s Romo robots.

DJI deployed a fix in early February, which didn’t require any user input. More recently, the company published a blog post explaining what happened.

“In late January, as part of routine internal security reviews, DJI identified a backend validation issue involving the DJI Home app that affected our new ROMO product and some DJI power stations,” the blog post said.

“Our investigation indicates that the observed activity was primarily related to security researchers’ testing, and we did not identify evidence that user data was misused.”

Is the DJI Romo vulnerability fully fixed?

According to The Verge, DJI will pay Azdoufal US$30,000 for assisting with identifying and fixing one of the reported vulnerabilities. One vulnerability involved being able to access a DJI Romo’s video stream without needing a PIN code. A DJI spokesperson told The Verge that this issue was fixed in late February.

However, The Verge’s reporting also alludes to a yet-unnamed vulnerability that has not been resolved. According to DJI’s spokesperson, the company is “upgrading the entire system”, with a series of updates set to roll out within a month.

It’s not known what this remaining vulnerability is. The Verge reporter Sean Hollister labelled it “so bad [The Verge] refused to describe it in our original story”. When there’s a risk of security vulnerabilities being exploited by bad actors, it’s common practice not to publish the full details, so that there’s time to fix the problem before the public knows.

DJI’s blog doesn’t reference this reported vulnerability. Instead, it outlines the brand’s approach to security, including the role that its security team plays alongside external researchers via a bug bounty program.

“Security is a never-ending process, and we will continue to share developments along the way,” the blog post concludes.

In GadgetGuy’s review of the flagship DJI Romo P model, the device received praise for its cleaning capabilities and excellent navigation. However, its security concerns left some lingering question marks.

The post DJI fixes security issues with its Romo robots, but one remains appeared first on GadgetGuy.

