Sometimes it doesn’t take much to gain access to extremely sensitive data. Following a most unexpected discovery, a French programmer is trying to raise awareness about the security of our connected devices. At the start of the year, Sammy Azdoufal wanted to have fun connecting a PlayStation 5 controller to his DJI Romo robot vacuum cleaner to control it in an unusual way. But what should have been a simple programming project turned into a plunge into the network infrastructure of a manufacturer better known for its drones.
By connecting his vacuum cleaner to the control application he had quickly written for this personal project, Sammy Azdoufal was surprised to discover that access to his own device also gave him control over more than 7,000 of the brand’s robot vacuum cleaners around the world. And the problem went well beyond moving vacuum cleaners around with a PlayStation 5 controller. The data packets exchanged also contained the devices’ serial numbers, battery percentage and distance travelled, as well as the maps of the owners’ apartments and the video feed from the cameras the vacuum cleaners use to orient themselves and identify their surroundings. All this without the French programmer resorting to any sophisticated hacking methods.
Access any vacuum cleaner via serial number
Sean Hollister, a journalist at The Verge who contacted Sammy Azdoufal, was able to see the extent of this unprecedented flaw. After Hollister gave the programmer the serial number of a DJI Romo vacuum cleaner belonging to a colleague who had recently tested it, the two men were able to view the floor plan of the colleague’s apartment as well as the feed from the vacuum cleaner’s camera. “I didn’t break any rules, I didn’t bend, I didn’t hack, use brute force, anything else,” explains the French programmer, a former cybersecurity expert. He simply extracted the private token from his own vacuum cleaner, the digital key that should only have let him access the data on his own device, not that of others.
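The flaw described above is the classic broken object-level authorization pattern: the cloud service checks that a device token is genuine, but never checks that the token belongs to the device whose serial number is being requested. The following is an added illustration written for this article, not DJI’s code; the token format, the `FLEET` records, the serial numbers and the function names are all constructed assumptions. It places the vulnerable check next to a hardened one that binds the token to a single serial and logs refused cross-device requests so they can be alerted on.

```python
import hashlib
import hmac

# Constructed server-side signing key; a real service keeps this secret.
SERVER_KEY = b"constructed-demo-key"

# Constructed fleet data standing in for the per-device records the article
# lists (serial number, battery level, apartment map). Hypothetical values.
FLEET = {
    "ROMO-0001": {"owner": "alice", "battery": 87, "map": "alice-floorplan"},
    "ROMO-0002": {"owner": "bob", "battery": 42, "map": "bob-floorplan"},
}

# Audit trail of refused cross-device requests; a burst of these is the
# detection signal a defender would alert on.
AUDIT = []


def issue_device_token(serial: str) -> str:
    """Mint a token bound to one device: '<serial>.<HMAC-SHA256(serial)>'.
    A stand-in for whatever signed credential a real cloud hands a device."""
    mac = hmac.new(SERVER_KEY, serial.encode(), hashlib.sha256).hexdigest()
    return f"{serial}.{mac}"


def token_subject(token: str):
    """Return the serial the token was issued for, or None if it is
    forged or malformed. Authentication only: says who the caller is."""
    if "." not in token:
        return None
    serial, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, serial.encode(), hashlib.sha256).hexdigest()
    return serial if hmac.compare_digest(mac, expected) else None


def get_status_vulnerable(token: str, serial: str):
    """Vulnerable pattern: any genuine device token unlocks any serial
    number. This is the behaviour the article describes."""
    if token_subject(token) is None:
        return None  # would be HTTP 401
    return FLEET.get(serial)  # no check that the token owns this serial


def get_status_fixed(token: str, serial: str):
    """Hardened pattern: authentication plus object-level authorization.
    The requested serial must be the one the token was issued for."""
    bound = token_subject(token)
    if bound is None:
        return None  # 401: forged or malformed token
    if not hmac.compare_digest(bound.encode(), serial.encode()):
        # Refuse with the same response as an unknown serial, so the reply
        # does not confirm the serial exists, and record it for detection.
        AUDIT.append({"token_serial": bound, "requested": serial,
                      "result": "denied"})
        return None
    return FLEET.get(serial)


if __name__ == "__main__":
    alice = issue_device_token("ROMO-0001")
    print("vulnerable:", get_status_vulnerable(alice, "ROMO-0002"))  # Bob's record leaks
    print("fixed:", get_status_fixed(alice, "ROMO-0002"))            # None
    print("audit:", AUDIT)
```

The point of the comparison is that the token in the vulnerable handler proves only that the caller owns some device; the hardened handler ties the credential to exactly one serial, so the serial number stops being a usable lookup key on its own. The same binding can be expressed as an account-to-device ownership table instead of an HMAC-bound token; what matters is that the authorization decision is made per object, not once per session.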
What implications for our other connected devices?
Sammy Azdoufal immediately alerted the DJI teams, who have since corrected the flaw with two patches deployed at the beginning of February. No action is required from users. Here is what the brand said following this mini scandal:
“DJI maintains strict data privacy and security standards and has processes in place to identify and address potential vulnerabilities. The company has invested in an industry-standard encryption system and has long operated a bug bounty program. We have reviewed the findings and recommendations provided by independent security researchers who contacted us as part of this program, in accordance with our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.”
But this discovery raises many questions about the connected devices multiplying in our homes. Other brands have already suffered hacks of this type (Ecovacs in 2024, for example), which suggests that the security of home automation devices is still far from perfect. How do we know whether our vacuum cleaners, our cameras or even our automatic kibble dispensers are not just one simple flaw away from revealing sensitive information to malicious people? One thing is certain: this kind of affair should make us more vigilant about the trust we place in the giants of robotics and home surveillance.
