DJI will pay $30,000 to a man who discovered a critical vulnerability in the company's cloud infrastructure. The flaw gave him access to a fleet of about 7,000 robot vacuums and allowed him to peek into other people's homes.
DJI will pay $30,000 to a man who discovered a critical vulnerability in the company's cloud infrastructure. The flaw gave him access to a fleet of about 7,000 robot vacuums and allowed him to peek into other people's homes.
A software engineer received a reward letter from DJI after discovering a vulnerability when he tried to control his robot vacuum cleaner using a PS5 controller, The Verge writes .
DJI agreed to pay him $30,000 for one of his discoveries, although the company did not specify which one. According to The Verge, DJI confirmed that the reward was paid to the researcher, whose name is not officially disclosed.
It all started earlier this year, when an IT guy wanted to control his robot vacuum cleaner using something more convenient than a smartphone screen.
To control his DJI Romo using a PS5 gamepad, the man developed his own controller app that used his security token to verify ownership of the device to the robot vacuum cleaner.
To obtain this token, he had to work with DJI's cloud servers to reverse engineer the authorization process, which he successfully did using an AI code writing tool.
As it turned out, instead of checking access to just one robot, DJI's backend granted it broad access to about 7,000 robot vacuums in 24 countries, along with their sensor data and information stored in the cloud.
