TOKYO, February 26
In an unsettling turn of events, programmer Sammy Azdoufal set out with a simple objective: to maneuver his robot vacuum cleaner utilizing a PlayStation controller.
However, he inadvertently accessed a staggering 7,000 additional devices, igniting concerns about the security vulnerabilities inherent in smart home technology.
This revelation has prompted scrutiny within the tech community, leading the Chinese manufacturer DJI to acknowledge and rectify a “vulnerability” detected within its software.
Azdoufal, a French developer residing in Barcelona, recounted his experience during a recent phone conversation with AFP, stating that his curiosity drove him to customize his sophisticated DJI Romo vacuum cleaner.
“They have an app linked to the vacuum. So I tried to understand what the app was transmitting to the robot when I maneuvered it,” Azdoufal remarked.
Curiosity piqued, he connected the gaming controller and whimsically decided to program the vacuum to emit a crying sound when its battery dwindled.
“Sometimes my brain is a bit peculiar,” the 32-year-old chuckled.
As Azdoufal probed deeper to ascertain the battery status, he was both perplexed and “a little bit scared” upon discovering data belonging to myriad other vacuum cleaners.
“You can access a comprehensive map of the rooms, along with access to the camera, microphone,” in addition to the approximate location of each device, he asserted.
After he shared his startling discovery with a friend, both felt an overwhelming sense of alarm, prompting Azdoufal to reach out to DJI regarding the apparent security breach. Azdoufal presently serves as the head of artificial intelligence for a vacation rental platform and possesses a background in cybersecurity.
In a bid to safeguard their privacy, his wife has since covered the camera on their vacuum cleaner.
‘Super fancy’
When DJI failed to respond promptly, Azdoufal sought assistance from the technology publication The Verge, which provided him with the 14-digit serial number of a recently reviewed DJI Romo.
The Verge then reported that Azdoufal skillfully generated an accurate floor plan of a reporter’s home, confirming that the robot vacuum was indeed in operation.
However, he remained unable to control the device or access its camera or microphone, according to the publication, which also noted that DJI had reportedly restricted access to these features upon being informed of the issue.
DJI, headquartered in Shenzhen and renowned for its drones and cutting-edge devices, promotes the Romo series—priced at approximately $2,000 for its premium models—as its “flagship robot vacuum with advanced sensing capabilities.”
Azdoufal purchased the vacuum in December and began using it in January, justifying the expense with the quip that it’s “super fancy” and that “I’m a bit foolish.”
In response to inquiries from AFP, DJI stated that it had “identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately.”
The company addressed the issue via two updates in early February, asserting that “no user action [was] required.” DJI emphasized that it upholds stringent data privacy and security standards and has established protocols to identify and address potential vulnerabilities.
The organization affirmed, “We take reports from the security community seriously and investigate them promptly. We are striving to enhance the PIN code verification mechanism and are reviewing the researcher’s additional claims.”

Furthermore, the company gave assurances that its backend systems benefit from layered safeguards, including rigorous access controls, with sensitive user data protected through encryption where necessary.
Source link: Malaymail.com.





