
Last month, a security researcher found a major security vulnerability in DJI’s first-ever robot vacuum, Romo. He was able to remotely access thousands of units, including their live camera feeds, through a PS5 controller. For its part, DJI issued a statement saying that it had fixed these security issues. Back then, it wasn’t clear whether DJI would reward the researcher with a bounty for his discovery. There seems to be a positive development in this regard. A new report says that DJI will pay the researcher who hacked Romo robovacs.
DJI will reportedly pay $30,000 to the researcher who hacked Romo robovacs
The Verge reports, citing the email he shared with the publication, that DJI will pay the researcher, Azdoufal, $30,000 for one single discovery. But it isn’t clear which discovery it’s paying him for. Though DJI is not naming Azdoufal, it reportedly confirmed to The Verge that it has “rewarded” an unnamed security researcher.
DJI further says that it has already addressed the extra vulnerability that the researcher found, where someone could view a DJI Romo video stream without needing a security PIN. “We can confirm that the PIN code security observation was addressed by late February,” said DJI spokesperson Daisy Kong in a statement.
There seems to be another major vulnerability that hasn’t been publicly disclosed. DJI reportedly says that it’s working on that as well. It notes that it has started upgrading the entire system, including a series of updates. DJI expects to “fully implement them within one month.”
No evidence of user data misuse
The company has published a blog post that focuses on security and continuous improvements. While claiming it discovered Romo’s security vulnerability itself, it is also crediting two security researchers who reported the same vulnerability. It says it resolved the issues with Romo and found no evidence of user data misuse. Then again, there wasn’t just one vulnerability. The report adds that DJI said that it could take as long as another month.
DJI brags about how Romo already has ETSI, EU, and UL certifications for security. But then again, seeing how a security researcher gained access to an entire network full of robovacs, it really raises doubts about how useful these certifications are. Either way, it adds that it will submit Romo and the DJI Home app to independent third-party security audits and additional certifications to further strengthen their security.
Lastly, DJI notes that it will further deepen its engagement with the security research community and will introduce new ways for researchers to partner and collaborate with it.
The post DJI Awards $30K Bounty to the Researcher Who Hacked Romo Vacuum appeared first on Android Headlines.