Uncovering DJI’s Security Vulnerabilities: What You Need to Know
On Valentine’s Day, a remarkable story emerged about Sammy Azdoufal, who, while navigating his DJI robot vacuum with a PlayStation controller, stumbled upon an extensive network of 7,000 remote-controlled DJI devices. This discovery raised alarms about privacy and security, as it allowed him to potentially gain access to numerous homes.
DJI’s Response to Vulnerabilities
Prior to Azdoufal’s revelations, DJI had begun tackling some of the vulnerabilities associated with their products. However, questions lingered about whether the company would reward Azdoufal for his findings. This concern was heightened by DJI’s past treatment of security researchers, notably Kevin Finisterre in 2017, who reported similar issues.
Compensation for Security Discoveries
Recent updates have clarified that DJI will compensate Azdoufal with $30,000 for one specific discovery, although the exact nature of this discovery remains undisclosed. While DJI refrains from naming Azdoufal, they confirmed to The Verge that they have indeed rewarded an anonymous security researcher.
Addressing the Vulnerabilities
DJI has already acted on a critical vulnerability identified by Azdoufal, which allowed unauthorized access to DJI Romo video streams without a security PIN. According to DJI spokesperson Daisy Kong, this issue was resolved by late February. However, concerns remain about additional vulnerabilities.
Future Security Updates
In response to questions about other outstanding vulnerabilities, DJI assured that they are actively working on improvements. They anticipate that a comprehensive system upgrade, addressing these concerns, will be fully implemented within the next month.
Strengthening Security Measures
In conjunction with these updates, DJI published a blog post detailing efforts to bolster the security of the DJI Romo. The company claimed to have discovered the original issue internally and credited two independent security researchers for their contributions.
Certifications and Commitment to Security
DJI emphasized that the Romo holds certifications from ETSI, EU, and UL for security. This raises questions about the efficacy of these certifications, especially when a single individual can access an extensive network of devices. DJI pledged to continue rigorous testing and submit their products for independent audits to ensure ongoing security.
Future Collaboration with Security Researchers
Looking ahead, DJI expressed their commitment to enhancing engagement with the security research community, announcing plans to introduce new collaborative initiatives for researchers. This move aims to foster a safer technological environment for all users of DJI products.
