{"id":333315,"date":"2026-03-07T06:03:07","date_gmt":"2026-03-07T06:03:07","guid":{"rendered":"https:\/\/www.newsbeep.com\/ie\/333315\/"},"modified":"2026-03-07T06:03:07","modified_gmt":"2026-03-07T06:03:07","slug":"dji-will-pay-30k-to-the-man-who-accidentally-hacked-7000-romo-robovacs","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/ie\/333315\/","title":{"rendered":"DJI will pay $30K to the man who accidentally hacked 7,000 Romo robovacs"},"content":{"rendered":"<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">On Valentine\u2019s Day, I brought you <a href=\"https:\/\/www.theverge.com\/tech\/879088\/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt\" rel=\"nofollow noopener\" target=\"_blank\">a story that\u2019s since made headlines all around the world<\/a>: How one man, just trying to steer his DJI robot vacuum with a PlayStation gamepad, discovered an entire network of 7,000 remote-control DJI robots ready to let him peek into other people\u2019s homes.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">To be clear, DJI had already begun addressing some of the related vulnerabilities before the man, Sammy Azdoufal, showed The Verge just how much he could access. 
But it wasn\u2019t clear whether DJI would pay him for his discovery, particularly after <a href=\"https:\/\/www.theverge.com\/2017\/11\/20\/16669724\/dji-bug-bounty-program-conflict-researcher\" rel=\"nofollow noopener\" target=\"_blank\">how it treated security researcher Kevin Finisterre back in 2017<\/a> \u2014 or how soon DJI might fully patch the additional vulnerabilities that Azdoufal discovered.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Today, we have some of the answers.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">DJI will pay Azdoufal $30,000 for one single discovery, according to an email he shared with The Verge, without specifying which discovery it\u2019s paying him for. Though DJI is not naming Azdoufal, it confirms to The Verge it has \u201crewarded\u201d an unnamed security researcher for their work.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">DJI would also not tell us which discovery it\u2019s paying him for, but says it has already addressed the extra vulnerability Azdoufal found where someone can view a DJI Romo video stream without needing a security PIN. \u201cWe can confirm that the PIN code security observation was addressed by late February,\u201d reads a statement provided by DJI spokesperson Daisy Kong.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">You might be wondering: What about the vulnerability that seemed so bad we refused to describe it in our original story? DJI tells me it\u2019s working on that one too: \u201cWe have also started upgrading the entire system. 
This includes a series of updates, which we anticipate will be fully implemented within one month.\u201d<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">DJI has also published <a href=\"https:\/\/viewpoints.dji.com\/blog\/security-and-continuous-improvement-romos-path-forward\" rel=\"nofollow noopener\" target=\"_blank\">a public blog post today<\/a> about strengthening the DJI Romo\u2019s security, one where it continues to claim that it discovered the original issue itself, while also crediting \u201ctwo independent security researchers\u201d for finding the same problem.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">There, DJI seems to be suggesting that everything\u2019s already resolved with the Romo: \u201cUpdates have been deployed to fully resolve the issue.\u201d But again, there wasn\u2019t just one vulnerability, and DJI told The Verge that it could take as long as another month.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">In the blog post, DJI also says that the Romo already has ETSI, EU, and UL certifications for security \u2014 which may raise questions about how useful those certifications really are if one guy with Claude Code could access an entire network full of robovacs! 
\u2014 and that it will continue to test, patch, and submit the Romo and its app to independent third-party security audits.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">DJI writes that it is \u201ccommitted to deepening our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"On Valentine\u2019s Day, I brought you a story that\u2019s since made headlines all around the world: How one&hellip;\n","protected":false},"author":2,"featured_media":333316,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[61,60,43,216,80],"class_list":{"0":"post-333315","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-ie","9":"tag-ireland","10":"tag-news","11":"tag-tech","12":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts\/333315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/comments?post=333315"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts\/333315\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/media\/333316"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/media?parent=333315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp
\/v2\/categories?post=333315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/tags?post=333315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}