# DJI Robot Vacuum Data Breach: How One Hacker Exploited a Vulnerability in 7,000 Devices
In a disturbing incident that highlights the importance of cybersecurity awareness, a lone hacker gained remote access to around 7,000 DJI Romo robot vacuums worldwide using a PlayStation 5 controller. The vulnerability was exploited by Sammy Azdoufal, who built a custom app that connected to DJI's global servers, allowing him to see inside people's homes over the internet.
DJI released the Romo last year, leveraging its extensive drone technology, including obstacle-detection imaging and a binocular fisheye vision sensor. However, this advanced technology came at a cost: security vulnerabilities. Azdoufal's app was able to connect to DJI's servers using a private token from his own Romo device, granting him access to pre-production DJI servers as well. This level of access is concerning, especially since the hacker did not break any rules or bypass security measures.
The Verge reported on this incident earlier this month, and it has raised questions about the security of home technology devices. As one publication noted, people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Unfortunately, this is not always the case. The DJI Romo has been identified as having security vulnerabilities, which DJI claims will be resolved in "weeks."
To understand how Azdoufal exploited these vulnerabilities, we need to delve into the technical details of the incident.
The DJI Romo uses a proprietary app to connect to its devices and the internet. This app is designed to allow users to control their robots remotely using a smartphone or tablet. However, this same app also provides access to the device's camera system, allowing users to see inside their homes over the internet. Azdoufal discovered that by using a PlayStation 5 controller, he could connect to DJI's global servers and gain remote access to the Romo vacuum systems worldwide.
The hacker built a custom app that utilized the PS5 controller's capabilities to control the DJI Romo. This app was able to connect to DJI's servers using a private token from Azdoufal's own device, allowing him to bypass security measures. He also demonstrated that he could use an individual robot's IP address to track down its approximate location.
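A token taken from one device reaching thousands of others is the pattern of a server that authenticates a token but never checks which device that token is entitled to. The sketch below is an added example, not DJI's code: the page does not describe DJI's server logic, so the token format, key, function names and device IDs are all constructed assumptions. It contrasts the weak check with a device-scoped one and adds a simple log-based detection.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side signing key


def issue_token(device_id: str) -> str:
    """Issue a token bound to one device: '<device_id>.<hex HMAC>'."""
    mac = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def token_device(token: str):
    """Return the device ID a token was issued for, or None if it is invalid."""
    device_id, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    valid = device_id and hmac.compare_digest(mac.encode(), expected.encode())
    return device_id if valid else None


def authorize_weak(token: str, requested_device: str) -> bool:
    """Authentication only: any valid token is accepted for any device."""
    return token_device(token) is not None


def authorize_scoped(token: str, requested_device: str) -> bool:
    """Authentication plus authorization: the token must belong to the device."""
    owner = token_device(token)
    return owner is not None and owner == requested_device


def tokens_spanning_devices(access_log, limit=1):
    """Detection: report tokens that requested more than `limit` distinct devices."""
    seen = {}
    for token, device in access_log:
        seen.setdefault(token, set()).add(device)
    return {tok: len(devs) for tok, devs in seen.items() if len(devs) > limit}


if __name__ == "__main__":
    own = issue_token("romo-0001")  # constructed device ID
    print("weak check, other device:  ", authorize_weak(own, "romo-0002"))
    print("scoped check, other device:", authorize_scoped(own, "romo-0002"))
    print("scoped check, own device:  ", authorize_scoped(own, "romo-0001"))
```

The same per-device comparison belongs on every server path that returns camera, map or telemetry data, and the log check gives operators a signal when a single credential starts touching many devices.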
One of the most concerning aspects of this incident is that it highlights the importance of cybersecurity awareness in home technology devices. As one publication noted, "people who put a camera into their home expect that data to be protected." However, as we have seen with the DJI Romo, this expectation is not always met. The fact that Azdoufal was able to exploit security vulnerabilities without breaking any rules or bypassing security measures only adds to the concern.
DJI has already taken steps to address these vulnerabilities, and it is reassuring that the company is taking proactive measures to resolve the issue. However, the incident serves as a reminder that cybersecurity is an ongoing process and requires constant vigilance from device manufacturers and users alike.
As we move forward in the world of home technology devices, it is essential that we prioritize security and take steps to protect our personal data. The DJI Romo incident may seem like an isolated case, but it highlights the broader risks associated with connected devices and the importance of cybersecurity awareness.
In conclusion, the DJI Romo robot vacuum data breach serves as a wake-up call for device manufacturers and users alike. It highlights the need for ongoing security testing and vigilance in the face of emerging technologies. As we look to the future of home technology devices, it is essential that we prioritize security and take steps to protect our personal data.