DJI will pay $30K to the man who accidentally hacked 7,000 Romo robovacs

On Valentine’s Day, I bring you a story that has since made headlines all over the world: how a man, trying to operate his DJI robot vacuum with a PlayStation gamepad, discovered an entire network of 7,000 remotely controllable DJI robots that would let him peek into other people’s homes.

Apparently, DJI had already started addressing some related vulnerabilities before a guy named Sammy Azdoufal showed up and found out how far he could reach. But it was unclear whether DJI would pay him for his discovery, especially after its dealings with security researcher Kevin Finisterre in 2017, or how quickly DJI could fully fix the additional vulnerabilities discovered by Azdoufal.

Today, we have some answers.

According to an email he shared with The Verge, DJI will pay Azdoufal $30,000 for a single discovery, without specifying which finding it is paying him for. Although DJI is not naming Azdoufal, it did confirm to The Verge that it has “rewarded” an unnamed security researcher for his work.

DJI also didn’t tell us what it was paying him to discover, but says it has already addressed the additional vulnerability found by Azdoufal, where someone could view DJI Romo video streams without needing the security PIN. “We can confirm that the PIN code security observation was addressed by the end of February,” a statement from DJI spokeswoman Daisy Kong said.

You may be wondering: What about the vulnerability that looked so bad we refused to describe it in our original story? DJI told me it’s working on that too: “We’ve also begun a system-wide upgrade. This includes a series of updates that we anticipate will be fully implemented within a month.”

DJI has also published a public blog post today about strengthening the security of the DJI Romo, where it continues to claim that it discovered the original issue itself, while also crediting “two independent security researchers” for finding the same problem.

There, DJI suggests that everything with Romo is already resolved: “Updates have been deployed to fully resolve the issue.” But then again, there wasn’t just one vulnerability, and DJI told The Verge the rest may take up to another month.

In the blog post, DJI also says that Romo already holds ETSI, EU, and UL security certifications, which may raise questions about how useful those certifications really are if one person with the cloud code can access an entire network full of robovacs. It adds that it will continue to test, patch, and submit Romo and its apps to independent third-party security audits.

DJI writes that it is “committed to deepening our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us.”
