DJI to Pay Researcher After Romo Vacuum Hack

DJI is reportedly set to pay security researcher Sammy Azdoufal after his discovery exposed a worrying level of remote access across its Romo robot vacuum line. Azdoufal first drew attention when he used a PlayStation controller to steer a Romo and realized he could connect to a network of devices that allowed camera access in people's homes.

The revelation sparked concern because the issue could let outsiders peek into private living spaces. DJI had already begun patching some related bugs before Azdoufal's demonstration, but his work highlighted how widespread and easily reachable some devices remained.

Company responses to independent security research have been uneven in the past, which made observers question whether DJI would reward Azdoufal for his findings. This time, however, DJI appears to be offering compensation, signaling a more cooperative approach to handling third-party vulnerability reports.

From a technical standpoint, the problem centered on how Romo devices handled remote-control protocols and authentication, creating opportunities for unauthorized connections when defaults or weak protections were present. Fixes have focused on strengthening authentication, locking down remote access endpoints, and pushing firmware updates to affected units.

For owners, the immediate takeaway is to ensure their Romo vacuums are updated and to follow any official guidance from DJI about securing networked devices. The episode also reminds smart-home buyers to weigh privacy and security in addition to features and price.

While compensation for researchers isn't a universal solution, this development could encourage more coordinated disclosure among security researchers and manufacturers, potentially reducing the window of exposure for vulnerable consumer devices.