Spanish programmer Sammy Azdufal, while trying to connect a game controller to his robotic vacuum cleaner, unexpectedly gained access to nearly seven thousand similar devices in 24 countries. The story was described by Popular Science.
The device in question is the DJI Romo - an autonomous robotic vacuum cleaner that rolled off the assembly line in China last year and is gradually appearing for sale worldwide. The device costs around two thousand dollars, is equipped with cameras, microphones, and a navigation system, and can create a map of an apartment.
Azdufal is not an ordinary developer; he heads the digital technology and artificial intelligence promotion department at Clinitex. Sammy wanted to create his own app for remotely controlling the vacuum cleaner via a PS5 gamepad. To do this, he analyzed how the device interacts with the cloud servers of the manufacturer DJI using an AI assistant and attempted to obtain an access token - a digital key confirming the owner's right to control the equipment.
However, instead of verifying a single device, the servers mistakenly granted him administrator rights for thousands of other robots.
He was able to see live feeds from the vacuum cleaners' cameras, access audio from their microphones, and view floor maps. The IP addresses allowed him to determine the approximate location of the homes.
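The failure described above is a token that proves "this is a legitimate owner" without binding that proof to one specific device. The following added example (constructed for this article, not DJI's code; the token format, key and device IDs are hypothetical) contrasts a check that only validates the token's signature with one that also requires the requested device to match the device bound inside the token, and adds a log heuristic that flags one token touching many devices.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict

SECRET = b"constructed-demo-key"  # hypothetical server-side signing key


def issue_token(owner_id: str, device_id: str, ttl: int = 3600) -> str:
    """Issue an HMAC-signed token bound to one owner and one device."""
    payload = {"owner": owner_id, "device": device_id, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_token(token: str):
    """Return the claims if signature and expiry are valid, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        return None
    return claims


def authorize_weak(token: str, requested_device: str) -> bool:
    # Weak: any genuine token unlocks any device in the fleet.
    return verify_token(token) is not None


def authorize_scoped(token: str, requested_device: str) -> bool:
    # Hardened: the device in the request must equal the device bound in the token.
    claims = verify_token(token)
    return claims is not None and hmac.compare_digest(claims["device"], requested_device)


def tokens_with_fanout(access_log, threshold: int = 5):
    """Detection heuristic: list token IDs that accessed >= threshold distinct devices."""
    seen = defaultdict(set)
    for token_id, device in access_log:  # constructed (token_id, device_id) pairs
        seen[token_id].add(device)
    return sorted(t for t, devs in seen.items() if len(devs) >= threshold)
```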
DJI stated that they identified the vulnerability at the end of January and fixed it with two automatic updates released in early February.
This story once again highlights the dangers that smart home devices can pose. Robotic vacuum cleaners, surveillance cameras, and video doorbells collect data in the most private areas of homes. Most often, the information is stored on cloud servers that can be accessed remotely.
"The story with the robotic vacuum cleaner is indicative because it highlights the scale of vulnerabilities in global systems. One incorrectly configured authorization mechanism, and the user effectively becomes the administrator of an entire army of vacuum cleaners around the world," notes information security specialist Stanislav Chepanin. "Manufacturers of household appliances are focused on speed of product release and variety of functions, rather than building a reliable security architecture. Many adhere to the rule: 'First convenience, then security.' Meanwhile, devices operate around the clock, often have excessive access rights, and retain data in the cloud longer than necessary."
Cameras, motion sensors, microphones, smart locks, and robotic devices collect megabytes of information about each of us.
"Unauthorized access to this data is a powerful tool for pressure on apartment and house owners, their blackmail, and robberies. For special services, including foreign ones, the Internet of Things also simplifies life," adds Chepanin.
In 2024, unknown individuals hacked Ecovacs vacuum cleaners and programmed them to broadcast racist insults. A year ago, Dreame brand robotic vacuum cleaners were hacked. At that time, hackers gained access to the cameras.
Similar stories have occurred with Ring camera smart doorbells. A hacker managed to breach a camera that was installed in the room of an 8-year-old American girl in Tennessee. The man trolled the girl, made racist insults, and played music. Fortunately, the girl's mother quickly turned off the gadget.