DJI paid $30,000 to a person who unintentionally hacked 7,000 Romo robot vacuums
Brief chronology: DJI Romo vulnerabilities and manufacturer response
| Stage | What happened | How the company responded |
|---|---|---|
| February: discovery of issues | Owners of DJI Romo robot vacuums found several critical weaknesses. One user, attempting to control the device with a Sony PlayStation gamepad, discovered a network of 7,000 remotely controllable robots that opened access to video streams from other people's homes. | DJI announced its intention to pay a bounty for the vulnerability discovery. |
| Public acknowledgment | The Verge reported that a user named *Sammy Azdoufal* received $30,000. However, the company did not disclose details of the specific flaw and did not mention the name in its official documents. | DJI stated that the vulnerability allowed video streams to be viewed without entering a PIN code; the fix was deployed by the end of February. |
| More serious issue | One of the discovered bugs turned out to be potentially more dangerous, but its details were not disclosed to the media. | In its official blog the company announced plans for "modernizing the entire system" and launched a series of updates that should be fully deployed within a month. |
| Appreciation to researchers | DJI noted that the problems were identified independently, but expressed gratitude to two independent security specialists for their contribution. | The company emphasized its commitment to engaging with the research community and promised to present new collaboration pathways soon. |
| Security certifications and reliability concerns | DJI pointed out that Romo holds ETSI, EU, and UL certificates. Yet one person managed to bypass the security system using the Claude Code service, raising doubts about the real effectiveness of these certificates. | In a company statement, the commitment to deepen engagement with the security research community is highlighted. |
Summary:
DJI paid $30,000 to a user who discovered a vulnerability in Romo's video stream. At the same time, the company began large-scale work on updating and strengthening the protection of its robot vacuums, while acknowledging the need for closer cooperation with independent security researchers. Although Romo holds ETSI, EU, and UL certificates, the fact that 7,000 devices were compromised raises questions about the real reliability of the protective measures in place.