12. March 2026

A recent discovery by software engineer Sammy Azdoufal has uncovered a major security flaw in DJI’s cloud infrastructure, potentially exposing thousands of robot vacuum devices worldwide. The vulnerability, reported by The Verge, allowed access to a fleet of roughly 7,000 devices across 24 countries, raising concerns about the security of connected home devices.
The incident has sparked fresh discussions about the need for robust security measures in IoT (Internet of Things) devices, particularly those that rely on cloud infrastructure. While DJI claims that the issue has been fixed and no user data appears to have been misused, the episode highlights the importance of responsible disclosure and bug bounty programs in identifying and remediating vulnerabilities.
Azdoufal’s discovery began with an experiment to control his DJI ROMO robot vacuum using a PlayStation 5 controller instead of the standard smartphone app. To achieve this, he built a custom controller interface that would communicate with DJI’s cloud systems. Like many connected devices, the robot vacuum verifies ownership through a security token that authenticates commands sent from the user’s device.
To extract the token and understand how authorization worked, Azdoufal began reverse-engineering the process used by DJI’s cloud backend. He reportedly used an AI coding tool to help analyze the system. What he found surprised him – instead of granting access only to his own vacuum, the backend validation process allowed much broader permissions. The system effectively opened a door to thousands of devices connected to the same cloud infrastructure.
The vulnerability meant Azdoufal could see data tied to roughly 7,000 DJI ROMO vacuums worldwide. Because the robot vacuums include built-in cameras and microphones, the vulnerability also allowed potential access to live camera feeds and audio streams. Additionally, the system stored mapping information created by the vacuums as they cleaned homes, which could be used to generate 2D floor plans of houses where these devices were operating.
Furthermore, the backend reportedly exposed the IP addresses associated with the homes, which could potentially reveal approximate geographic locations. This raises concerns about the potential for misuse of this data, particularly if it falls into the wrong hands.
DJI has offered a slightly different timeline for how the vulnerability was discovered and fixed. According to the company, it identified a backend validation issue involving the DJI Home app in late January during a routine internal security review. The issue affected the new ROMO robot vacuum product as well as certain DJI power stations.
Two independent security researchers later reported the same vulnerability through DJI’s bug bounty program, contributing to the remediation process. The company says that updates have already been deployed to fix the issue, stating, “Technology is not static; it is constantly evolving, and security must evolve with it.”
However, some uncertainty surrounds the $30,000 reward that DJI promised to an unnamed researcher for one of the reported discoveries. While DJI confirmed that it had compensated a researcher, the company did not specify which particular finding qualified for the payout.
Bug bounty programs are commonly used in the tech industry to encourage independent researchers to responsibly disclose vulnerabilities instead of exploiting them. Companies then reward researchers depending on the severity of the bug. DJI’s program has been active for nearly a decade, with over 300 security researchers submitting reports regarding potential vulnerabilities across its platforms.
The importance of responsible disclosure cannot be overstated. By identifying and reporting vulnerabilities, researchers help companies like DJI to strengthen their security measures and prevent potential misuse of their products. In this case, Azdoufal’s discovery was reported responsibly, and his efforts are being recognized by DJI with a significant reward.
DJI emphasized that it has invested heavily in strengthening the security of its ecosystem over the years. The company maintains a dedicated product security team, conducts regular architecture and code reviews, and performs end-to-end penetration testing to identify potential vulnerabilities. It also follows coordinated disclosure practices and deploys automatic patches when needed.
The ROMO product line itself has already received multiple security certifications, including ETSI EN 303 645, EU RED requirements, and UL Solutions Diamond IoT Security certification. DJI plans to continue submitting its products – including ROMO and the DJI Home app – to independent third-party security audits.
The vulnerability in DJI’s cloud infrastructure highlights a broader reality of the modern smart home. Devices like robot vacuums, security cameras, and smart speakers rely heavily on cloud infrastructure, and any weakness in that infrastructure can have wide-reaching effects.
For consumers, this episode serves as a reminder of the importance of robust security measures in connected devices. While DJI has taken steps to address the vulnerability, the episode underscores the need for companies to invest in their security capabilities and engage with independent researchers to identify and remediate potential vulnerabilities.
In conclusion, the discovery of the vulnerability in DJI’s cloud infrastructure serves as a wake-up call for companies to prioritize security in their IoT devices. By embracing responsible disclosure and bug bounty programs, companies can strengthen their security measures and prevent potential misuse of their products. As we move forward with the development of more connected devices, it is essential that we prioritize robust security measures to protect our homes and personal data.