On Valentine’s Day (February 14), security researcher Sammy Azdoufal demonstrated that a PlayStation gamepad could be used to access a network of roughly 7,000 DJI Romo robot vacuums, exposing live streams from other people’s devices. DJI has since acknowledged the report and, in a message shared with The Verge, confirmed it has rewarded a researcher with $30,000 for a finding related to the incident. The company says one specific PIN bypass was fixed by late February and that broader system upgrades are underway, with full deployment expected within about a month. Questions remain about which exact discovery earned the reward and whether all related issues are fully resolved.
Key Takeaways
- Researcher Sammy Azdoufal demonstrated remote access to an estimated 7,000 DJI Romo devices on February 14, using a PlayStation controller to explore exposed streams.
- DJI confirmed it has paid an unnamed researcher $30,000; the company has not specified which vulnerability the payment covers.
- DJI told The Verge that the PIN-code bypass allowing view-only access to Romo streams was addressed by late February.
- DJI published a public blog post crediting “two independent security researchers” alongside its own discovery and saying updates have been deployed.
- The company said it plans a broader upgrade of the Romo system, with a phased rollout that DJI expects to complete within about one month.
- DJI highlighted existing ETSI, EU and UL security certifications for Romo even as the episode raises questions about how those certifications are applied.
- DJI also said it will expand engagement with the security research community and pursue independent third-party audits of the Romo and its app.
Background
Romo is DJI’s robot vacuum platform; it pairs with a mobile app that offers remote control and an optional live video feed from the device’s camera. As consumer robots and Internet-connected appliances multiply, so do concerns about default security settings, authentication, and how device identity and streaming are handled on the vendor’s backend. Researchers routinely probe these systems and sometimes find gaps that allow unauthorized access to cameras or controls.
The incident touched a raw nerve because it echoed prior friction between security researchers and vendors. In 2017, DJI faced criticism for its handling of a bug-bounty report from security researcher Kevin Finisterre, and that episode is still cited when observers wonder whether companies will reward or penalize researchers who disclose findings. Since then, many device makers have set up formal bug-bounty programs and partnerships with outside testers to reduce both risk and public friction.
Main Event
On February 14, Azdoufal used a standard PlayStation gamepad to control a Romo device and discovered he could enumerate and connect to thousands of other Romos that were reachable through DJI’s backend. The Valentine’s Day demonstration showed, by his account, extensive visibility into other users’ streams and controls, and it drew rapid attention from journalists and security specialists. Azdoufal shared evidence of his findings with The Verge and later provided an email showing DJI had offered a monetary reward.
DJI responded publicly with a blog post and direct statements. The company confirmed to The Verge that it has “rewarded” an unnamed security researcher with $30,000, but declined to say which finding the payment covered. DJI separately told reporters that a PIN-bypass issue, which allowed viewing a Romo video stream without entering the device’s security PIN, had been fixed by late February.
Beyond the PIN issue, DJI acknowledged additional vulnerabilities and said it had begun an upgrade of the entire Romo system. The company signaled that multiple patches and a staged rollout are required, and it estimated the whole process could take up to one month to complete. DJI also reiterated that it holds ETSI, EU and UL security certifications for Romo and pledged continued third-party audits.
Analysis & Implications
The episode exposes the gap that can exist between device certifications and real-world deployment. Certifications such as those from ETSI and UL test a product against a defined checklist at a point in time; they say little about how the cloud backend decides which account may open which device’s stream once thousands of units are deployed, or how that logic behaves under adversarial probing. The fact that one user could reach thousands of other people’s devices points at server-side authorization, the binding between a device and its owner account, and cloud authentication as the places that deserve renewed scrutiny.
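To make the authorization point concrete, the block below is an added illustration, not DJI’s code and not a description of how the Romo flaw actually worked. It models a hypothetical stream broker for a cloud-connected home robot: a generic anti-pattern in which the backend trusts a client-asserted “PIN verified” flag and never checks device ownership (so any device ID that exists is reachable), beside a server-side gate that binds each device to its owner account, verifies the PIN on the server with a salted PBKDF2 hash and constant-time comparison, returns one generic denial so an enumerating caller cannot tell “no such device” from “not yours”, and locks the device after repeated PIN failures. Every name, constant and the constructed fleet are assumptions.

```python
# Added illustration of server-side stream authorization for a cloud-connected
# home robot. Hypothetical code, not DJI's; all names and constants are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the PIN hash
MAX_PIN_FAILURES = 5          # assumed lockout threshold per device
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


@dataclass
class Device:
    device_id: str
    owner_account: str
    pin_salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked table does not expose the short PIN directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Registry:
    devices: dict = field(default_factory=dict)

    def register(self, device_id: str, owner_account: str, pin: str) -> None:
        salt = os.urandom(16)
        self.devices[device_id] = Device(device_id, owner_account, salt,
                                         _hash_pin(pin, salt))


def authorize_stream_weak(reg: Registry, account: str, device_id: str,
                          client_says_pin_ok: bool) -> tuple:
    """Generic anti-pattern: the backend trusts a client-supplied 'PIN verified'
    flag and never checks that `account` owns the device. Any existing device_id
    can be opened by sweeping the ID space."""
    if device_id not in reg.devices:
        return False, "no_such_device"
    return (True, "ok") if client_says_pin_ok else (False, "pin_required")


def authorize_stream(reg: Registry, account: str, device_id: str,
                     pin: str, now: float) -> tuple:
    """Server-side gate: ownership binding, server-verified PIN, lockout.
    Unknown device and foreign device return the same 'denied' so the caller
    learns nothing from enumeration."""
    dev = reg.devices.get(device_id)
    if dev is None or dev.owner_account != account:
        return False, "denied"
    if now < dev.locked_until:
        return False, "locked"
    if not hmac.compare_digest(_hash_pin(pin, dev.pin_salt), dev.pin_hash):
        dev.failures += 1
        if dev.failures >= MAX_PIN_FAILURES:
            dev.locked_until = now + LOCKOUT_SECONDS
            dev.failures = 0
        return False, "denied"
    dev.failures = 0
    return True, "ok"


def enumeration_demo() -> dict:
    """Constructed fleet: 'attacker' owns one device and sweeps every ID with
    both gates. Returns how many devices each gate lets the attacker reach."""
    reg = Registry()
    for i in range(20):
        reg.register(f"robot-{i:04d}", f"user{i}", "1234")
    reg.register("robot-9999", "attacker", "0000")
    ids = list(reg.devices)
    weak = sum(authorize_stream_weak(reg, "attacker", d, True)[0] for d in ids)
    strong = sum(authorize_stream(reg, "attacker", d, "0000", now=0.0)[0]
                 for d in ids)
    return {"devices": len(ids), "weak_reachable": weak,
            "strong_reachable": strong}


if __name__ == "__main__":
    print(enumeration_demo())
```

The ownership check runs before the PIN is even hashed, so a sweep over foreign device IDs costs the attacker nothing but also yields nothing; the PIN only ever gates the owner’s own device, which is the role a short numeric PIN can realistically play.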
For consumers, the practical risk is privacy invasion: remote viewing of a household robot’s camera without consent undermines trust in in-home connected devices. Even where a flaw allows only view-only access, that is already a serious breach in a home, and the potential for escalation to control functions puts urgent pressure on vendors to ship timely updates and to tell users plainly what was exposed and what mitigates it.
From a policy and industry perspective, the case strengthens arguments for standardized disclosure practices and better collaboration between manufacturers and the security community. DJI’s decision to pay a $30,000 reward and commit to independent audits is a step toward that model, but the lack of transparency about which finding the payment covers limits the episode’s value as a case study in best practices.
Comparison & Data
| Item | Date / Value |
|---|---|
| Public demonstration by Azdoufal | February 14 (Valentine’s Day) |
| Approximate devices reachable | ~7,000 Romo units |
| Bounty paid | $30,000 (one researcher, unnamed) |
| PIN bypass fix | Addressed by late February |
| Full system upgrade ETA | Estimated within one month of company statement |
The table summarizes concrete, reported data points. The numbers above are drawn from DJI’s statements to The Verge and the demonstration details Azdoufal shared publicly. While the count of devices is approximate, it illustrates the scale of exposure alleged in the demonstration.
Reactions & Quotes
DJI has provided short, public statements acknowledging the issues and describing remediation steps; those statements aim to reassure customers while emphasizing ongoing fixes and third-party audits.
“We can confirm that the PIN code security observation was addressed by late February.”
Daisy Kong, DJI spokesperson (official statement)
DJI’s public messaging also said the company had discovered the initial problem internally and credited two outside researchers with finding the same issue, which suggests overlapping discovery timelines.
“Updates have been deployed to fully resolve the issue.”
DJI blog post (official corporate post)
The researcher who went public said he demonstrated extensive visibility into other devices and that he shared his findings with reporters. His disclosure prompted the company to reward a researcher and accelerate some fixes, though DJI declined to name the recipient of the bounty.
“I showed how a controller could be used to reach many devices and, in response, DJI has rewarded a researcher and begun system-wide upgrades.”
Sammy Azdoufal (researcher, summary of demonstration)
Unconfirmed
- Which specific discovery DJI’s $30,000 payment covers has not been publicly confirmed by the company.
- The full technical details and exploitability of the undisclosed vulnerability that The Verge initially withheld remain restricted pending vendor remediation.
- Whether all affected Romo devices have successfully received the staged upgrades cannot be independently verified at this time.
Bottom Line
The incident highlights both the persistent privacy risks of connected home devices and the evolving dynamics between security researchers and manufacturers. DJI’s $30,000 reward and its pledge of system upgrades and independent audits are constructive moves, but the company’s partial disclosure leaves questions about transparency and the completeness of remediation.
For users, the immediate takeaway is to install firmware and app updates as DJI publishes them, confirm in the app that the update has actually been applied, and review the device’s privacy settings, including whether a PIN is required for remote viewing. For vendors and regulators, the case strengthens calls for clearer disclosure rules, routine third-party testing, and faster, documented patch rollouts to reduce user exposure.