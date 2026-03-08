A software engineer who unintentionally uncovered a major vulnerability in DJI’s robot vacuum system will receive a reward of $30,000 (around Rs 27.5 lakh). The discovery reportedly allowed him to access thousands of connected devices. The case was first reported by The Verge, which spoke with the engineer and later confirmed the reward with DJI. Also Read: Man accidentally accesses 7,000 DJI vacuums while testing PS5 controller hack

How the discovery happened

The engineer, identified as Sammy Azdoufa, was not initially trying to break into the system. According to The Verge, he was simply experimenting with ways to control his DJI Romo robot vacuum using a PlayStation 5 controller instead of the regular smartphone app. Also Read: Dreame F10 Robot Vacuum Launches in India With Voice Control – Grab At Rs 19,999 During Prime Day Sale

To do that, he started analysing how the device connects to DJI’s cloud servers. During this process, he reportedly found that the backend system granted far more access than intended. Instead of connecting only to his own robot vacuum, the system allowed access to thousands of devices. Also Read: Amazon deals: Top affordable Robot Vacuum Cleaners under Rs 15,000

Reports suggest the issue exposed around 7,000 robot vacuum cleaners across multiple countries.

What the vulnerability exposed

The flaw was linked to DJI’s cloud authorisation system. According to reports, the system did not properly restrict device access after authentication.

Because of this, the engineer was reportedly able to view data from other DJI Romo devices connected to the network. These robot vacuums come with cameras and microphones to help with navigation and monitoring. Due to the flaw, the engineer was able to access live camera feeds and audio from other devices.

Reports also suggest he could see other data linked to the vacuums, including sensor information and the floor maps the devices create while cleaning.

The engineer has said he did not misuse the access and instead chose to report the issue.

DJI’s response and reward

DJI has confirmed that it rewarded Sammy Azdoufal for the discovery. According to an email shared with The Verge, the company agreed to pay $30,000 for one of the vulnerabilities identified.

The company did not specify exactly which discovery qualified for the reward. DJI also said that the issue allowing access to certain video streams without a security PIN had already been fixed earlier this year.

In addition to that fix, the company said it is working on further system updates to strengthen security.

DJI also published a blog post outlining additional measures and said it plans to expand collaboration with independent security researchers going forward.