DJI Pays $30,000 Bounty for Discovery of Mass IoT Hack
DJI, the world’s largest drone manufacturer, has paid a $30,000 bug bounty to a security researcher who discovered a vulnerability affecting a broad class of internet-connected robot vacuums, the company confirmed on Monday.
The flaw allowed what researchers described as a mass compromise of robot vacuum systems, potentially enabling attackers to access camera feeds, microphone data, and home network traffic from devices equipped with AI assistants. DJI’s security advisory, published on March 5, classified the vulnerability as high severity.
Bug bounty programmes typically reward findings in the $1,000 to $10,000 range for significant vulnerabilities. The $30,000 payment signals the severity of the finding and the company’s concern about the implications for its expanding line of smart home devices.
DJI entered the robot vacuum market in 2023, leveraging its expertise in robotics and computer vision to compete with established players like iRobot, Roborock, and Ecovacs. The company positioned its devices as premium options with advanced AI-powered navigation. The security incident represents a test of whether that AI-first approach introduces new attack surfaces.
Security researchers noted that the vulnerability highlighted systemic weaknesses in the consumer IoT ecosystem. Many robot vacuums ship with default network configurations that prioritise functionality over security, and firmware update mechanisms vary widely across manufacturers.
The disclosure arrives amid heightened scrutiny of connected devices in the home. Consumer advocates have raised concerns about the data collection practices of AI-powered home gadgets, particularly devices with cameras and microphones that can capture sensitive household moments. This is the first reported mass hack involving robot vacuums with integrated AI assistants, though previous IoT botnets have compromised millions of cameras, doorbells, and smart speakers.
DJI has released a firmware patch addressing the vulnerability and is urging customers to ensure their devices are running the latest software version. The company did not disclose how many devices were affected or whether the vulnerability was exploited in the wild before disclosure.