Original article by Eric Berger
A Spanish software engineer reportedly contacted a New York-based tech outlet recently to reveal he had remotely taken control of about 7,000 vacuums worldwide, in the process shedding light on a broad vulnerability with smart products, according to a cybersecurity expert.
The Verge reported that the situation came to light when Sammy Azdoufal was trying to reverse-engineer his new DJI Romo vacuum so that he could control it with his PlayStation 5 gamepad.
Azdoufal soon discovered that when his self-styled remote control app started communicating with DJI’s servers, “it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.”
Azdoufal found that he could look and listen through the vacuums’ live camera feeds and collected more than 100,000 messages from the devices. He could also use any robot’s internet protocol – or IP – address to determine its approximate location.
Azdoufal reportedly said he was not trying to hack into other devices. And, in fact, he contacted the Verge to inform the publication of the vulnerability.
DJI reported – and others confirmed – that it has since solved the problem.
But Azdoufal, who is listed as the head of artificial intelligence at a property management and travel group in Spain, is not alone in discovering such a flaw among smart products. Other similar episodes illustrate that for some manufacturers of such products, “security is a bit of an afterthought”, said Alan Woodward, a professor of computer science at England’s University of Surrey.
“There is this idea that you move fast and break things, and you have got to innovate to be in the market, to be the cheapest, to have new features,” Woodward said in an interview on Tuesday. “But the trouble is, the lesson was learned very early on in software development, that if you do that, you will end up with security vulnerabilities.”
The smart device industry has grown significantly in recent years. And the smart home market is projected to hit $139bn by 2032, the research firm MarketsandMarkets reports.
While people purchase such devices to make their lives easier, hackers have paradoxically also had an easier time invading people’s privacy. In addition to the vacuums, hackers have been able to control lighting systems, locks, security cameras, a baby monitor and a heating system, according to a study in the Journal of Information Security and Applications.
In the case of the vacuums, Azdoufal could gain control of them because the credentials for his device allowed him to access the others.
Companies can avoid this issue by forcing consumers to establish their own passwords before using a product for the first time, Woodward said.
Manufacturers also need to ensure that people designing, building and writing software are “fully aware of how security can be compromised”, Woodward said. “It’s not just somebody writing one element of the software.
“It’s ‘How does the software on, in this case, the vacuum cleaner, interact with the server, interact with your phone?’”
Consumers should also consider whether the potential benefits of a smart device outweigh the privacy risks, Woodward said.
“Just because you can doesn’t mean you should,” he said.
DJI thanked Azdoufal on X for reporting the vulnerability.
“Your responsible feedback is extremely valuable to us,” the company stated.
In a misspelled post, Azdoufal also announced on the platform: “You can officially call me ‘the vaccum guy’ you can’t imagine how many free vaccum people offering me. Damn.”