Cybersecurity Ecosystem

DJI Awards $30,000 Bug Bounty After Security Researcher Accidentally Gained Access to 7,000 Robot Vacuums

Quick Summary

  • DJI pays $30,000 bug bounty to researcher who accidentally hacked 7,000 robot vacuums
  • Vulnerability in MQTT protocol allowed remote camera access to users' homes
  • Payment marks improved security researcher relations after DJI's controversial 2017 incident
  • Incident accelerates regulatory pressure for mandatory IoT security standards

What Happened

DJI, the Chinese technology giant best known for its dominance in the consumer drone market, has agreed to pay a $30,000 bug bounty to Sammy Azdoufal, the security researcher who inadvertently discovered he could remotely access approximately 7,000 DJI Romo robot vacuum cleaners through a critical security vulnerability. The payout marks a significant shift in DJI's approach to security researchers, following years of criticism over how the company handled vulnerability disclosures.

Azdoufal's discovery began innocuously enough: he was simply attempting to control his own DJI robot vacuum using a PlayStation gamepad when he stumbled upon an exposed MQTT messaging protocol that connected him to thousands of other DJI robotic vacuums. The vulnerability effectively gave him the ability to remotely control the devices, including accessing their onboard cameras, which could have allowed an attacker to peer into the homes of thousands of unsuspecting users.

The story, first reported in February 2026, quickly became a global headline as it highlighted the growing security risks associated with internet-connected home devices. DJI had already begun addressing some of the related vulnerabilities before Azdoufal demonstrated the full extent of access possible, but questions remained about whether the company would compensate him for his responsible disclosure, particularly given DJI's troubled history with security researchers.

Background and Context

DJI's relationship with the security research community has been fraught with tension. In 2017, the company faced significant backlash after its handling of security researcher Kevin Finisterre, who discovered vulnerabilities in DJI's systems and was reportedly threatened with legal action under the Computer Fraud and Abuse Act despite participating in what he believed was a legitimate bug bounty programme. That incident cast a long shadow over DJI's security disclosure practices and discouraged many researchers from reporting vulnerabilities to the company.

The robot vacuum market has exploded in recent years, with dozens of manufacturers competing for market share in a space that was essentially created by iRobot's Roomba. DJI entered the market with its Romo line as part of a broader strategy to leverage its expertise in robotics, computer vision, and autonomous navigation beyond drones. However, the rush to add internet connectivity and camera systems to household appliances has created a sprawling attack surface that many manufacturers have been slow to adequately secure.

The MQTT protocol that Azdoufal exploited is widely used in IoT devices for lightweight messaging between devices and servers. When properly configured with authentication and encryption, MQTT is reasonably secure. However, misconfigurations, default credentials, and inadequate access controls remain common across the IoT landscape, turning what should be a reliable communication protocol into a potential gateway for unauthorised access.
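The access-control failure described above, as an added example that is not DJI's code or configuration: on a shared MQTT broker, every device's credentials must be confined to that device's own topic subtree. The rule syntax below (with `%u` standing for the authenticated username) is modelled on the mosquitto ACL style but is a simplified, constructed representation, and the topic names are invented.

```python
"""Per-device MQTT topic authorisation check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    pattern: str        # MQTT topic filter; %u is replaced by the username
    read: bool = False  # may subscribe / receive
    write: bool = False # may publish


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":            # multi-level wildcard, matches zero or more levels
            return True
        if i >= len(t_parts):      # filter is longer than the topic
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def is_allowed(rules, username: str, topic: str, action: str) -> bool:
    """Deny by default; allow only if a rule for this identity grants the action."""
    for rule in rules:
        concrete = rule.pattern.replace("%u", username)
        if topic_matches(concrete, topic):
            if action == "read" and rule.read:
                return True
            if action == "write" and rule.write:
                return True
    return False


# Hardened ACL (constructed): each vacuum only sees its own command and camera topics.
PER_DEVICE_ACL = [
    AclRule("vacuum/%u/cmd", read=True),         # device receives only its own commands
    AclRule("vacuum/%u/camera/#", write=True),   # device publishes only its own frames
]

# Weak ACL (constructed): one wildcard rule shared by every device; any valid
# device credential can read every other device's camera topics.
SHARED_ACL = [AclRule("vacuum/#", read=True, write=True)]
```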

Why This Matters

This incident crystallises the security risks that millions of consumers unknowingly accept when they bring internet-connected devices into their homes. A robot vacuum with a camera is essentially a mobile surveillance platform, and when the security protecting that platform fails, the consequences extend far beyond a malfunctioning appliance. The fact that a single researcher could accidentally gain access to 7,000 devices suggests that more sophisticated attackers with malicious intent could potentially compromise far more.

DJI's decision to pay the bounty is encouraging, but the $30,000 figure itself raises questions about the valuation of critical IoT vulnerabilities. In the commercial exploit market, a vulnerability chain providing remote access to thousands of devices with cameras would command significantly more. The relatively modest bounty, while welcome, may not provide sufficient incentive for researchers to choose responsible disclosure over selling to brokers or government buyers who would pay multiples more.

For businesses and consumers evaluating smart home and office technology, this incident underscores the importance of purchasing from manufacturers with demonstrated commitments to security. Organisations deploying IoT devices in corporate environments should implement network segmentation to isolate these devices from sensitive systems, conduct regular firmware audits, and maintain inventories of all connected devices. Ensuring that the computers and workstations on those networks run a fully updated, genuinely licensed operating system such as Windows 11 adds a further layer of defence.

Industry Impact

The DJI robovac incident is likely to accelerate regulatory pressure on IoT manufacturers to implement baseline security standards. The European Union's Cyber Resilience Act, which is being phased in through 2027, will require manufacturers of products with digital elements to meet specific cybersecurity requirements throughout the product lifecycle. Similar legislation is being considered in the United States and other jurisdictions, driven in part by high-profile incidents exactly like this one.

For the robot vacuum industry specifically, the incident serves as a wake-up call. Companies like iRobot, Ecovacs, Roborock, and others will face increased scrutiny from consumers and reviewers regarding their security practices. Camera-equipped robot vacuums, which use visual mapping for more efficient navigation, are particularly sensitive because a security breach doesn't just expose device functionality; it exposes the physical layout and daily activities within people's homes.

The broader IoT security industry stands to benefit from increased awareness and spending. Managed security service providers, IoT-specific security platforms, and network monitoring tools that can detect anomalous device behaviour are all positioned for growth as enterprises and consumers alike grapple with the security implications of an increasingly connected world.

Expert Perspective

IoT security researchers have long warned that the pace of device deployment far outstrips the pace of security investment. The average smart home now contains dozens of connected devices, each representing a potential entry point for attackers. The DJI incident is notable not because it revealed a novel attack vector, but because it demonstrated how easily a well-intentioned user could stumble onto a massive security flaw that professional security teams should have caught during development and testing.

Industry analysts note that DJI's decision to pay the bounty, while belated, represents progress. Bug bounty programmes only work when researchers trust that companies will respond in good faith, and DJI's improved handling of this disclosure may encourage other researchers to report vulnerabilities rather than ignoring them or selling them on grey markets. However, the company still has work to do in rebuilding trust after its 2017 controversy.

What This Means for Businesses

Companies deploying robot vacuums, security cameras, smart displays, or any other IoT device in office environments need to treat these devices as potential security liabilities. Basic hygiene includes placing IoT devices on isolated network segments, regularly checking for and applying firmware updates, disabling unnecessary features like remote camera access, and monitoring network traffic for unusual patterns.

For organisations managing distributed workforces, the home IoT security challenge extends to remote workers whose home networks may harbour vulnerable devices that share the same network as corporate laptops and VPN connections. Providing employees with guidance on IoT security, and ensuring corporate devices are properly configured with an up-to-date, properly licensed Microsoft Office installation and enterprise productivity software that receives regular security patches, is essential.

Looking Ahead

The DJI bounty payment sets a positive precedent, but the underlying security challenges in the IoT industry remain enormous. As robot vacuums, smart speakers, and connected appliances become more sophisticated and more deeply integrated into daily life, the potential consequences of security failures will only grow. Manufacturers who invest proactively in security-by-design principles and maintain transparent relationships with the research community will be best positioned to maintain consumer trust in an increasingly sceptical market.

Frequently Asked Questions

How did the researcher hack DJI robot vacuums?

Sammy Azdoufal discovered an exposed MQTT messaging protocol while trying to control his own DJI vacuum with a PlayStation gamepad, which inadvertently connected him to approximately 7,000 other devices.

Are robot vacuums with cameras a security risk?

Camera-equipped robot vacuums can pose privacy risks if their security controls are compromised, as they could potentially allow attackers to view the interior of homes and monitor occupants' activities.

What should businesses do about IoT security?

Businesses should isolate IoT devices on separate network segments, regularly update firmware, disable unnecessary features, and monitor network traffic for anomalous behaviour.

Tags: DJI, bug bounty, IoT security, robot vacuums, smart home
OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.