
DJI Pays $30,000 Bounty to Engineer Who Accidentally Hacked 7,000 Robot Vacuums

⚡ Quick Summary

  • DJI awards $30,000 bounty for accidental discovery of vulnerability in 7,000 robot vacuums
  • Flaw allowed remote access to controls, cameras, and home mapping data
  • Patched within 48 hours; DJI commits to expanded bug bounty and third-party audit
  • Incident accelerates regulatory momentum for mandatory IoT security standards

What Happened

DJI has awarded a $30,000 bug bounty to a security researcher who accidentally discovered a critical vulnerability in the company's Romo line of robot vacuums — one that gave him control over approximately 7,000 devices worldwide. The researcher, who originally set out to modify his own Romo vacuum to work with a PlayStation 5 controller, stumbled upon a server-side authentication flaw that inadvertently granted him access to the control systems of thousands of other users' devices.

The vulnerability, which has since been patched, existed in the cloud communication layer between Romo devices and DJI's servers. By exploiting a misconfigured API endpoint, the researcher was able to send commands to any Romo vacuum connected to the internet — including starting cleaning cycles, accessing camera feeds, and retrieving mapping data of users' homes. The researcher immediately reported the vulnerability to DJI through responsible disclosure channels rather than exploiting it maliciously.


DJI has confirmed that no user data was compromised by malicious actors and that the vulnerability was patched within 48 hours of the researcher's report. The company has also announced an expanded bug bounty programme for its consumer robotics products and committed to a third-party security audit of the Romo platform.

Background and Context

The Internet of Things (IoT) security landscape has been plagued by vulnerabilities since the category's inception. Robot vacuums are particularly sensitive IoT devices because they typically include cameras, microphones, and detailed mapping capabilities — creating a comprehensive surveillance tool if compromised. Previous security incidents have affected products from Ecovacs, iRobot, and Roborock, making robot vacuum security a recurring concern for privacy advocates.

DJI, best known for its dominant position in the consumer drone market, entered the robot vacuum space with the Romo line in 2024. The company leveraged its expertise in autonomous navigation and computer vision to create a competitive product, but the transition from drone to home robotics introduced new security challenges. Drones operate primarily outdoors in unpopulated airspace, while robot vacuums operate inside people's homes, dramatically raising the privacy stakes of any security failure.

The bug bounty ecosystem has matured significantly in recent years, with most major technology companies offering financial rewards for security researchers who discover and responsibly disclose vulnerabilities. DJI's $30,000 bounty for the Romo vulnerability is substantial and signals the company's recognition of both the severity of the flaw and the importance of maintaining researcher goodwill.

Why This Matters

This incident highlights the systemic security challenges facing the smart home industry. Robot vacuums, smart speakers, security cameras, and other connected devices are accumulating in homes at an unprecedented rate, but the security of these devices varies dramatically between manufacturers. A single vulnerability can expose thousands or millions of users to privacy violations, making IoT security a consumer protection issue as much as a technical one.

The fact that this vulnerability was discovered accidentally — by a hobbyist tinkerer rather than a dedicated security researcher — underscores how accessible some IoT vulnerabilities are. If a casual user can stumble upon a flaw that exposes 7,000 devices, professional threat actors with greater resources and motivation are almost certainly finding and potentially exploiting similar vulnerabilities in other IoT products.

For consumers, the incident is a reminder that every internet-connected device in their home is a potential attack surface. The security practices of the device manufacturer — not just the features and price — should be a primary purchasing consideration. Similarly, ensuring that desktop and laptop devices are running properly secured operating systems with a genuine Windows 11 key is essential for a comprehensive home network security posture.

Industry Impact

The robot vacuum industry, which has grown into a multi-billion dollar market, faces increasing scrutiny over security practices. DJI's response — paying a significant bounty, patching quickly, and commissioning third-party audits — sets a positive precedent, but the existence of such a fundamental vulnerability in a product from a major manufacturer raises questions about the security standards across the entire category.

Regulatory bodies in both the US and EU are likely to cite incidents like this in support of mandatory IoT security standards. The EU's Cyber Resilience Act, which requires connected products to meet baseline security requirements, is already in implementation. Similar legislation is advancing in the US, and high-profile IoT vulnerabilities accelerate the political momentum for regulation.

Bug bounty platforms and managed security services for IoT manufacturers could see increased demand. Companies that specialise in testing smart home devices for vulnerabilities have a growing market opportunity as manufacturers recognise that their in-house security teams may not catch every flaw. Organisations managing fleets of devices — both IoT and traditional computing — benefit from comprehensive security practices, including ensuring all workstations run properly licensed productivity software to maintain security update eligibility.

Expert Perspective

IoT security researcher Dennis Giese, who has extensively studied robot vacuum vulnerabilities, noted that the DJI Romo incident is 'depressingly common in the IoT space,' describing server-side authentication flaws as one of the most frequently occurring vulnerability categories in connected devices. The root cause — improper API authentication — is a well-understood security issue that should be caught during standard security review processes, suggesting that DJI's product security testing for the Romo line was insufficient at launch.
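As an added illustration of the flaw class described above (an authenticated cloud endpoint that trusts the device id in the request and never checks who owns that device), here is a constructed vulnerable command dispatcher beside its hardened form, plus the kind of log audit a defender could run to spot cross-account commands. This is not DJI's code; the accounts, tokens and device ids are made up.

```python
# Constructed model of a cloud "send command to vacuum" endpoint.
# NOT DJI's implementation; all accounts, tokens and device ids are invented.
from dataclasses import dataclass

# Which account owns which vacuum, and which session token maps to which account.
DEVICE_OWNERS = {"romo-0001": "alice", "romo-0002": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ALLOWED_COMMANDS = {"start_clean", "stop_clean", "get_map", "camera_stream"}


@dataclass
class CommandRequest:
    token: str      # session token presented by the caller
    device_id: str  # target vacuum, taken straight from the request body
    command: str


def vulnerable_dispatch(req: CommandRequest) -> str:
    """Authenticates the caller but never authorizes the device: any valid
    account can command any vacuum whose id it can guess or enumerate."""
    if req.token not in SESSIONS:
        return "401 unauthenticated"
    if req.device_id not in DEVICE_OWNERS or req.command not in ALLOWED_COMMANDS:
        return "404 unknown device or command"
    return f"200 sent {req.command} to {req.device_id}"


def hardened_dispatch(req: CommandRequest) -> str:
    """Same endpoint with object-level authorization: the target device must
    belong to the authenticated account. Foreign and nonexistent devices get
    the identical 404 so the response does not reveal which ids exist."""
    user = SESSIONS.get(req.token)
    if user is None:
        return "401 unauthenticated"
    if req.command not in ALLOWED_COMMANDS:
        return "400 unknown command"
    if DEVICE_OWNERS.get(req.device_id) != user:
        return "404 unknown device"
    return f"200 sent {req.command} to {req.device_id}"


def audit_cross_account_commands(requests):
    """Detection check: replay a request log through the vulnerable endpoint
    and report every successful command whose caller does not own the device.
    Returns (caller, device_id, command) tuples for the reviewer."""
    findings = []
    for req in requests:
        status = vulnerable_dispatch(req)
        caller = SESSIONS.get(req.token)
        if status.startswith("200") and DEVICE_OWNERS.get(req.device_id) != caller:
            findings.append((caller, req.device_id, req.command))
    return findings
```

The audit function is the retroactive check: run over historical API logs, it separates legitimate owner commands from the cross-account ones the vulnerable handler let through.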

However, DJI's response has been praised as exemplary. The 48-hour patch turnaround, the generous bounty payment, and the commitment to third-party audits demonstrate a level of accountability that many IoT manufacturers have historically lacked. If this response becomes the industry standard rather than the exception, consumer IoT security could improve significantly.

What This Means for Businesses

Organisations deploying IoT devices in workplace environments — including robot vacuums in office spaces, smart building systems, and connected conference room equipment — should review their IoT security policies. Devices that map interior spaces, capture audio or video, or connect to corporate networks introduce risks that traditional endpoint security doesn't address. Network segmentation, regular firmware updates, and vendor security assessments are essential for enterprise environments deploying connected devices.

Companies in the IoT space should invest in comprehensive bug bounty programmes and regular third-party security audits. The cost of a bounty programme is trivial compared to the reputational and legal costs of a security breach, and the DJI incident demonstrates that responsible disclosure can actually enhance brand trust when handled well.

Key Takeaways

Looking Ahead

DJI's expanded bug bounty programme and third-party audit commitment should produce improved security for future Romo firmware updates and product releases. The broader IoT industry is moving toward mandatory security certification, and incidents like this accelerate that transition. Consumers should expect to see security ratings and certifications become a standard part of smart home product marketing within the next two to three years, similar to energy efficiency labels on appliances.

Frequently Asked Questions

What was the DJI Romo vulnerability?

A misconfigured API endpoint allowed an engineer to accidentally gain control over approximately 7,000 DJI Romo robot vacuums, including access to their cameras, controls, and home mapping data.

Was any user data stolen?

DJI confirmed that no user data was compromised by malicious actors. The vulnerability was discovered by a security researcher who reported it responsibly.

Has the vulnerability been fixed?

Yes. DJI patched the vulnerability within 48 hours of the researcher's report and has committed to expanded bug bounty programmes and third-party security audits.

Tags: DJI, cybersecurity, IoT, robot vacuums, bug bounty
OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.