DJI Offered a Hacker $100 to Keep Quiet About a Robot Vacuum Security Flaw. He Said No.

DJI tried to pay off a security researcher with roughly $100 after he discovered a vulnerability in its robot vacuum that could let attackers spy on users through the device’s camera and microphone. The researcher, Sammy Azdoufal, refused — and now the whole story is public.

As The Verge reported, Azdoufal and his team at Romo Security found that DJI’s robot vacuums could be compromised to give an attacker real-time access to the onboard camera and microphone. That’s not a minor bug. That’s a full-blown surveillance tool sitting in someone’s living room.

The vulnerability affected DJI’s line of robot vacuums, which the company launched as part of its expansion beyond drones. Azdoufal’s team was able to demonstrate that an attacker could take control of the device’s sensors remotely, effectively turning the vacuum into an eavesdropping platform. The camera feed, the audio — all accessible.

Here’s where it gets insulting.

After Azdoufal responsibly disclosed the vulnerability to DJI through proper channels, the company’s response was to offer him a token payment. About $100, according to reporting from The Verge. For context, serious bug bounty programs at major tech companies routinely pay thousands — sometimes tens of thousands — of dollars for vulnerabilities of this severity. Google’s program has paid out over $12 million in a single year. Microsoft’s bounties for critical issues can reach six figures. A hundred bucks for a flaw that exposes users to live audio and video surveillance is, frankly, an insult to the entire security research community.

Azdoufal turned it down.

And he went public. The decision to disclose isn’t one researchers take lightly. There’s always tension between giving a company time to patch and protecting users who remain exposed. But when a company responds to a serious finding with pocket change and apparent indifference, researchers often feel they have no other option. Azdoufal clearly landed in that camp.

DJI has faced security scrutiny before, though mostly around its drone products. The U.S. government has repeatedly flagged concerns about DJI’s data practices, with multiple federal agencies banning the use of DJI drones over fears that flight data and imagery could be accessible to the Chinese government. The Department of the Interior grounded its entire DJI fleet in 2020. Congress has considered legislation that would effectively ban DJI products from U.S. government use entirely. So the company already operates under a cloud of suspicion when it comes to data security and privacy.

A robot vacuum vulnerability fits uncomfortably into that narrative. These devices map your home. They carry cameras — ostensibly for navigation and obstacle avoidance — and microphones for voice commands. When those sensors can be hijacked remotely, the privacy implications are severe. You’re not just losing control of a gadget. You’re handing someone a window into your private space.

The broader robot vacuum market has dealt with similar issues. In 2022, MIT Technology Review reported that intimate images captured by iRobot’s Roomba development devices ended up on social media, raising alarm about how vacuum camera data gets handled. Ecovacs faced its own security reckoning when researchers demonstrated vulnerabilities in its Deebot line that could allow remote camera access, as TechCrunch covered in 2024. The pattern is clear: companies are shipping camera-equipped home robots without adequately securing them.

What makes the DJI situation particularly galling is the response, not just the vulnerability. Every company ships bugs. That’s reality. The measure of a company’s security posture is how it handles disclosure. Offering a researcher $100 for a critical privacy flaw signals that DJI either doesn’t understand the severity or doesn’t care. Neither interpretation is reassuring for the millions of people with DJI products in their homes.

For industry professionals, the takeaways are straightforward. If you’re deploying connected devices with cameras and microphones in any environment — residential, commercial, enterprise — the attack surface is real and growing. Bug bounty programs that underpay researchers don’t just damage corporate reputation; they actively discourage the responsible disclosure that keeps users safe. And companies expanding from one product category into another, as DJI did from drones to vacuums, don’t always bring their security infrastructure along for the ride.

DJI hasn’t publicly commented in detail on the specifics of Azdoufal’s findings or its bounty offer. The company’s silence speaks volumes.

So does $100.
