Sometimes you hear people complain about how we’re “too connected” to the internet and “not everything needs to be online.” These people are right. We have refrigerators, cars, washers and dryers, and even vacuums that are hooked up to the internet. It’s maddening the extent to which smart devices and online connectivity have taken things. More than that, it’s actually kind of dangerous. If that sounds like hyperbole, just ask the man who mistakenly found himself in control of an army of robot vacuums.
Sammy Azdoufal was a man with a simple wish. He had purchased a DJI robot vacuum. About the size of a mini fridge, the cleaning bot uses cameras and mapping technology to understand a home’s layout and uses that information to plan its cleaning routine. It also has a microphone, presumably to take audio commands, and is connected to the internet so you can command it virtually and make sure it’s taking care of cleaning duties while you’re away. Sammy wanted to take things into his own hands a bit more and wanted to be able to control the robot himself using a gaming controller. Not too big of a want, right?
To achieve this, Sammy had to construct his own app that could communicate with the DJI cloud to effectively commandeer his own robot. He did this, but apparently the security token that was needed to validate his own device also worked for everyone else’s. Or to put it another way, instead of validating him as the owner of one device, it validated him as the owner of about 7,000 devices. This wouldn’t be the worst thing in the world if it weren’t for all those camera and microphone feeds and home layouts. These are all sensitive details that you wouldn’t want exposed to a stranger, and exposing them has the potential to be incredibly invasive.
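The kind of flaw described above, a token that proves who you are but is never checked against which device you own, can be shown next to its fix. This is an added example, not DJI's code or API: the token format, signing key, device IDs and function names are all constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed signing key, example only

# Constructed device registry: device id -> owning account
DEVICES = {"vac-001": "alice", "vac-002": "bob", "vac-003": "carol"}

def issue_token(account: str) -> str:
    """Issue a signed token that names the account it belongs to."""
    sig = hmac.new(SECRET, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}.{sig}"

def verify_token(token: str):
    """Return the account name if the signature is valid, else None."""
    account, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, account.encode(), hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(sig.encode(), expected.encode())
    return account if account and valid else None

def can_access_flawed(token: str, device_id: str) -> bool:
    # Flaw: authentication only. Any valid token opens any known device.
    return verify_token(token) is not None and device_id in DEVICES

def can_access_fixed(token: str, device_id: str) -> bool:
    # Fix: the authenticated account must also be the device's registered owner.
    account = verify_token(token)
    return account is not None and DEVICES.get(device_id) == account

def reachable(check, token: str) -> list:
    """List every device the token is allowed to reach under a given check."""
    return sorted(d for d in DEVICES if check(token, d))

if __name__ == "__main__":
    token = issue_token("alice")
    print("flawed:", reachable(can_access_flawed, token))
    print("fixed: ", reachable(can_access_fixed, token))
```

Running the same `reachable` count against a real fleet API in a test environment, with a token for one test account, is a quick regression check for this class of bug: the result should only ever contain that account's own devices.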

Fortunately, Azdoufal realized how problematic this could be and reported this massive security loophole to The Verge, and then the information got back to DJI. Imagine instead if this had been something from the government or a malicious hacker; it would have been absolutely devastating in terms of the amount of information it could collect on people. Maybe this is a sign that taking a break from online connectivity is healthy and not every device we own needs to be part of a larger network.
DJI stated that the security flaw has been fixed and there’s no reason to not believe them. But what’s to stop another flaw from being found or someone creating a new one? Just something to think about the next time you introduce something into your home with a camera and microphone, especially if it doesn’t really need to have either of them.






