Researcher Hijacks 7,000 DJI Romo Robot Vacuums, Highlighting Critical IoT Security Gaps
What Happened – A security researcher attempting to control his own DJI Romo vacuum inadvertently discovered a flaw that allowed remote takeover of roughly 7,000 units worldwide. The vulnerability stems from insecure default authentication and an exposed control API, enabling anyone on the internet to issue commands to the devices.
Why It Matters for TPRM –
- IoT endpoints can become entry points for lateral movement across a supplier’s network.
- Mass‑scale device hijacking demonstrates the risk of weak firmware security in third‑party hardware.
- Lack of proper patching or credential rotation can expose downstream services that rely on these devices.
Who Is Affected – Consumer‑electronics manufacturers, smart‑home service providers, facilities‑management firms using autonomous cleaning robots, and any organization that integrates IoT vacuums into its environment.
Recommended Actions –
- Verify that all IoT vendors enforce unique, strong credentials out‑of‑the‑box.
- Require vendors to provide a documented vulnerability‑management program and timely firmware updates.
- Conduct a risk assessment of any third‑party IoT devices in use, focusing on authentication, encryption, and network segmentation.
Technical Notes – The exploit leverages an unauthenticated REST endpoint that accepts movement commands. No CVE has been assigned yet, but the issue is analogous to known IoT misconfiguration flaws (e.g., default credentials, open ports). The data directly exposed is limited to device control signals, but a compromised vacuum could be repurposed for network reconnaissance or as a foothold for broader attacks. Source: Schneier on Security
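The weakness described in the technical notes, an endpoint that accepts control commands without tying them to a per-device credential, is easiest to see beside its corrected form. The following is an added, hypothetical example and not DJI's or any vendor's code: it models a command API as plain Python functions over a JSON-style request dict (assumed fields `device_id`, `command`, and an `Authorization: Bearer` header) and shows the unauthenticated handler next to one that requires a unique, randomly provisioned token per device and compares it in constant time.

```python
"""Hypothetical IoT control-endpoint handlers (added example, not vendor code).

Two handlers share one device registry:
  handle_command_unauthenticated - accepts any command for a known device id.
  handle_command_hardened        - requires a per-device bearer token.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed command vocabulary for the illustrative robot.
ALLOWED_COMMANDS = {"forward", "back", "left", "right", "stop", "dock"}

# Random filler used when the device id is unknown, so the comparison below
# always runs against a token of realistic length and timing does not leak ids.
_DUMMY_TOKEN = secrets.token_urlsafe(32)


@dataclass
class Device:
    device_id: str
    token: str                      # unique secret provisioned per device
    last_command: Optional[str] = None


@dataclass
class Registry:
    devices: Dict[str, Device] = field(default_factory=dict)

    def provision(self, device_id: str) -> str:
        """Issue a fresh random credential; there is no shared factory default."""
        token = secrets.token_urlsafe(32)
        self.devices[device_id] = Device(device_id, token)
        return token


def _apply(dev: Device, command: Optional[str]) -> Tuple[int, dict]:
    """Validate the command against the allow-list and record it."""
    if command not in ALLOWED_COMMANDS:
        return 400, {"error": "bad command"}
    dev.last_command = command
    return 200, {"ok": True, "device_id": dev.device_id, "command": command}


def handle_command_unauthenticated(registry: Registry, request: dict) -> Tuple[int, dict]:
    """Weak pattern: knowing a device id is enough to drive the device."""
    dev = registry.devices.get(request.get("device_id", ""))
    if dev is None:
        return 404, {"error": "unknown device"}
    return _apply(dev, request.get("command"))


def handle_command_hardened(registry: Registry, request: dict) -> Tuple[int, dict]:
    """Hardened pattern: the caller must present that device's own token."""
    dev = registry.devices.get(request.get("device_id", ""))
    expected = dev.token if dev is not None else _DUMMY_TOKEN

    auth = request.get("headers", {}).get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""

    # Constant-time comparison; unknown devices and bad tokens get the same
    # response so the endpoint does not confirm which ids exist.
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    if dev is None or not ok:
        return 401, {"error": "unauthorized"}
    return _apply(dev, request.get("command"))


if __name__ == "__main__":
    reg = Registry()
    tok = reg.provision("romo-0001")
    anon = {"device_id": "romo-0001", "command": "forward"}
    print("unauthenticated:", handle_command_unauthenticated(reg, anon))
    print("hardened, no token:", handle_command_hardened(reg, anon))
    print("hardened, token:", handle_command_hardened(
        reg, dict(anon, headers={"Authorization": f"Bearer {tok}"})))
```

The point of the contrast is the provisioning step as much as the check: a per-device random token makes the "unique, strong credentials out of the box" requirement in the recommended actions concrete, and a vendor review can ask to see exactly where that token is generated and how it is rotated.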