A software engineer accidentally discovered a serious security vulnerability in a robot vacuum system, which gave him access to data from nearly 7,000 devices in 24 countries. While using a video game controller to control a new robot vacuum, the developer created his own application for remote control. In the process of working with AI-based software, he figured out how the device communicates with the company's cloud servers. It turned out that the credentials that allowed him to control his robot also granted access to the live camera feed, audio recordings from microphones, maps, and status data from thousands of other devices. This vulnerability revealed a massive network of internet-connected robots that, in the wrong hands, could have turned into surveillance tools without the owners' knowledge. Fortunately, the engineer did not exploit the vulnerability for malicious purposes and shared his discovery with The Verge, which in turn contacted the company to report the flaw. The company confirmed the issue and stated that it has already fixed it with two automatic updates, planning to introduce additional security improvements. The robot vacuum at the center of the vulnerability is the DJI Romo model, priced at around $2,000 and about the size of a large dog or a small refrigerator.
