
A man over in Spain tried to hack into his own vacuum cleaner robot, but instead, he accidentally hacked into 7,000 different vacuum robots—giving him direct access to live video feeds within people’s homes. Basically, he discovered a backdoor within these Chinese-made robots that made them extremely insecure.
This meant that if you had one of these vacuums in your home, he (and anyone else who knew about this feature) could literally see inside your home through the camera lens at the top of the unit.
Let’s go through the details of this case together.
A regular guy over in Spain tried to hack his own vacuum cleaning robot, but instead he accidentally hacked into 7000 different vacuum robots, giving him direct access to the live video feeds within people's homes across 24 different countries.
Basically, he discovered a back door within these Chinese robots, which meant that if you happen to have one of these vacuums in your home, he, as well as anyone else who knew about this special feature, could literally see inside of your home through the camera lens that was at the very top of the unit.
Let's go through the details of this case together, because even though, I mean, beyond this particular brand of robot, it also exposes the broader risk of outfitting our homes with all these different smart devices that are constantly listening in, monitoring, as well as physically watching us.
We assume that there's no human on the other end, but more and more anecdotal cases are showing us that there are.
And before we dive into it, if you would do me a favor and smash those like and subscribe buttons, that way the YouTube algorithm will pick up this episode and share it with even more people. I would greatly appreciate it.
So, to start with, the overview of how this robot takeover happened in the first place, it came across my desk in the form of an article within Popular Science magazine.
It was titled Man Accidentally Gains Control of 7000 Robot Vacuums.
If you happen to want to read that full original account, I will link that article down in the description box below.
Now, the robot in question here is a DJI brand, Romo Vacuum Robot. Now, DJI is a popular Chinese brand known for their civilian drones.
But recently, they began to manufacture these autonomous home vacuums as well. And they're not cheap. They retail for about $2,000.
And the way that they work is they basically collect data from around your house, creating a virtual map of the floor plan in order to clean it.
Quote, like other robot vacuums, it's equipped with a range of sensors that help it navigate its surroundings and detect obstacles.
In order for the Romo, or really any modern autonomous vacuum, to function, it needs to constantly collect visual data from the building it is operating in.
It also needs to understand specific details about what makes, say, a kitchen different from a bedroom, so it can distinguish between the two.
Some of that sensor data is stored remotely on DJI servers rather than on the device itself.
In short, it means that the data collected by the onboard sensors doesn't just live within the robot, some of it lives in the server on the cloud.
Now users can control the vacuum using an app on their phone, but the selling point is the fact that it can function pretty much autonomously.
It both cleans and mops the floors all by itself. Also, apparently, the app is not really user friendly, which is exactly where our story begins.
You had a Spanish man by the name of Sammy Azdoufal. He bought one of these robots and he didn't like the functionality of the app.
Instead, he wanted to be able to control it using his PS5 controller, sort of like those RC cars where he used to play with his kids, he wanted to control it that way.
And this individual, Sammy, was actually well suited for trying to do this.
He leads the AI strategy at a vacation home rental company, so he knows at least a bit about computers.
And secondly, he himself had a clawed bot. That's one of those AI chat bots that basically serve as a personal assistant.
And once you tell them what to do, they can do things semi-autonomously. And here is what happened.
Quote, while building his own remote control app using an AI coding assistant to help reverse engineer how the robot communicated with DJI's remote cloud server,
he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.
And that right there is why I really love this story. It truly exposes the new dangers that we are living with in this AI world.
Because without writing a single piece of code, this man over in Spain simply asked his AI chatbot assistant to make an app so he can use his PS5 controller to guide his vacuum.
For that idea to work, the chatbot had to find a way for this app that it's building to communicate with DJI servers and extract a security token which basically proves that the chatbot and Sammy are the legitimate owners of the vacuum.
However, instead of just verifying a single token, the DJI servers granted access to thousands of robots.
Essentially, the mistake in their system allowed Sammy to be treated by the system as the legitimate owner of upwards of 7,000 vacuums across 24 different countries.
And this was no joke because it basically allowed him to basically become a fly on the wall in people's homes.
So, that slip-up meant Sammy could tap into their real-time camera feeds and activate their microphones.
He also claims he could compile 2D floor plans of the homes that the robots were operating in.
A quick look at the robot's IP addresses also revealed their approximate locations.
None of this, Sammy insists, amounts to hacking on his part, he simply stumbled upon a major security issue.
Truly insane, he basically gained access to the video feeds, the floor map layouts, the microphones, as well as the ability to remotely control the robots himself.
Now, fortunately for us, Sammy was not a bad actor and he did report his findings immediately.
He shared what he found with a reporter over at The Verge who then reached out to DJI.
And for their part, DJI put out a statement claiming to fix the issue with an automatic software update,
two of them that were automatically applied, you didn't even have to do anything on your own part if you own a robot.
DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated a remediation immediately.
The issue was addressed through two updates, with an initial patch deployed on February 8th and a follow-up update completed on February 10th.
The fix was deployed automatically and no user action is required.
Which sounds good, however, according to that report from The Verge, that is not really the full case because there are still several vulnerabilities, one of which is so bad, they're keeping it secret, which to this day remain unresolved.
Azdoufal says that even now, DJI has not fixed all the vulnerabilities he's found.
One of them is the ability to view your own DJI Romo video stream without needing its security pin.
Another one is so bad, I won't describe it until DJI has more time to fix it.
As of February 17th, DJI tells The Verge it will do so within weeks.
Very cool. And obviously, I should mention that the story with this particular robot is a lot more pertinent now that these types of machines are becoming ubiquitous.
I mean, even if you don't happen to own one of these $2,000 DJI brand vacuums, how many other devices are listening or watching in on you right now?
Home camera systems, smart home devices that are pretty much always listening for their activation keywords.
You have smart refrigerators, smart watches, smart toaster ovens, smart glasses.
And actually, on that last point, on the point of smart glasses, there was a report that just came out last week exposing how Meta employees over in Kenya claim to be able to see disturbing personal videos through people's Meta smart glasses.
Quote, bank details, sex and naked people who seem unaware they are being recorded.
Behind Meta's new smart glasses lies a hidden workforce uneasy about peering into the most intimate parts of other people's lives.
And so, I mean, if you're considering getting any type of new device in your life that has a camera on it, just know about the possibility and the implications of it.
Because a good rule of thumb is that if it has a camera, your image, your video image has the potential to be accessed by somebody remotely.
And actually, to that end, it reminds me of this photo that was published on Facebook by Mark Zuckerberg, roughly 10 years ago.
And it became pretty viral at the time because you can see that on his desk, Mark Zuckerberg puts a piece of tape on the camera over his own laptop.
And so, you can imagine if he's doing that, you can assume that he knows something and that you should probably be doing the same thing.
If you want to read the full account of the man in Spain who was able to hack himself a little army of robots, I'll throw a link to it.
You can find it down in the description box below, right below these like and subscribe buttons, both of which I'm sure you already smashed, but now's another opportunity.
And then lastly, let me know your thoughts because I mean, look, if a guy using an absolutely publicly available clawed bot that anybody can get is able to accidentally stumble upon access to 7,000 different units within 24 different countries,
what about nation states that have teams of hackers, some of the smartest people in the world whose entire jobs are to find basically vulnerabilities?
How many different devices do you think they have access to?
Because again, this is an accident and this guy was a, I guess you can call him a white hat, right? He was a good actor, so he reported it immediately to the public letting everybody know.
But how many, either black hats there are or how many like state, I guess you can call them like the good guys and if they're the Americans, but how about the Chinese, the Iranians, the Russians, the Israelis, the Japanese, people in the UK, like MI5.
How many intelligence services throughout the entire world are working to gain access to the remote video feeds of people around the world and people are being ridiculous by putting literal cameras in their household,
assuming that they can be used, but very, as you can see, very easily they can be accessed and used.
So let me know your thoughts in the comments. You think this is a one-off from the Spanish guy that happened to report it to the public or is this just an absolutely widespread phenomenon, the only way to avoid getting viewed in your own home is to just not have a camera?
And then on the other hand, who doesn't have a smartphone, so I mean like in that case, I think we're all out of luck.
Let me know your thoughts on it, am I just being too black-pilled or am I seeing the world for what it is? Let me know your thoughts in the comments and then until next time, I'm your host, Roman from the Epoch Times, stay informed and most importantly, stay free.

Facts Matter

