Sammy Azdoufal found a master key in his DJI vacuum that gave him control of all 7,000 devices sold
Feb 26, 2026 · Full transcript · This transcript is auto-generated and may contain errors.
Featuring Sammy Azdoufal
And without further ado, we have Sam. Welcome to the show.
How are you doing?
Hi everyone. How are you doing tonight?
Thank you so much for joining.
Vacuum guy, how's your week been? Were you expecting to go this viral?
Well, not really, because it's been like three days since I discovered the breach.
Yeah.
So it's interesting that it's popping up now.
Yeah.
Wait, how many you said?
Did you say two years?
No, 20 days. Sorry.
20 days. 20 days. Okay. Break it down. Why did you start hacking on your DJI vacuum? Give us the full chain of events.
Okay. Well, I didn't even try to hack it.
It was just, let's say, a side project. When I saw my little guy cleaning my living room while I was playing on my PS5, my brain just made some association and I was like, "Okay, what if I could drive my boy with my PS5 controller?"
Yeah.
So what I did: I took the DJI app, because DJI has an official app called DJI Home, and I tried to understand what happens when my robovac moves, when it goes straight, when it goes left and turns right, what changes in the data between my vacuum and the DJI cloud, and tried to replicate it with my PS5 controller. After maybe one hour I had something working, like I could drive it with my PS5 controller. But I wanted to go further, like if my little guy has less than 30% of battery I want to hear him cry. Right. So
you feel pain.
So I need to drive the battery status,
like the percentage of my battery. So I continued my reverse engineering of the DJI Home app
and found out how to do it, how to ask about the battery status. I did it. But what I received was not like, "Oh, your robot is at 80% battery."
I got tons of data, like a lot of battery statuses. I didn't understand. So I took this big chunk of data, it was a lot, I opened my CL code, sent the file and just asked it what's going on, explained what I was trying to do and if there was something I did wrong, like why I had this data. And it answered me like, okay, it's not just for your device, there are thousands of others. So I took a little bit of time to process this. Well, because it's AI, of course I double checked. I tried to manually read my big log file, the data from the vacuum that was sent back to me when I asked it about the battery status, and yeah, it wasn't just my device. So for me it was like, okay, I have a key, my own user key, let me control my robot,
it looks like my key can open other doors than mine. So the software I built to control my robot and also drive the full stream video and microphone from the vacuum, I have some environment variables, like the thing you can change just to make a piece of software work with another device. So I have two things here, and the serial number
of the device. So I was just like, okay, I just need to change the device serial number and put another one and maybe it's going to work. It happened that I have a friend who is as stupid as me to buy this vacuum and I just asked him his number.
Yeah.
So he gave it to me, I performed some tests and yes, everything worked. I saw everything. I heard him and I could control his robot with a really low latency, which is great. And so we were a little bit shocked about what we saw. So I started to check the DJI program. They have one.
Yeah.
But everything is in Chinese when you go to the website. I was a little bit confused, like it's just for Chinese citizens, and even the reward was in the local currency of China. So I just tweeted about it like, hey, I'm not a Chinese citizen, can I apply? I didn't have any answer. So I applied, but in English, to the program, and no one answered me. I was
Like you weren't supposed to. That's not a bug.
Yes, that's a feature.
It seems like it.
So I was a little bit frustrated about it. So I started live tweeting about what I discovered. I didn't show how I did it. I just showed some data I could retrieve from the DJI cloud. They finally answered me, but just because I harassed them on Twitter by DM, and they said, okay, thank you, we're going to check that and be back to you as soon as possible. They came back to me probably one day after, telling me, "Okay, we saw the issue and we fixed it. Thank you for everything."
But they didn't fix the problem. I
Wait, so by this point you have full access and control over 7,000 individual devices?
To be more precise, it was 7,000 vacuums and 3,000 DJI Power. It's like their battery pack or something like that, and connected to the internet apparently, because I had access to it. But yeah, it was around 10,000 devices.
And how did you get the serial numbers for those again? I imagine that they've sold more than 7,000. So what made the ones that actually were showing up for you different from the ones that you couldn't access?
Can you repeat or rephrase it? Sorry.
So I understand how you had your serial number and your key, which turned out to be the master key, and your friend sent you his serial number and then you were able to control his robot vacuum cleaner. But if I have one of these and you don't know my serial number, how do you get access to it?
Unfortunately, DJI gave it to me without any keys. Like if I take my own user key
Yeah.
and plug it into the MQTT protocol of DJI, I see everything. So I didn't have to guess the serial number of everyone. I just saw the data in the clear.
Wow.
Device x6x6x6x6x6x6x6x6x6x6 start cleaning, for example.
And like, yeah, so I didn't have to decrypt or crack anything. Everything was clear.
And so, oh sorry, excuse me.
No no no, this is fascinating, that all of that data was just, because that's actually two different vulnerabilities: one is the network topology and the other is the access key, and you would expect that both would be locked down, or at least one, but the fact that both of them were available to you is very disconcerting.
Yes. And so just after that,
yeah,
after, I'm not going to say they lied about fixing it and not fixing it, but
they probably just fixed some stuff, but not everything. I was talking with The Verge, who started to contact me when I live tweeted what I discovered. So we planned to do a demo, and between the time we planned it and the real demo, like two days happened, and during this time DJI released another fix which worked,
but like, not really. It worked in that I can't retrieve the camera video stream anymore,
I can't retrieve the microphone from other users, it's protected now. But during the demo, I still had access to all of the others' data.
I still had access to the 3D map plan, the Magma Pro plan, sorry,
because this vacuum has tons of sensors and they need a 3D map of where you live to make sure it knows where to go when it needs to clean. So I still got this data, and the full telemetry system of DJI. We performed the demo with The Verge and one day after, no more access to the others' data,
everything was
What a remarkable story. Thank you for sharing it with us.
Yeah. How much confidence does this give you that the DJI drones that they've sold millions of could have, do you think they're more locked down, or do you think this could be kind of a company-wide issue?
I don't know. But the last thing about this story: they still have two major issues. We decided with The Verge not to disclose them publicly
because it's kind of bad and I can't talk a lot about it.
We try to play a fair game with the company.
Yeah. Like, okay, we give you a little bit of time. We know this breach is not as easy to fix as the first one, but they still have two major issues. And indirectly, like really indirectly, you can still have access to stream video from other users.
That's crazy.
That's so insane. Do you know, any idea how many of these vacuums they've actually sold? Have they published any of that data?
7,000.
Oh. Oh, so they've only sold 7,000.
I got access to all.
I was assuming that you had only gotten access to a
uh kind of like a subsection.
Seems like you got them all.
You got them all.
They didn't separate by region. It was like a whole bucket, like a bucket with all the devices.
Product, and there aren't that many out there. So, absolutely wild stuff.
It's just insane. I hope that they're contacting customers who have them in their homes and letting them know that, hey, by the way, you
might have been spied on by some
anybody on the entire planet.
It's a data breach. It's like, because unless they can prove that you were the first and only person to ever access this and you didn't go further, then they have an unknown liability here that they should disclose. So it'll be very interesting to see how they respond, but thank you for the citizen journalism, the activism.
Yeah, it sounds like you're handling it in the right way, and looking forward to whatever you discover next. We'll be following along. It's great to meet you.
Have a great rest of your day.
Cheers.
We'll talk to you soon.