Thought for the week: What an accidental hack of robot vacuums can teach us about the next generation of cyberattacks

This op-ed explores how an accidental hack of 7,000 robot vacuums shows just how easily everyday connected devices can become unexpected cyberattack vectors, what that could mean for future threats, and how regulation and companies can help close the gaps.

Contributors:
Brian Hengesbaugh
CIPP/US
Global Chair, Data and Cyber
Baker McKenzie
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
To begin your week, I recommend reading this Tech Times article on how a programmer accidentally hacked 7,000 DJI robot vacuums using a video game controller. The short summary is that an AI engineer thought it would be fun to manually drive his new DJI Romo vacuum cleaner "like a video game." So, he used the AI coding assistant Claude Code to reverse engineer how the vacuum communicates with DJI's cloud and built a custom app that mapped the vacuum's movement to his video game controller.
Everything was going fine, except that a backend authentication flaw caused the system to accept his single device token as valid for many other DJI robot vacuums, not only the device it had been issued for. This allowed him to stream data from roughly 7,000 devices across more than 20 countries. He could apparently view live camera feeds, microphone audio, detailed floor plans and room layouts, battery levels, cleaning status, and device locations. In one exchange with a journalist, he was able to view the journalist's own vacuum cleaning their living room in real time. Upon notification, DJI fixed the flaw, and the vulnerability now appears contained, which is good news. It is also good to have a somewhat fun incident that makes us pause for a moment and think about the implications for connected-device security.
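The class of flaw described above is worth seeing in code. The following is an added, illustrative model and is not DJI's code or protocol, nor anything from the Tech Times article: it assumes a cloud API that issues a signed per-device token and serves a device's data stream on request. The device ids, owners, stream names and server secret are constructed for the example. The vulnerable handler checks that the token is genuine but never checks which device the token belongs to, so one valid token enumerates the whole fleet; the hardened handler binds the token to the requested device.

```python
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed server secret for the example; not a real key.
SERVER_SECRET = b"example-server-secret-not-real"

# Constructed fleet: device_id -> owner and the data stream the device exposes.
DEVICES = {
    "robot-0001": {"owner": "alice", "stream": "alice-living-room-camera"},
    "robot-0002": {"owner": "bob", "stream": "bob-kitchen-camera"},
    "robot-0003": {"owner": "carol", "stream": "carol-hallway-camera"},
}


def _tag(device_id: str) -> str:
    """HMAC-SHA256 over the device id, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).hexdigest()


def issue_token(device_id: str) -> str:
    """Issue a token bound to exactly one device: '<device_id>.<hmac tag>'."""
    return f"{device_id}.{_tag(device_id)}"


def verify_token(token: str) -> Optional[str]:
    """Authenticate the token. Returns the device id it was issued for, or None."""
    try:
        device_id, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(device_id)):
        return None
    return device_id


def stream_vulnerable(token: str, requested_device: str) -> Optional[str]:
    """Vulnerable: the token is authenticated, but the caller chooses the device.

    Any genuine token is accepted for any device id the caller names, so the
    token's binding to its own device is never enforced.
    """
    if verify_token(token) is None:
        return None
    dev = DEVICES.get(requested_device)
    return dev["stream"] if dev else None


def stream_hardened(token: str, requested_device: str) -> Optional[str]:
    """Hardened: the token must be bound to the very device being requested."""
    bound_device = verify_token(token)
    if bound_device is None or bound_device != requested_device:
        return None
    dev = DEVICES.get(requested_device)
    return dev["stream"] if dev else None


def enumerate_fleet(handler: Callable[[str, str], Optional[str]], token: str) -> List[str]:
    """Simulate the accidental hack: one valid token tried against every device id.

    Returns the ids of every device whose stream the handler served.
    """
    return [device_id for device_id in DEVICES if handler(token, device_id) is not None]


if __name__ == "__main__":
    alice_token = issue_token("robot-0001")
    print("vulnerable:", enumerate_fleet(stream_vulnerable, alice_token))
    print("hardened:  ", enumerate_fleet(stream_hardened, alice_token))
```

Run stand-alone, the vulnerable handler serves all three devices to Alice's token while the hardened one serves only her own. Two practical points follow from the model: the binding check belongs on the server, because a client-side app (or a reverse-engineered replacement for it, as in the incident) is under the user's control; and a single token appearing against many distinct device ids in the backend logs is itself a detection signal worth alerting on.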
What are the implications for the future of cyberattacks?
It has been widely known for many years that connected devices can give rise to cybersecurity risks, perhaps most famously when security researchers remotely disabled a Jeep on the highway with a reporter at the wheel. And if you were brave enough to go to the DEF CON hacking conference in Las Vegas around the time this occurred (tip: don't bring your phone to DEF CON), you might have seen a live, on-site demonstration of how they got the job done. My sense is that vehicle manufacturers have taken these vulnerabilities and risks seriously and do quite a bit to protect consumers from these threats.
But what about other devices? An authentication flaw that treats a single device token as valid for thousands of robot vacuums? Not so good. It does not require a great deal of imagination to work through what cyber risks can be associated with connected devices in the home or for personal use.
Smart cameras and doorbells, voice assistants, ovens and kitchen appliances, thermostats, and more have become fixtures in daily life. In recent years we have seen threat actors move from double extortion, demanding payment both for decryption keys and for not leaking stolen data, to a third layer of pressure, such as threats directed at the corporate customers of the impacted victim. In this context, we could see a variation of that third layer, where the threat actor extorts the victim company on the basis that it will take some real-world action against the user base, such as turning off thermostats in winter unless a ransom is paid. Or, perhaps more concerningly, we could see this threat vector leveraged to carry out destructive goals associated with nation-state and cyber war initiatives.
Is this an area where regulations can come to the rescue?
This is an area where regulation can help set some minimum standards to protect consumers and the market. At present, we have industry-specific regulations, such as U.S. Food and Drug Administration guidance implementing statutory authority for cybersecurity in medical devices. We also have some efforts at comprehensive regulatory requirements, e.g., the California IoT Security Law (SB-327), which requires manufacturers of connected devices to equip products with reasonable security features, and the EU Cyber Resilience Act, which mandates security-by-design and conformity assessments for products with digital elements sold in the EU. And of course, there is always the threat of general regulatory action under unfair or deceptive practices authority, as well as negligence, breach of contract, and other consumer claims that can be applied to any particular incident. Regulation is more helpful than consumer claims, as regulation can set a clear baseline and give companies something specific to achieve and maintain.
What should companies do?
Any company that manufactures or distributes hardware or software connected to real-world devices in homes or in consumers' hands should incorporate these increasing risks into its overall security assessments and remediation efforts. This includes the manufacturers and distributors of devices in homes that have SIMs or connect to Wi-Fi. It also includes the manufacturers and distributors of devices that connect via Bluetooth to phones, e.g., smart locks, fitness trackers, smart lights, etc. Beyond the substantive security controls, it would be helpful to consider these issues when contracting with both customers and vendors. It would also be important to incorporate them into tabletop exercises and incident response playbooks, to take account of the unique and potentially acute aspects of such incidents, in particular that an attacker may hold live access to cameras, microphones, or physical controls in customers' homes while the response is under way.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.


