Ingenieur erhält 30.000 US-Dollar für die Aufdeckung einer Schwachstelle bei 7.000 Roboterstaubsaugern – der Bastler wollte seinen Roboterstaubsauger einfach nur mit einem PS5-Controller steuern

    https://www.tomshardware.com/tech-industry/cyber-security/engineer-receives-usd30-000-for-exposing-a-vulnerability-affecting-7-000-robot-vacuum-cleaners-tinkerer-just-wanted-to-drive-his-robot-vacuum-with-a-ps5-controller

    Share.

    8 Kommentare

    1. He exposed them for having a camera AND microphone he gained access to. Yikes

    2. AdQuirky3186 on

      How do you even implement a security flaw that shares a single auth key with 7,000 other devices? They forgot to remove a dev-only key used for testing? Their key generation had 7,000 collisions? Doesn’t make any sense.

    3. The second I read DJI I knew me this was never a “vulnerability”. It was a planned backend with the intention of surveillance and mass data harvesting. They gave him 30k to shut up about it because they got caught.

    4. CoronaMcFarm on

      Smart devices should not be allowed to be connected to any external servers for this reason.

    5. this is the most accidental bounty hunter story ever and i love it. dude just wanted to drive his roomba with a ps5 controller and stumbled into a $30k payday.

      but seriously the shared auth key thing is wild. 7,000 devices with the same key basically means anyone who figured it out had access to cameras and mics in thousands of homes. whether that’s incompetence or intentional is almost irrelevant — the outcome is the same.

      also $30k for a vuln that exposed 7,000 devices with cameras and microphones feels… low? that’s like $4.28 per household’s privacy. bug bounties are still massively undervalued compared to what that data would be worth on the black market

    Leave A Reply