
I never thought that an ordinary evening could turn into a spy story that would later become known around the world. A story that is very strange, but at the same time very simple, which I first had to tell the company's security service employees, and now you.
Moreover, it is not difficult to imagine what would have happened if my software, after passing authentication, had unexpectedly gained access to the keys of crypto wallets around the world — just like robot vacuum cleaners. I would have been able to not only see the data, but also control other people's funds belonging to strangers around the world. But let me tell you everything in order.
I was sitting in my room trying to master my new DJI Romo vacuum cleaner, which combines drone technology (LiDAR, binocular vision) and video surveillance. Simply put, I wanted to play around a little, not clean. And when I started my vacuum cleaner, data from another device appeared in front of me. And then another and another. And in a few minutes, I was already seeing 6,700 robots from around the world, each with its own serial number, IP address, battery status, and even a map of the premises. In other words, I had access to thousands of other people's homes and their cameras.
At one point, I became an invisible observer in hundreds of apartments in Asia, Europe, North America, and elsewhere.
I didn't hack these robots on purpose: my authentication key was simply recognized by the DJI server as a universal key. Now imagine that instead of robot vacuum cleaners, this system contained accounts and crypto wallets, each with hundreds or hundreds of thousands of dollars in various digital currencies!
I was horrified when I imagined how little time it would take to withdraw hundreds of millions in an unknown direction — after all, attackers could quickly transfer ether, bitcoins, or other tokens to third-party addresses. Fortunately, however, this was only a hypothetical scenario. In reality, I was faced with millions of images of home interiors and vacuum cleaner movements, not cryptocurrency account keys.
I immediately disabled my app, returned DJI's access, and wrote to the company about the vulnerability. I was almost called a criminal, even though I was just trying to use the device to clean my room.
However, it seems that the company learned its lesson — after all, when it comes to private data or digital assets, one mistake can cost much more than you can imagine!
After the Romo story, I thought I had put an end to this strange story. Yes, this is the very same sensational story when I tried to master my new DJI Romo robot, which combines drone technology and video surveillance, and hacked robotic devices around the world. But the real intrigue began later, when my friend, an analyst at Chainalysis, called me and asked if I was sure that my case was a coincidence. I should note that we had previously met at digital security conferences in San Francisco and Las Vegas, where we talked about phishing, hacking methods and techniques, and already hacked crypto wallets.
He said that their systems had detected strange activity: synchronized attempts to access several thousand crypto wallets, which had one thing in common — the use of third-party services with centralized authentication. Moreover, there were no visible signs of a direct hack. Only a weak link between the user and the server. I agreed to tell him everything I knew about this and the already well-known story of how I accidentally hacked 6,700 devices.
We met offline. On the table was a laptop with lists of transactions, timestamps, and IP clusters. Some of the routes led to infrastructure previously linked to the Lazarus Group, a group known for attacks on crypto exchanges and DeFi projects. There was no direct evidence. But the coincidences were too interesting.
I realized that if the Romo vulnerability had affected crypto wallets instead of robot vacuum cleaners, the scenario would have been catastrophic: the system would have recorded the movement of funds. At the same time, private keys would have been lost irretrievably. It is noteworthy that users would have blamed exchanges, manufacturers, and software developers. But the real reason was errors in the access architecture.
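The "universal key" described above is, in access-control terms, a server that verifies the token but never checks which device that token's owner is allowed to read. The following is an added illustration of that weak pattern beside its fix; it is not DJI's code, and every token, serial number, address and map name in it is constructed for the example.

```python
# Constructed sample data: two users and a three-robot fleet (nothing here is real).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}       # token -> user id
DEVICES = {
    "SN-0001": {"owner": "alice", "ip": "10.0.0.11", "battery": 82, "map": "flat-A"},
    "SN-0002": {"owner": "bob",   "ip": "10.0.0.12", "battery": 40, "map": "flat-B"},
    "SN-0003": {"owner": "bob",   "ip": "10.0.0.13", "battery": 91, "map": "flat-C"},
}

class Forbidden(Exception):
    pass

def authenticate(token: str) -> str:
    """Common first step: reject unknown tokens, return the caller's user id."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Forbidden("unknown token") from None

def get_device_vulnerable(token: str, serial: str) -> dict:
    """Weak pattern: any valid token unlocks every serial number in the fleet."""
    authenticate(token)            # proves *who* is asking ...
    return DEVICES[serial]         # ... but never whether they may see this robot

def get_device_hardened(token: str, serial: str) -> dict:
    """Fixed pattern: an object-level check binds the session to the device owner."""
    user = authenticate(token)
    device = DEVICES.get(serial)
    # One answer for "does not exist" and "not yours", so serials cannot be enumerated.
    if device is None or device["owner"] != user:
        raise Forbidden("device not found")
    return device

def reachable(token: str, handler) -> int:
    """Count how many robots a single token can read through a given handler."""
    n = 0
    for serial in DEVICES:
        try:
            handler(token, serial)
            n += 1
        except (Forbidden, KeyError):
            pass
    return n
```

With the vulnerable handler one token reaches the whole fleet; with the hardened one it reaches only the caller's own devices, which is the check the story's "access architecture" lacked.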
We did not publicize our further actions. Instead, I forwarded the technical findings to the security team, and a patch appeared within a few days. I was informed by letter that specialists were already testing the next security system to prevent the emergence of a phenomenon called the “universal key.”
In the digital world, crime rarely starts with hacking. Most often, it starts with one convenient solution that works “too well for all locks.” And sometimes it can all start with turning on the controller of a regular vacuum cleaner. That's exactly what happened to me recently.