
Your Token Proves Who You Are, Not What You Own

Blog post from FusionAuth

Post Details
Author: Brad McCarty
Word Count: 1,517
Language: English
Summary

Sammy Azdoufal's attempt to control his DJI Romo robot vacuum with a PlayStation 5 controller revealed a significant security vulnerability in DJI's platform, and it illustrates the distinction between authentication and authorization. Sammy authenticated successfully with a valid token, but he then discovered that the same token gave him access to thousands of vacuums worldwide, because no authorization check restricted the token to the specific devices he owned. DJI's MQTT message broker accepted any valid token as sufficient to read data from any device, a common failure mode known as Broken Object Level Authorization (BOLA): the server verifies that the caller is authenticated but never verifies that the caller is permitted to act on the particular object requested. The incident underscores the need for robust authorization in IoT platforms, where device management is typically centralized and a single missing check is amplified across every connected device. DJI resolved the vulnerability quickly after Sammy reported it, and the case serves as a cautionary tale about designing authentication and authorization as separate, independently enforced controls so that proving who you are never implies access to what you do not own.