Asger Risom
A developer building a custom controller for his DJI Romo vacuum discovered a cloud security flaw that gave him access to live feeds and data from nearly 7,000 robot vacuums across 24 countries.
A software engineer trying to steer his $2,000 robot vacuum with a gaming controller instead found himself with access to thousands of devices around the world.
Sammy Azdoufal was building a custom controller for his DJI Romo vacuum when he uncovered a cloud security flaw that exposed live feeds and data from nearly 7,000 devices across 24 countries.
A token that unlocked thousands of homes
While reverse-engineering how the Romo communicates with DJI’s servers, Azdoufal discovered that the same authentication token used to access his own vacuum also granted access to many others.
According to reporting by Popular Science and The Verge, the flaw allowed him to:
- View live camera feeds
- Activate microphones
- Access status data
- Retrieve 2D floor plans of homes
- See approximate device locations via IP addresses
Rather than exploiting the vulnerability, Azdoufal reported it. DJI said it identified the issue through internal review in late January and deployed patches on February 8 and February 10. The fix was pushed automatically to users.
“DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately,” the company told Popular Science, adding that it plans to implement additional security enhancements.
Azdoufal has said he did not hack the system, but simply stumbled onto the issue while building his app.
The privacy risks of connected home robots
The DJI Romo launched in China last year and is expanding internationally. Like many modern robot vacuums, it relies on cameras and sensors to map homes and navigate rooms. Some of that data is stored remotely on company servers rather than solely on the device.
The episode highlights broader concerns about smart home privacy. Internet-connected vacuums, cameras, and assistants operate inside private living spaces, collecting sensitive data by design.
As Popular Science notes, lawmakers in the US have long raised concerns about Chinese-made tech products, including DJI devices. More broadly, cybersecurity experts have warned that internet-connected robots could become attractive targets for hackers.
The market for smart home devices continues to grow. Parks Associates estimated that 54 million US households had at least one smart home device installed as of 2020 — and adoption has continued to rise.
Meanwhile, companies including Tesla and Figure are racing to bring more advanced humanoid robots into homes, raising further questions about data access and oversight.
In this case, the vulnerability was patched before any known abuse. But the incident underscores how a simple coding experiment nearly turned a fleet of cleaning robots into a global surveillance network.
Source: Popular Science, The Verge
