A cloud permissions bug in DJI’s $2,000 Romo robot vacuum could have allowed access to cameras, microphones, and home floor plans across thousands of devices before the company issued a fix.
A developer has uncovered a security flaw in the DJI Romo ecosystem that could have exposed the cameras and microphones of roughly 7,000 devices across 24 countries.
The vulnerability, discovered by developer Sammy Azdoufal, stemmed from a cloud permissions bug that allowed access to data from multiple robots using a single authentication token. DJI says it has since fixed the issue.
How the flaw worked
While building a custom controller for the $2,000 DJI Romo vacuum, Azdoufal found that the same authentication token could grant access to multiple user accounts — not just the device it was meant to control.
Because of incorrect server-side verification, the system effectively treated the token as a master key. That meant someone could:
- View live camera feeds
- Activate microphones
- Check device status
- Access 2D floor plans of users’ homes
By analyzing IP addresses, it was also possible to estimate device locations.
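The failure described above, modelled in Python as an added example that is not DJI's code: a device lookup that only checks the token is valid beside one that also checks the token's account owns the requested robot. Token names, device ids, account names and the data shape are all assumptions.

```python
# Added example, not DJI's code: a minimal model of the bug described above.
# Device ids, tokens and account names are constructed for illustration.

# Constructed sample state: who owns which robot, and what each robot exposes.
DEVICE_OWNER = {"robot-A": "alice", "robot-B": "bob"}
DEVICE_DATA = {
    "robot-A": {"status": "docked", "floor_plan": "plan-A.svg"},
    "robot-B": {"status": "cleaning", "floor_plan": "plan-B.svg"},
}
# Hypothetical token store: each token is bound to the account it was issued to.
TOKEN_SUBJECT = {"tok-alice": "alice", "tok-bob": "bob"}

class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""

def authenticate(token):
    """Validate the token and return the account (subject) it belongs to."""
    if token not in TOKEN_SUBJECT:
        raise Forbidden("invalid token")
    return TOKEN_SUBJECT[token]

def get_device_vulnerable(token, device_id):
    """Checks that the token is valid, but not that its subject owns the
    device, so any valid token acts as a master key for every robot."""
    authenticate(token)
    return DEVICE_DATA[device_id]

def get_device_fixed(token, device_id):
    """Server-side object-level authorization: the token's subject must own
    the requested device, otherwise the request is rejected."""
    subject = authenticate(token)
    if DEVICE_OWNER.get(device_id) != subject:
        raise Forbidden(f"{subject} does not own {device_id}")
    return DEVICE_DATA[device_id]

def count_cross_account_leaks(handler, tokens, device_ids):
    """Regression check for a fix like the one described: count (token,
    device) pairs where the handler returns another account's data.
    A correctly authorizing handler returns 0."""
    leaks = 0
    for token in tokens:
        for device_id in device_ids:
            try:
                handler(token, device_id)
            except Forbidden:
                continue
            if DEVICE_OWNER[device_id] != TOKEN_SUBJECT[token]:
                leaks += 1
    return leaks
```

Running the leak count against both handlers shows the difference the fix makes: the unauthorized lookup returns the other account's floor plan and status, the fixed one rejects every cross-account pair.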
Azdoufal said he did not exploit the vulnerability to collect user data and instead reported it. He brought the matter to The Verge, which contacted DJI for comment.
DJI responds
DJI confirmed the vulnerability, saying it identified the issue in its DJI Home system in late January.
According to the company, it began corrective action immediately. A first patch was deployed on February 8, followed by a second update on February 10. The fix was distributed automatically to users.
DJI also announced “further security enhancements,” though it did not disclose specific details.
Privacy concerns around smart homes
The incident adds to broader concerns about privacy and security in smart home devices.
Robot vacuums and other connected home products operate inside private living spaces and often include cameras, microphones, and mapping technology. According to Parks Associates, around 54 million US households had at least one smart home device as of 2020 — a number that has likely grown since.
The issue also lands amid ongoing scrutiny in the US over data security risks tied to certain Chinese technology manufacturers, with lawmakers from both parties raising concerns in recent years.
DJI Romo expansion
The DJI Romo debuted in China last year and is gradually expanding to other markets. Priced at around $2,000, the device includes a docking station, multiple sensors, and autonomous navigation features, while allowing remote control via a companion app.
While DJI says the vulnerability has now been fixed, the discovery highlights how a single backend flaw can potentially turn everyday smart home devices into powerful surveillance tools — without owners ever knowing.
Sources: The Verge, Popular Science