Man tries to control his robot vacuum with PS5 controller, accidentally takes over 7,000 of them

A hobbyist's weekend experiment with a brand-new robot vacuum accidentally exposed one of the most startling smart-home security failures in recent memory - giving him live access to cameras, microphones, and home floor plans from nearly 7,000 strangers' houses across 24 countries.

Sammy Azdoufal, a tech strategist, used an AI coding assistant to build an app to link his new DJI Romo vacuum to a PS5 controller. Then he noticed something strange - the app wasn't just controlling his vacuum. It was controlling thousands. "I found my device was just one in an ocean of devices," he told The Verge.

The vulnerability allowed access to sensitive device data, including live video feeds from the robot's onboard camera, microphone audio, and detailed home mapping data from across the globe.

The technical failure was almost comically basic. DJI's MQTT message broker - the server that handles communication between the devices and the cloud - had no topic-level access controls. Once a user authenticated with a single device token, they could see traffic from other devices in plaintext.
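The missing control described above is a per-device topic authorization check on the broker. The following is an added example, not DJI's code: it models, in plain Python, the decision a broker's ACL hook should make on every publish and subscribe, with the weak "any authenticated token may touch any topic" policy beside the scoped one. The topic layout `devices/<serial>/<channel>`, the channel names and the token-to-serial table are constructed assumptions for illustration.

```python
"""Broker-side, per-device MQTT topic authorization (added illustration, not DJI's code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample binding: each device token is bound to exactly one serial.
TOKEN_TO_SERIAL = {
    "tok-owner-a": "SN00000000000001",
    "tok-owner-b": "SN00000000000002",
}

# Assumed channel layout: the owner's app publishes commands and reads the rest.
APP_MAY_PUBLISH = {"cmd"}
APP_MAY_SUBSCRIBE = {"telemetry", "map", "camera", "audio"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_open(token: str, action: str, topic: str) -> Decision:
    """The missing-ACL policy: any valid token may touch any topic, wildcards included."""
    if token in TOKEN_TO_SERIAL:
        return Decision(True, "authenticated")
    return Decision(False, "unknown token")


def authorize_scoped(token: str, action: str, topic: str) -> Decision:
    """Hardened policy: a token may only act inside devices/<its own serial>/."""
    serial = TOKEN_TO_SERIAL.get(token)
    if serial is None:
        return Decision(False, "unknown token")
    if action not in ("publish", "subscribe"):
        return Decision(False, "unsupported action")
    if topic.startswith("$"):
        # $SYS and MQTT 5 $share/<group>/... prefixes would sidestep the prefix
        # check below, so reserved topics are refused outright for app tokens.
        return Decision(False, "reserved topic prefix")
    prefix = f"devices/{serial}/"
    if not topic.startswith(prefix):
        # Rejects '#', 'devices/#', 'devices/+/camera' and any other serial:
        # the serial segment must be the literal one bound to the token.
        return Decision(False, "outside own device subtree")
    channel = topic[len(prefix):]
    if action == "publish":
        if "#" in channel or "+" in channel:
            return Decision(False, "wildcard in publish topic")
        if channel not in APP_MAY_PUBLISH:
            return Decision(False, "app may not publish to this channel")
        return Decision(True, "own command channel")
    # subscribe: a wildcard is fine only once it sits inside the own subtree
    if channel in ("#", "+") or channel in APP_MAY_SUBSCRIBE:
        return Decision(True, "own subtree")
    return Decision(False, "unknown channel")


Request = Tuple[str, str, str]  # (token, action, topic)


def cross_device_denials(requests: List[Request]) -> int:
    """Count requests the scoped policy rejects for reaching outside the caller's
    device; a spike of these from one token is the event a broker should alert on."""
    return sum(
        1 for tok, act, top in requests
        if authorize_scoped(tok, act, top).reason == "outside own device subtree"
    )


if __name__ == "__main__":
    # Constructed sample session: one token trying its own device, then everyone's.
    session = [
        ("tok-owner-a", "subscribe", "devices/SN00000000000001/camera"),
        ("tok-owner-a", "subscribe", "devices/#"),
        ("tok-owner-a", "subscribe", "devices/SN00000000000002/map"),
    ]
    for req in session:
        print(req[2], "open:", authorize_open(*req).allowed,
              "scoped:", authorize_scoped(*req))
    print("cross-device denials:", cross_device_denials(session))
```

The scoped policy deliberately treats the serial segment as a literal: the prefix comparison is what turns a broad filter such as `devices/#` into a denial, and the same comparison is what makes the denial countable as a signal.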

To demonstrate the flaw's reach, Azdoufal used just a 14-digit serial number to pinpoint a journalist's robot vacuum, confirmed it was cleaning the living room at 80% battery, and produced an accurate map of the house — all from another country.

Azdoufal said he had not hacked DJI's servers and felt he had not broken any rules. Rather than exploit the access, he went public. "People stick to the bug bounty program for money. I don't care. I just want this fixed," he told The Verge.

DJI's response drew criticism of its own. A company spokesperson told The Verge the flaw had been fixed - a statement that arrived about 30 minutes before Azdoufal demonstrated that thousands of robots, including the journalist's own review unit, were still reporting in live. DJI later issued a fuller statement acknowledging a backend permission validation issue and two patches, deployed on February 8 and 10.

Azdoufal said additional weaknesses remain unpatched, including a PIN bypass that allows users to view a DJI Romo video stream without the required security PIN.

Cybersecurity experts say the incident is a warning sign for the entire smart-home industry. AI coding tools are lowering the bar for advanced security probing, significantly enlarging the population of people capable of testing IoT protocols - further eroding any faith in security through obscurity.

This is not the first time a robot vacuum has been turned into an unwitting surveillance tool. In 2024, hackers commandeered Ecovacs Deebot X2 vacuums across U.S. cities, shouting slurs through speakers and chasing pets — a breach made possible because the company's PIN protection was checked only by the app, never by the server or the device itself.
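Both the unpatched Romo PIN bypass mentioned above and the 2024 Ecovacs incident come down to the same design flaw: the PIN is checked in the app, so the server accepts the app's word for it. The following is an added example, not DJI's or Ecovacs' code, showing the weak pattern (server trusts a `pin_verified` flag) beside a server-enforced one: the PIN is checked against a salted PBKDF2 hash, failures are rate-limited with a lockout, and a short-lived grant is required to open the stream. Class, method and URL names are assumptions; the device table is constructed.

```python
"""Server-side PIN enforcement for a device video stream (added illustration)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERS = 100_000  # assumed work factor; a 4-6 digit PIN needs the lockout below too


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS)


def make_devices(pins: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed device table: serial -> (salt, pin_hash). The server never stores the PIN."""
    out = {}
    for serial, pin in pins.items():
        salt = secrets.token_bytes(16)
        out[serial] = (salt, hash_pin(pin, salt))
    return out


class FakeClock:
    """Deterministic clock so lockout and expiry can be exercised offline."""
    def __init__(self, t: float = 0.0) -> None:
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class StreamServer:
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300
    GRANT_TTL = 60

    def __init__(self, devices: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._devices = devices
        self._clock = clock
        self._failures: Dict[str, Dict[str, float]] = {}
        self._grants: Dict[str, Tuple[str, float]] = {}  # grant -> (serial, expiry)

    def open_stream_trusting_client(self, serial: str, pin_verified_by_app: bool) -> Optional[str]:
        """Weak pattern: the only PIN check ran in the app; the server believes the flag."""
        if serial in self._devices and pin_verified_by_app:
            return f"stream://{serial}"
        return None

    def verify_pin(self, serial: str, pin: str) -> Optional[str]:
        """Hardened: check the PIN here, throttle failures, return a short-lived grant."""
        record = self._devices.get(serial)
        if record is None:
            return None  # same answer as a wrong PIN, so serials cannot be enumerated
        salt, stored = record
        state = self._failures.setdefault(serial, {"count": 0, "locked_until": 0.0})
        now = self._clock()
        if now < state["locked_until"]:
            return None  # locked out: not even the correct PIN is accepted
        if not hmac.compare_digest(hash_pin(pin, salt), stored):
            state["count"] += 1
            if state["count"] >= self.MAX_FAILURES:
                state["locked_until"] = now + self.LOCKOUT_SECONDS
                state["count"] = 0
            return None
        state["count"] = 0
        grant = secrets.token_urlsafe(32)
        self._grants[grant] = (serial, now + self.GRANT_TTL)
        return grant

    def open_stream(self, serial: str, grant: str) -> Optional[str]:
        """The stream endpoint accepts only a live grant bound to this serial."""
        entry = self._grants.get(grant)
        if entry is None:
            return None
        bound_serial, expiry = entry
        if bound_serial != serial or self._clock() > expiry:
            return None
        return f"stream://{serial}"


if __name__ == "__main__":
    clk = FakeClock()
    srv = StreamServer(make_devices({"SN1": "1234"}), clock=clk)
    print("trusting client, no PIN:", srv.open_stream_trusting_client("SN1", True))
    print("enforced, forged grant:", srv.open_stream("SN1", "forged"))
    print("enforced, real PIN:", srv.open_stream("SN1", srv.verify_pin("SN1", "1234")))
```

The point of the grant is that the stream endpoint never sees a PIN and never sees a "verified" flag: the only way to reach it is through a check the server itself performed moments earlier.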


Featured Image Photo Credit: Joe Kelley