Security flaw allows man to accidentally gain control of nearly 7,000 robot vacuums

An Unexpected Discovery in Smart Home Technology

A surprising security vulnerability recently came to light involving the DJI Romo robot vacuum. What began as a simple experiment to control a vacuum cleaner using a gaming controller quickly escalated into a global cybersecurity concern.

According to a report by The Verge, a man named Azdoufal, who leads AI strategy at a vacation rental home company, unintentionally gained access to nearly 7,000 robot vacuums across 24 countries.


How the Vulnerability Was Discovered

Azdoufal’s goal was simple: he wanted to control his DJI Romo vacuum using a PS5 gamepad by building his own remote-control app.

To achieve this, he used an AI coding assistant to reverse-engineer how the robot communicated with DJI’s cloud servers. He later revealed that he used Claude Code to understand DJI’s communication protocols.

However, once his homegrown app began communicating with DJI’s servers, something unexpected happened. Instead of only connecting to his own vacuum, nearly 7,000 devices responded, treating him as their authorized owner.

He explained:
“I found my device was just one in an ocean of devices.”


What Access Did He Gain?

The vulnerability granted Azdoufal extensive access, including:

  • Live camera feeds

  • Audio listening capability

  • 2D home mapping and floor plans

  • Serial numbers

  • Cleaning status and room details

  • Distance travelled

  • Charging time information

  • Obstacle detection logs

  • IP addresses revealing approximate locations

In just nine minutes, his laptop catalogued approximately 6,700 DJI devices across 24 countries and collected over 100,000 device messages.

When including DJI Power portable power stations, which also connect to the same servers, the number of accessible devices exceeded 10,000.

Importantly, Azdoufal clarified that he did not hack DJI’s servers. He stated:
“I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.”

The issue stemmed from exposed credentials and a server-side authentication flaw, not from any forced intrusion.
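
The gap between checking that a client is logged in and checking that it owns the device it asks about can be shown in a few lines. This is an added sketch, not code from the article or from DJI: the relay, accounts, tokens and serial numbers are all constructed, and the article does not describe DJI's actual protocol.

```python
# Hypothetical cloud relay: every name and value here is constructed.
OWNERS = {"SN-A001": "alice", "SN-B002": "bob", "SN-C003": "carol"}  # serial -> account
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}                  # token -> account


def authorize_flawed(token, serial):
    """Authentication only: any valid session is accepted for any device."""
    return token in SESSIONS


def authorize_fixed(token, serial):
    """Authentication plus ownership: fail closed on unknown token or serial."""
    account = SESSIONS.get(token)
    return account is not None and OWNERS.get(serial) == account


def reachable(token, check):
    """Serials whose data the relay would hand to this session under `check`."""
    return sorted(s for s in OWNERS if check(token, s))


def audit(access_log):
    """Map each account to the devices it read without owning them."""
    foreign = {}
    for token, serial in access_log:
        account = SESSIONS.get(token)
        if account is None or OWNERS.get(serial) != account:
            foreign.setdefault(account or "<unauthenticated>", set()).add(serial)
    return {acct: sorted(serials) for acct, serials in foreign.items()}


# Constructed access log: (session token, device serial) per delivered message.
SAMPLE_LOG = [
    ("tok-alice", "SN-A001"),
    ("tok-alice", "SN-B002"),
    ("tok-alice", "SN-C003"),
    ("tok-bob", "SN-B002"),
]

if __name__ == "__main__":
    print("flawed:", reachable("tok-alice", authorize_flawed))
    print("fixed: ", reachable("tok-alice", authorize_fixed))
    print("audit: ", audit(SAMPLE_LOG))
```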


Live Demonstration and Global Impact

Azdoufal even conducted a live demonstration to showcase the level of access he had gained. During the demo, devices openly shared real-time operational data.

The scale of exposure was significant, spanning 24 countries and thousands of homes. This raised serious concerns about:

  • Privacy risks

  • Smart home security

  • Cloud authentication weaknesses

  • IoT device vulnerability

The incident highlights how interconnected smart home devices can become large-scale privacy risks if proper security measures are not enforced.


About the DJI Romo

The DJI Romo was first introduced in China last year and is now expanding into international markets.

Retailing at around $2,000, the device is roughly the size of a large terrier or a small fridge when docked at its base station. It features:

  • Advanced navigation sensors

  • Obstacle detection technology

  • AI-powered mapping

  • App-based remote control

Its premium positioning and smart capabilities make the security lapse even more alarming.


Issue Resolved by DJI

After Azdoufal reported the vulnerability to The Verge, DJI was informed of the issue.

According to statements given to Popular Science, the issue has now been “resolved.”

By Wednesday morning, Azdoufal confirmed that his scanner no longer had access to any devices. DJI effectively plugged the security gap, preventing further unauthorized access.


Lessons for the IoT Industry

This incident serves as a powerful reminder of the risks associated with cloud-connected smart devices.

Key takeaways include:

  • Proper authentication controls are critical

  • API security must be thoroughly tested

  • IoT devices require continuous vulnerability assessments

  • Ethical disclosure plays a crucial role in cybersecurity

While no malicious intent was involved in this case, the scale of access demonstrates how fragile IoT ecosystems can be if security is overlooked.

As smart home devices continue to expand globally, companies must prioritize robust cybersecurity frameworks to protect user privacy and prevent large-scale breaches.
