DJI Robot Vacuum Hack: Thousands of Homes Exposed by Security Flaw

by Rachel Kim – Technology Editor

A software engineer’s attempt to control a robot vacuum with a video game controller inadvertently opened a window into the homes of nearly 7,000 people across 24 countries, exposing live camera feeds, microphone audio, floor plans, and device status data. Sammy Azdoufal discovered the vulnerability while developing a custom app for his DJI Romo vacuum, and promptly reported it to the manufacturer.

The DJI Romo, launched in China last year and recently expanding to international markets, retails for approximately $2,000. Like other autonomous vacuums, it relies on a suite of sensors to navigate and map its surroundings. Crucially, some of this sensor data is stored on DJI’s remote servers, requiring the device to authenticate with the cloud to operate effectively. Azdoufal’s goal was to bypass the standard app and control the Romo using a PlayStation 5 controller.

Using an AI coding assistant to reverse-engineer the communication protocols between the vacuum and DJI’s servers, Azdoufal found a critical flaw. Instead of verifying his credentials against a single device, the servers granted him access to a vast network of Romo vacuums, effectively treating him as the owner of each one. This allowed him to view real-time camera feeds, activate microphones, and compile 2D floor plans of the homes where the robots were operating. He was also able to determine the approximate locations of the devices based on their IP addresses.
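The class of flaw described above, sketched as an added example that is not DJI's code or protocol: a check that stops at "is this a valid login" beside one that also requires the account to own the requested device, plus a log review that flags accounts reaching devices they do not own. All account names, tokens, device IDs and log entries are constructed for illustration.

```python
# Constructed sample data: which account owns which device (all names hypothetical).
DEVICE_OWNERS = {
    "romo-0001": "alice",
    "romo-0002": "bob",
    "romo-0003": "carol",
}
# Constructed session tokens mapped to the authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request is not authorized for the requested device."""


def authorize_flawed(token, device_id):
    """Flaw as the article describes it: a valid login is treated as owning every device."""
    if token not in SESSIONS:
        raise Forbidden("unknown token")
    return device_id in DEVICE_OWNERS  # authentication only, no ownership check


def authorize_per_device(token, device_id):
    """Hardened check: the account behind the token must own the requested device."""
    account = SESSIONS.get(token)
    if account is None:
        raise Forbidden("unknown token")
    # Same error for "no such device" and "not yours", so device IDs cannot be enumerated.
    if DEVICE_OWNERS.get(device_id) != account:
        raise Forbidden("device not available to this account")
    return True


def flag_cross_device_access(access_log):
    """Return {account: devices requested that the account does not own}."""
    flagged = {}
    for token, device_id in access_log:
        account = SESSIONS.get(token)
        if account and DEVICE_OWNERS.get(device_id) != account:
            flagged.setdefault(account, set()).add(device_id)
    return flagged


# Constructed access log: (token, device requested).
ACCESS_LOG = [
    ("tok-alice", "romo-0001"),
    ("tok-bob", "romo-0002"),
    ("tok-alice", "romo-0002"),
    ("tok-alice", "romo-0003"),
]
```

The ownership comparison has to run on the server for every request that names a device; a client-side filter over the device list does not change what the server will return.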

Azdoufal shared his findings with The Verge, which then contacted DJI. The company confirmed the vulnerability and stated it was addressed through two updates, deployed on February 8 and February 10, 2026. “DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately,” a DJI spokesperson told Popular Science. “The issue was addressed through two updates…no user action is required.” DJI has stated it plans to implement further security enhancements, but has not detailed what those may be.

The incident highlights growing concerns about the security of internet-connected devices, particularly within the home. Recent controversies involving Ring cameras and Google Nest doorbells have underscored the privacy implications of smart home technology. A Ring advertisement for a “search party” feature sparked criticism for its potential surveillance capabilities, while reports of Google accessing Nest footage for a criminal investigation raised questions about data control.

The potential for misuse extends beyond privacy concerns. Lawmakers in the United States have expressed concerns about the security risks posed by Chinese tech manufacturers like DJI, though evidence supporting those claims remains contested. The ease with which Azdoufal discovered the vulnerability also raises questions about the security of AI-powered coding tools, which could potentially lower the barrier to entry for exploiting software flaws.

Market research firm Parks Associates estimated in 2020 that 54 million U.S. households had at least one smart home device. The trend towards increased adoption of home robots, including more advanced humanoid models from companies like Tesla and Figure, suggests that the stakes will only continue to rise. As these robots become more sophisticated and integrated into our lives, they will require increasing access to sensitive data about our homes and routines, creating a potentially attractive target for malicious actors.

Azdoufal, however, maintains that his actions did not constitute “hacking,” but rather the accidental discovery of a significant security flaw. He successfully achieved his initial goal of controlling his Romo vacuum with a joystick.
