Most people are content to let their robot vacuum quietly clean the floors. Sammy Azdoufal decided to take things a step further by trying to control his with a video game controller. What began as a simple weekend project soon uncovered a worrying smart-home security flaw.
While building a remote-control app for his DJI Romo robot vacuum, a premium model worth about $2,000, Azdoufal used an AI coding assistant to understand how the device communicated with DJI’s cloud servers. To make his controller work, he needed a security token that confirmed he owned the device. Instead of restricting him to his own vacuum, the server mistakenly granted access to nearly 7,000 other Romo vacuums in homes across 24 countries.
That access included live camera feeds, microphone audio, home floor maps, and approximate locations based on IP addresses. Azdoufal did not exploit the discovery and instead reported it to The Verge, which alerted DJI. The company said it had already identified the vulnerability during an internal review and released patches in early February to fix the issue automatically.
The incident highlights growing concerns around smart-home privacy, as devices like robot vacuums, doorbells, and other connected gadgets collect large amounts of data about people’s homes. With AI tools making it easier to analyse and reverse-engineer technology, security experts warn that vulnerabilities like this may become easier to uncover — raising new questions about just how much our smart devices really know about us.
