The DJI Romo robovac had security so poor, this man remotely accessed thousands of them

DJI Romo Vacuum Security Flaw Exposes Thousands of Homes to Remote Access

In a revelation that has sent ripples through the smart home industry, a security researcher has uncovered a critical vulnerability in DJI’s Romo robot vacuum that potentially exposed thousands of households worldwide to unauthorized surveillance and control. What began as a hobbyist’s experiment to control his new vacuum with a PlayStation 5 controller has exposed what experts are calling a “catastrophic” security failure in a smart home product from one of the world’s leading drone manufacturers.

The Discovery That Started It All

Sammy Azdoufal, an AI strategy professional at a vacation rental company, wasn’t looking to expose a global security crisis when he purchased his DJI Romo vacuum cleaner. His goal was simple: he wanted to see if he could control the device using his PS5 gamepad, purely for the novelty and fun of it. However, what he discovered when his custom-built remote control application connected to DJI’s servers was far more alarming than he could have imagined.

Instead of communicating with just his single device, Azdoufal’s application began receiving responses from approximately 7,000 DJI Romo vacuums scattered across 24 different countries. The scale of this unintended access was staggering – within minutes, his laptop had cataloged over 6,700 devices and collected more than 100,000 data packets, each containing sensitive information about the robots’ locations, activities, and even detailed floor plans of private residences.

Unprecedented Access to Private Spaces

The level of access Azdoufal achieved was nothing short of extraordinary. With nothing more than a 14-digit serial number, he could remotely control any DJI Romo vacuum, view its live camera feed, listen through its microphone, and even watch as the device generated detailed 2D floor plans of homes in real time. The vacuum’s mapping capabilities, designed to help the robot navigate efficiently, became a tool for creating comprehensive blueprints of people’s living spaces.

Azdoufal demonstrated this capability by using a colleague’s DJI Romo serial number, instantly accessing information about the robot’s current location, battery level, and cleaning status. Within minutes, he was watching the device create an accurate map of his colleague’s home, complete with room dimensions and layouts. He could even wave to the robot’s camera from his own living room while his colleague watched remotely, all without needing the device’s security PIN.

The Technical Breakdown: How It Happened

What makes this vulnerability particularly concerning is how Azdoufal achieved this access. He claims he didn’t hack into DJI’s servers, bypass security measures, or engage in any form of unauthorized system penetration. Instead, he simply extracted his own DJI Romo’s private token – the digital key that authenticates a user’s right to access their own device data – and discovered that DJI’s servers were granting him access to thousands of other devices using the same authentication mechanism.

The vulnerability existed in DJI’s MQTT (Message Queuing Telemetry Transport) communication system, which the company uses to relay data between devices and servers. Azdoufal found that once a client had authenticated, the broker enforced no topic-level access controls, so a subscription to a wildcard topic returned messages from every device in plaintext at the application layer. TLS protected the data only while it was in transit to DJI’s servers; once the broker relayed a message to any authenticated subscriber, nothing stopped that subscriber from reading it.

DJI’s Response: Too Little, Too Late?

When Azdoufal and The Verge initially contacted DJI about the vulnerability, the company claimed it had already resolved the issue. However, this statement proved to be premature and misleading. The initial patch, deployed on February 8th, only addressed part of the problem and had not been applied universally across all service nodes. It wasn’t until February 10th, after The Verge confirmed that issues were still present, that DJI completed the full remediation.

The company’s delayed and incomplete response has raised serious questions about its security practices and transparency. DJI’s statement to The Verge admitted to a “backend permission validation issue” but attempted to downplay the severity by claiming that actual occurrences of unauthorized access were “extremely rare” and that most identified activity was linked to security researchers testing their own devices.

Broader Implications for Smart Home Security

This incident is not isolated to DJI. The smart home industry has a troubling history of security failures, with similar vulnerabilities discovered in products from major manufacturers. In 2024, hackers took over Ecovacs robot vacuums to chase pets and broadcast racist slurs. In 2025, South Korean government agencies reported flaws in Dreame’s X50 Ultra that could allow real-time camera feed viewing, along with similar issues in other Ecovacs and Narwal models.

The DJI Romo case highlights several critical issues in smart home security:

  1. Inadequate Authentication Systems: The fact that a single authentication token could grant access to thousands of devices suggests fundamental flaws in how these systems verify user identity and permissions.

  2. Lack of Proper Access Controls: The absence of topic-level access controls in DJI’s MQTT system allowed unauthorized access to all device data once initial authentication was achieved.

  3. Insufficient Security Testing: The scale of this vulnerability suggests that DJI’s security testing procedures failed to identify what should have been an obvious security flaw.

  4. Transparency Issues: DJI’s initial claim that the issue was resolved, followed by the discovery that it was only partially fixed, raises concerns about the company’s commitment to transparency and user safety.
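As an added example (not DJI’s code or the researcher’s), this is the control that the technical breakdown above and point 2 of this list say was missing: a broker-side topic authorizer that binds each authenticated token to one device serial and refuses any subscription filter that could match another device. The `devices/<serial>/...` topic layout and the token-to-serial mapping are assumptions constructed for illustration; with enforcement switched off, the last function reproduces how one valid token plus a wildcard filter fans out to every device.

```python
"""Per-device MQTT topic authorization.

Added example (not DJI's code): a client whose token is bound to one device
serial may only subscribe to that device's topics, and wildcard filters that
could match other devices are refused. The 'devices/<serial>/...' topic
layout and the token-to-serial mapping are assumptions for illustration."""

# Constructed sample data: connect-time tokens bound to a single serial, and
# the topics several devices are publishing on.
TOKEN_TO_SERIAL = {"tok-alice": "ROMO00000000001", "tok-bob": "ROMO00000000002"}
SAMPLE_TOPICS = [
    "devices/ROMO00000000001/telemetry",
    "devices/ROMO00000000001/map/floorplan",
    "devices/ROMO00000000002/telemetry",
    "devices/ROMO00000000002/camera/stream",
]


def topic_matches(filter_: str, topic: str) -> bool:
    """Standard MQTT matching: '+' matches one level, '#' the remainder."""
    f, t = filter_.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def filter_confined_to(filter_: str, prefix: str) -> bool:
    """True only if every topic the filter can match lies under `prefix`.
    The prefix levels must appear literally: a '+' or '#' in the serial
    position would match other devices, which is exactly the hole described."""
    f, p = filter_.split("/"), prefix.split("/")
    return len(f) >= len(p) and all(a == b for a, b in zip(f, p))


def authorize_subscribe(token: str, filter_: str) -> bool:
    """Broker-side check run before a SUBSCRIBE is accepted."""
    serial = TOKEN_TO_SERIAL.get(token)
    return serial is not None and filter_confined_to(filter_, f"devices/{serial}")


def visible_topics(token, filter_, published, enforce_acl=True):
    """Topics a subscriber with `filter_` would receive. enforce_acl=False
    reproduces the failure mode: one valid token plus 'devices/#' sees every
    device's messages in plaintext, TLS notwithstanding."""
    if enforce_acl and not authorize_subscribe(token, filter_):
        return []
    return [t for t in published if topic_matches(filter_, t)]
```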

Expert Analysis and Industry Reaction

Security researchers who have examined the DJI Romo vulnerability are calling it one of the most significant smart home security failures in recent years. Kevin Finisterre, a prominent security researcher, notes that the fact that DJI’s servers are based in the US does nothing to prevent Chinese DJI employees from accessing the data, especially given that Azdoufal was able to access devices in entirely different regions from his location in Barcelona.

The incident has also reignited debates about the security risks associated with Chinese technology companies operating in Western markets. DJI has faced increasing scrutiny and restrictions in the United States, with the company largely forced out of the US market due to national security concerns. This latest security failure will likely be used to justify these fears and potentially accelerate the company’s exit from Western markets.

The Human Element: Privacy Violations on a Massive Scale

Beyond the technical aspects, this vulnerability represents a massive violation of privacy for potentially thousands of households. The ability to view live camera feeds, listen through microphones, and generate detailed floor plans of private residences could be exploited for various malicious purposes, from simple voyeurism to more sophisticated criminal activities like burglary planning.

The presence of microphones in robot vacuums has already been questioned by security experts, with Azdoufal himself noting, “It’s so weird to have a microphone on a freaking vacuum.” This incident underscores the importance of carefully considering what sensors and capabilities are truly necessary in smart home devices and implementing robust security measures to protect the data they collect.

What Consumers Should Do

For consumers who own DJI Romo vacuums or other DJI smart home products, this incident serves as a wake-up call about the potential risks associated with connected devices. While DJI has now implemented fixes for the most critical vulnerabilities, consumers should:

  1. Update Firmware Immediately: Ensure all DJI devices are running the latest firmware versions to benefit from security patches.

  2. Review Privacy Settings: Check and adjust privacy settings on all smart home devices to minimize data collection and sharing.

  3. Consider Device Necessity: Evaluate whether the convenience of smart home devices outweighs the potential privacy and security risks.

  4. Monitor for Unusual Activity: Be vigilant for any signs of unauthorized access or unusual device behavior.

The Future of Smart Home Security

This incident highlights the urgent need for the smart home industry to prioritize security and privacy. As more devices become connected and collect increasingly sensitive data about our daily lives, manufacturers must implement robust security measures from the ground up, rather than treating security as an afterthought.

Industry experts are calling for:

  • Mandatory Security Standards: Government regulation requiring minimum security standards for all connected devices.
  • Regular Security Audits: Independent security audits of smart home devices and their associated cloud services.
  • Improved Transparency: Clear communication from manufacturers about data collection, storage, and security practices.
  • User Control: Greater user control over data collection, sharing, and device functionality.

Conclusion: A Wake-Up Call for the Industry

The DJI Romo security vulnerability represents a significant failure in smart home security that could have had devastating consequences if exploited by malicious actors. While the immediate crisis has been addressed, the incident serves as a stark reminder of the potential risks associated with connected devices and the importance of robust security measures.

As the smart home industry continues to grow and evolve, manufacturers, regulators, and consumers must work together to ensure that convenience doesn’t come at the cost of privacy and security. The DJI Romo case should be a turning point, prompting the industry to prioritize security and implement the changes necessary to protect consumers in an increasingly connected world.
