A Weekend Project Gone Viral: How One Man Accidentally Took Control of 7000 DJI Robot Vacuums
February 23, 2026 | Technology & Cybersecurity
Sammy Azdoufal had a simple weekend goal: connect a PlayStation 5 controller to his brand-new DJI Romo robot vacuum, just because he thought it would be fun.
What happened next became one of the most striking smart-home security stories of 2026 — and a cautionary tale for the entire IoT industry.
From Hobby Project to Global Privacy Incident
Azdoufal, who leads AI strategy at a vacation rental company, purchased the DJI Romo — DJI’s first consumer robot vacuum, retailing at around $2,000 — shortly after its European launch. To get his PS5 gamepad working with the device, he needed to understand how the Romo communicated with DJI’s cloud servers. He turned to Claude Code, Anthropic’s AI-powered coding assistant, to reverse-engineer the communication protocol used by the DJI mobile app.
The plan was modest. The outcome was not.
When his custom application connected to DJI’s backend, it didn’t just see his vacuum. It received responses from approximately 7,000 DJI Romo devices across 24 countries. In under nine minutes, his laptop had catalogued those devices and collected over 100,000 device messages — all using nothing more than his own device’s authentication token.
“I found my device was just one in an ocean of devices,” Azdoufal told The Verge, which first reported the story on February 14th. “I didn’t infringe any rules. I didn’t bypass, crack, or brute-force anything.”
What the Vulnerability Exposed
The access Azdoufal stumbled onto was not passive. Using only a 14-digit serial number provided by The Verge journalist Thomas Ricker, he was able to:
- View live camera feeds from inside strangers’ homes
- Listen through onboard microphones in real time
- Generate accurate 2D floor plans of homes as the vacuums cleaned
- Track cleaning routes and obstacle data — revealing when residents were home and how they moved through their spaces
- Remotely drive vacuums in other people’s houses
- Geolocate devices using their IP addresses
In a live demonstration witnessed by a Verge reporter, Azdoufal pinpointed Ricker’s robot mid-clean, confirmed its battery was at 80%, and produced an accurate floor plan of his colleague’s home — all from Barcelona.
The Technical Failure
The root cause was straightforward but damaging. DJI’s MQTT message broker — a standard protocol used in IoT devices to route messages between devices and servers — had no topic-level access controls (ACLs). MQTT works by letting devices publish messages to “topics” and allowing subscribers to receive those messages. Proper security requires the broker to enforce strict rules about which clients can subscribe to which topics.
DJI’s broker had no such controls. When Azdoufal authenticated with his own device token, he subscribed to a wildcard topic (#) and the broker handed him the real-time data of every DJI Romo on the planet.
As Azdoufal explained: once you are an authenticated client on the MQTT broker, the absence of proper access controls means you can see all messages from all devices at the application layer. TLS encryption — which DJI correctly maintained was always in place — only protects data in transit. It does nothing to prevent an authenticated user from seeing other people’s data once connected.
Even DJI’s pre-production servers in the US, China, and EU were accessible during his testing, though he said his tool wiped collected data every time it closed.
DJI’s Response: Fast Fix, Rocky Rollout
DJI’s handling of the disclosure drew as much attention as the vulnerability itself. When The Verge and Azdoufal first contacted the company, spokesperson Daisy Kong issued a statement declaring that the vulnerability had already been resolved. That statement arrived approximately 30 minutes before Azdoufal demonstrated live access to thousands of vacuums — including the journalist’s own review unit — still actively reporting in.
DJI later issued a fuller statement acknowledging the backend permission verification flaw and confirming two patches:
“DJI discovered a vulnerability affecting DJI Home in late January through an internal review and immediately began remediation. The issue was resolved with two updates; the first patch was deployed on February 8th, and the subsequent update was completed on February 10th. The fix was automatically deployed without any user intervention.”
The company maintained that TLS encryption was never compromised and that communication between devices and servers was always encrypted. It also stated that the actual probability of unauthorized access by malicious actors was extremely low, noting that nearly all identified related behaviors were tests by Azdoufal himself for reporting purposes.
Vulnerabilities Still Unresolved
Despite the patches, the story did not end on February 10th. Azdoufal told The Verge that at least two additional vulnerabilities remain beyond those addressed by DJI’s fixes.
One has been disclosed publicly: a PIN bypass that allows a user to view their own Romo camera stream without entering the required security code. The second vulnerability was deemed serious enough by The Verge that the outlet agreed not to describe it publicly while DJI works on a fix. DJI said it expects to resolve the remaining issue within weeks — a timeline critics note is uncomfortably long for a camera-equipped device that autonomously maps the interior of people’s homes.
Broader Implications
The incident arrives against a backdrop of growing scrutiny over smart-home privacy and IoT security. DJI, already banned from selling new products in the US market over national security concerns related to its drone business and Chinese government ties, faces heightened pressure to demonstrate that its consumer devices can be trusted with sensitive household data.
Security researcher Kevin Finisterre, who has tracked DJI’s security practices for nearly a decade, noted that a strikingly similar category of failure — broken server-side access controls — occurred in a DJI breach back in 2017. That incident exposed customer data through credentials left in public code. Nearly nine years later, home cameras were exposed because the MQTT broker had no ACLs. Encryption was intact both times. The permission model was broken both times.
The Romo breach also raised pointed questions about the device’s design. The vacuum includes both a camera and a microphone. Azdoufal, reflecting on full access to audio feeds from inside people’s homes, put it plainly: “It’s so weird to have a microphone on a freaking vacuum.”
For users with DJI Romo devices, the February patches were deployed automatically and require no manual action. DJI has stated there is no evidence of malicious exploitation of the vulnerability prior to its remediation.
The broader lesson, however, belongs to the entire smart-home industry: encryption protects the pipe. It does not protect what’s inside the pipe from a broken permission model. As more homes fill with cameras, microphones, and AI-powered robots, that distinction matters more than ever.
Sources: The Verge (Feb. 14 & 17, 2026), Popular Science, Malwarebytes, TechRadar, Android Headlines, Inc., DJI official statement.
