DJI Romo vacuum hack reveals global security risks
Spanish software engineer Sammy Azdoufal modified his DJI Romo robot vacuum to respond to a PlayStation 5 controller. He used AI tool Claude to reverse-engineer the DJI app's MQTT communication protocol with company servers. A backend authentication flaw let his device token access roughly 7000 vacuums and power stations across more than 20 countries.
Azdoufal viewed live camera streams, microphone audio, 3D floor plans, precise locations, battery levels, cleaning progress, and obstacle reports from strangers' homes. A Verge journalist shared a test vacuum's serial number; Azdoufal pulled its real-time data within minutes, including room scans. In one demo, about 6700 devices reported current rooms, cleaning operations, hurdles faced, and charging spots.
Azdoufal alerted DJI, which patched the main vulnerability by February 24, 2026, blocking cross-device access. The company revoked his token, including for his own unit, and pulled the Romo model from its store two days later. Some issues persist, like PIN overrides for camera views.
The flaw used weak device-agnostic authentication in MQTT messaging. No misuse occurred, but experts warn connected home gadgets with cameras and mics pose privacy threats. Prior incidents include 2024 Ecovacs Deebot hacks in U.S. cities, where intruders remotely drove vacuums and played slurs.
