DJI Robot Hack: Engineer Gains Access to 7,000 Vacuum Cleaners

by Anika Shah - Technology

DJI Romo Robot Vacuum Security Flaw Exposed, Affecting Thousands of Devices

A security vulnerability in the DJI Romo robot vacuum allowed a software engineer to remotely access and control approximately 7,000 devices worldwide, raising concerns about the security of connected home devices. The issue, discovered in February 2026, stemmed from a backend permission validation problem affecting communication between the robot vacuum and DJI’s servers.

Accidental Discovery

Sammy Azdoufal, head of AI at a vacation property management company, stumbled upon the security flaw while attempting to control his newly purchased DJI Romo vacuum with a PlayStation 5 controller. Using the AI coding assistant Claude Code, he reverse-engineered the communication between the Romo and DJI’s servers to obtain a security token. The Verge reports that this token unexpectedly granted access to a vast network of other Romo devices.

Extent of the Access

Azdoufal found he could access a wealth of data from the compromised devices, including:

  • Cleaning routes
  • Battery status
  • Obstacles encountered during cleaning
  • 2D floor plans generated by the robot’s sensors
  • Live camera and microphone feeds
  • IP addresses, potentially revealing approximate device locations

He emphasized that his intention was not malicious, stating, “I didn’t break any rules, didn’t cheat system, does not hack, or does not force entry against the DJI system.” (The Guardian)

DJI’s Response

Upon being notified of the vulnerability by Azdoufal and The Verge, DJI acknowledged a “backend permission validation issue affecting MQTT-based communication between the device and the server.” The company stated the issue could potentially allow unauthorized access to live video feeds from the devices. TechRadar reports that DJI is actively working to patch the security vulnerabilities.
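
What a missing permission check on MQTT topics can look like, next to a corrected check, as an added example (not DJI's code and not from the original reporting). The `devices/<serial>/<channel>` topic layout, the serials and the function names are assumptions constructed for illustration.

```python
# Added example. Hypothetical topic layout: devices/<serial>/<channel>.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Outcome of validating a client token (constructed for this example)."""
    authenticated: bool
    device_serial: str  # the single device the token was issued for

def weak_authorize(session: Session, topic_filter: str) -> bool:
    """Flawed check: any valid token may subscribe to any topic filter."""
    return session.authenticated

def strict_authorize(session: Session, topic_filter: str) -> bool:
    """Allow a filter only if every topic it can match belongs to the token's device."""
    if not session.authenticated:
        return False
    levels = topic_filter.split("/")
    # The first two levels must be literal. A wildcard there ("#" or "+")
    # would span topics belonging to other devices.
    if len(levels) < 3 or levels[0] != "devices" or levels[1] != session.device_serial:
        return False
    # Wildcards below the device's own prefix are acceptable if well-formed.
    for i, level in enumerate(levels[2:], start=2):
        if level == "#" and i != len(levels) - 1:
            return False  # "#" is only valid as the final level
        if level not in ("#", "+") and ("#" in level or "+" in level):
            return False  # a wildcard must occupy a whole level
    return True

def audit(session: Session, filters: list[str]) -> list[str]:
    """Return the filters the weak check accepts but the strict check denies."""
    return [f for f in filters
            if weak_authorize(session, f) and not strict_authorize(session, f)]

# Constructed sample subscription requests from the owner of device SN-A.
OWNER = Session(authenticated=True, device_serial="SN-A")
REQUESTS = [
    "devices/SN-A/status",     # own device, literal topic
    "devices/SN-A/#",          # own device, everything below it
    "devices/SN-B/camera",     # another device
    "devices/+/camera",        # single-level wildcard across all devices
    "devices/#",               # multi-level wildcard across all devices
    "#",                       # entire broker
]

if __name__ == "__main__":
    for f in audit(OWNER, REQUESTS):
        print("weak check would have allowed:", f)
```

The same per-device check has to run on publish as well as subscribe, and on the broker or backend rather than in the client app.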

Implications and Concerns

This incident highlights the growing security risks associated with the proliferation of Internet of Things (IoT) devices in homes. The ease with which Azdoufal gained access to thousands of devices underscores the importance of robust security measures in the design and implementation of these products. The potential for unauthorized access to camera and microphone feeds raises significant privacy concerns for users.

Key Takeaways

  • A security flaw in the DJI Romo robot vacuum allowed access to approximately 7,000 devices.
  • The vulnerability was discovered accidentally by a software engineer attempting to connect a PS5 controller.
  • Compromised data included live video feeds, floor plans, and device locations.
  • DJI has acknowledged the issue and is working on a fix.
  • This incident emphasizes the need for stronger security in IoT devices.
