DJI Romo Robot Vacuum Security Flaw Exposes Thousands of Homes
A security vulnerability in the DJI Romo robot vacuum cleaner allowed a software engineer to inadvertently gain access to live camera feeds, floor plans, and location data from over 7,000 devices worldwide. The incident highlights growing concerns about the security of internet-connected devices and the potential for privacy breaches.
Accidental Access, Widespread Exposure
Sammy Azdoufal, a software engineer and head of AI strategy at a vacation rental firm, discovered the flaw while attempting to control his newly purchased DJI Romo with a PlayStation 5 controller. According to Prism News, he used AI-assisted reverse engineering with Claude Code to build an application that bypassed the standard smartphone app. Instead of limiting control to his own device, the application gave him access to a vast network of Romo vacuums.
According to PetaPixel, Azdoufal was able to view live video from the robots' cameras, access detailed floor plans of users' homes, and approximate the location of devices from their IP addresses. He demonstrated the extent of the access to The Verge by locating and pulling data from a Romo owned by one of its reviewers, Thomas Ricker.
No Malicious Intent, But Significant Risk
Azdoufal maintains that he did not set out to compromise the privacy of Romo owners. As detailed by Tom's Hardware, he said he accessed the data simply by reusing the private token issued to his own device: DJI's servers, including pre-production systems, honored that token for data belonging to other devices rather than restricting it to the device it was issued for. Despite the potential for misuse, Azdoufal contacted DJI to report the vulnerability.
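As an added example (not code from DJI, from Azdoufal, or from any of the outlets cited above), the following Python sketches the class of server-side check at issue: a per-device token that is verified as genuine but never compared against the device whose data is being requested, beside a version that binds the two and also rejects a token whose device id has been edited by hand. The device ids, owner names, token format and signing key are all constructed for the illustration and say nothing about how DJI's backend is actually built.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for two hypothetical devices; the ids, owners
# and values are invented for this example and are not real DJI data.
DEVICE_DATA = {
    "robot-A": {"owner": "alice", "floor_plan": "plan-A", "camera": "feed-A"},
    "robot-B": {"owner": "bob", "floor_plan": "plan-B", "camera": "feed-B"},
}

# Hypothetical server-side signing key, generated fresh for each process.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(device_id: str, nonce: str) -> str:
    """HMAC over the device id and nonce; the device id is part of the input."""
    return hmac.new(SERVER_SECRET, f"{device_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(device_id: str) -> str:
    """Issue a token to one device. Because the device id is covered by the
    MAC, the token carries a verifiable binding to the device it was issued for."""
    nonce = secrets.token_hex(8)
    return f"{device_id}:{nonce}:{_mac(device_id, nonce)}"


def verify_token(token: str):
    """Return the device id the token was issued for, or None if the token is
    malformed or its MAC does not match (tampered or forged)."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    device_id, nonce, mac = parts
    if not hmac.compare_digest(mac, _mac(device_id, nonce)):
        return None
    return device_id


def get_device_data_weak(token: str, requested_device: str) -> dict:
    """Weak authorization: only asks 'is this a genuine token we issued?'.
    Any valid device token can then read any other device's record, which is
    the shape of failure the article describes."""
    if verify_token(token) is None:
        raise PermissionError("invalid token")
    if requested_device not in DEVICE_DATA:
        raise KeyError(requested_device)
    return DEVICE_DATA[requested_device]


def get_device_data_hardened(token: str, requested_device: str) -> dict:
    """Hardened authorization: the token must be genuine AND bound to the
    device whose data is being requested."""
    bound_device = verify_token(token)
    if bound_device is None:
        raise PermissionError("invalid token")
    if not hmac.compare_digest(bound_device.encode(), requested_device.encode()):
        raise PermissionError("token not bound to requested device")
    if requested_device not in DEVICE_DATA:
        raise KeyError(requested_device)
    return DEVICE_DATA[requested_device]


def attempt(check, token: str, requested_device: str) -> str:
    """Run one access check and report the owner of the returned record, or
    'denied' when the check raises PermissionError."""
    try:
        return check(token, requested_device)["owner"]
    except PermissionError:
        return "denied"


def demo() -> dict:
    """Compare both checks for: the caller's own device, another owner's
    device, and a token whose device id was edited by hand (MAC no longer matches)."""
    token = issue_token("robot-A")
    forged = token.replace("robot-A", "robot-B", 1)
    return {
        "weak_own": attempt(get_device_data_weak, token, "robot-A"),
        "weak_other": attempt(get_device_data_weak, token, "robot-B"),
        "weak_forged": attempt(get_device_data_weak, forged, "robot-B"),
        "hardened_own": attempt(get_device_data_hardened, token, "robot-A"),
        "hardened_other": attempt(get_device_data_hardened, token, "robot-B"),
        "hardened_forged": attempt(get_device_data_hardened, forged, "robot-B"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The weak check answers only "was this token issued by us?", so a legitimate owner's token reads every record; the hardened check additionally answers "was it issued for this device?", which is the question an object-level authorization check has to ask on every request. Forging the device id inside the token fails under both checks because the MAC covers it; the weak check's problem is not forgery but the missing comparison.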
DJI’s Response and Lingering Concerns
DJI initially said it had resolved the security issues through software updates, and PetaPixel reports the company stating that the vulnerabilities were fixed. However, Azdoufal told The Verge that the vulnerability persisted even after the updates were applied.
A Wider Pattern of IoT Security Flaws
This incident is not isolated. As reported by The Guardian, Alan Woodward, professor of computer science at the University of Surrey, has noted a broader trend of inadequate security in Internet of Things (IoT) devices: manufacturers often prioritize functionality over security, leaving devices open to exploitation. Lighting systems, locks, security cameras, baby monitors, and heating systems have all been compromised in similar ways.
Preventing Future Vulnerabilities
Woodward recommends that manufacturers require users to set a unique password during initial device setup to reduce the risk of unauthorized access. That step addresses default or shared credentials, but it would not by itself have prevented the flaw described here: Azdoufal used the legitimate token issued to his own device, and DJI's servers accepted it for other owners' data. The fix for that class of problem belongs on the server side, where every request must be checked against the device and account the token was issued for, not merely against whether the token is valid.
Key Takeaways
- A security flaw in the DJI Romo robot vacuum allowed a user to access data from over 7,000 devices.
- The vulnerability was discovered accidentally while attempting to control the vacuum with a PlayStation 5 controller.
- The incident highlights the importance of robust security measures in IoT devices.
- Experts recommend requiring users to set unique passwords during device setup.