PS5 Hack Controls Thousands of Robot Vacuums: DJI Romo Security Flaw

by Marcus Liu - Business Editor

DJI Romo Hack Exposes Security Flaws in Robot Vacuum

A security vulnerability in DJI’s Romo robot vacuum allowed a researcher to gain access to over 7,000 devices worldwide, highlighting the potential privacy risks associated with connected home devices. The incident, initially a personal experiment, quickly revealed a significant flaw in DJI’s server authentication process.

How the Takeover Happened

Sammy Azdoufal, an AI strategy director and app developer, was attempting to control his newly purchased DJI Romo with a PlayStation 5 (PS5) controller for convenience and enjoyment. He created a custom remote-control app, utilizing AI assistance to reverse-engineer DJI’s communication protocols. Instead of controlling only his device, the server mistakenly granted him access to nearly 7,000 active DJI Romo units globally.

Extent of the Security Breach

The access wasn’t limited to remote control. Azdoufal could also access the robots’ microphones and speakers, effectively gaining live audio access to thousands of homes. He could determine the approximate location of each robot via its IP address and generate 2D maps of the rooms they were cleaning. Crucially, Azdoufal stated he did not need to bypass any security measures; the server accepted the authentication token from a single Romo as valid for all devices.

DJI’s Response and the Underlying Issue

DJI addressed the major security flaw on February 11, 2026. The vulnerability stemmed from a permissions validation issue in the backend MQTT (Message Queuing Telemetry Transport) system. The incident underscores the security challenges inherent in IoT devices and the potential for sensitive data collection by smart home appliances.
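
As an added illustration (not DJI's code and not part of the original reporting), the Python sketch below contrasts a broker check that only authenticates the token with one that also ties each MQTT topic filter to the device the token was issued to. The `devices/<device_id>/<channel>` topic layout, the token table and all function names are assumptions made for the example.

```python
# Added illustration. Assumptions (not DJI's scheme): topics look like
# "devices/<device_id>/<channel>" and each token is issued to one device.

# Constructed sample data: token -> device id it was issued to.
TOKENS = {"tok-A": "romo-0001", "tok-B": "romo-0002"}


def authorize_weak(token: str, topic_filter: str) -> bool:
    """Simplified model of the flaw: authentication without authorization.

    Any valid token is accepted for any topic, so one device's credential
    works for every device on the broker.
    """
    return token in TOKENS


def authorize_scoped(token: str, topic_filter: str) -> bool:
    """Authenticate the token, then authorize the topic filter per device."""
    device_id = TOKENS.get(token)
    if device_id is None:
        return False
    levels = topic_filter.split("/")
    # Require the literal prefix devices/<own id>. An MQTT wildcard ('+' or
    # '#') in the first two levels would span other devices and never matches.
    if len(levels) < 3 or levels[0] != "devices" or levels[1] != device_id:
        return False
    # Wildcards are allowed only inside the device's own subtree; '#' must be
    # a whole level and the last one, '+' must be a whole level.
    for i, level in enumerate(levels[2:], start=2):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return True


def audit(token: str, filters: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {filter: (weak_decision, scoped_decision)} for comparison."""
    return {f: (authorize_weak(token, f), authorize_scoped(token, f))
            for f in filters}


if __name__ == "__main__":
    sample = ["devices/romo-0001/status", "devices/romo-0002/audio",
              "devices/+/map", "#", "devices/romo-0001/#"]
    for f, (weak, scoped) in audit("tok-A", sample).items():
        print(f"{f:28} weak={weak!s:5} scoped={scoped}")
```

The wildcard cases matter as much as the direct cross-device topic: a check that compares only exact topic names still lets a subscription to `#` or `devices/+/...` cross the device boundary.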

Implications and Future Concerns

This incident highlights the importance of robust security measures in connected devices. Robot vacuums, equipped with cameras, microphones, and mapping capabilities, collect significant amounts of personal data. A security breach of this nature could have severe consequences if exploited by malicious actors. The case also extends to other DJI products, as even DJI Power portable power stations were reporting diagnostics and status information through the same vulnerable system.

Key Takeaways

  • A simple attempt to connect a PS5 controller to a DJI Romo robot vacuum led to a widespread security breach.
  • Over 7,000 devices were compromised, granting unauthorized access to cameras, microphones, and location data.
  • The vulnerability was caused by a flawed authentication process on DJI’s servers.
  • DJI has since patched the security flaw.
  • The incident emphasizes the critical need for stronger security protocols in IoT devices.
