Date: 2026-02-25

A software engineer gained control of 7,000 robot vacuums in 24 countries when he built an app to steer the one in his home through a video game controller. He could monitor their live camera feeds and had access to microphone audio, maps, and status data. Sammy Azdoufal owned a DJI robot vacuum and noticed that the credentials he used on his app also allowed him entry to 7,000 other devices, Popular Science reported. The incident exposed a major flaw in robots linked to the internet and the cloud, revealing how quickly they could turn into surveillance tools if compromised without the owner's knowledge. Azdoufal used an AI coding assistant to reverse-engineer how the robot communicated with DJI’s remote cloud servers, and inadvertently ended up getting a peek into other people's homes.

The software engineer shared the issue with The Verge, which then apprised DJI of the security flaw. The company says the problem has been fixed. However, the incident has exposed the vulnerability of such cloud-linked devices. The robot vacuum is a DJI Romo, an autonomous home vacuum that was launched in China last year. It has a range of sensors, just like other robot vacuums. It can be scheduled and controlled via an app.

What went wrong with the DJI robot vacuum?

In Azdoufal's case, to control the vacuum with a video game controller, he needed his app to communicate with DJI’s servers, since some sensor data about the layout of the owner's home is stored there. A token would have been generated to prove he owned the vacuum. However, instead of verifying that token for his one device only, the servers granted access to a small army of robots. This meant he could access their real-time camera feeds and turn on their microphones.
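The failure described above is a valid token being honoured for devices its holder does not own. The following Python example is added here for illustration and is not DJI's code or part of the original article; it contrasts a server check that only authenticates the token with one that also checks the token's owner against each device's ownership record. The device IDs, user names, key and function names are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: a hypothetical server key and ownership table.
SERVER_KEY = b"constructed-demo-key"
OWNERS = {"vac-001": "alice", "vac-002": "bob", "vac-003": "carol"}


def _sign(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Issue a signed token that proves who the caller is."""
    return f"{user}.{_sign(user)}"


def verify_token(token: str):
    """Return the user id if the signature is valid, otherwise None."""
    user, _, sig = token.rpartition(".")
    if user and hmac.compare_digest(sig.encode(), _sign(user).encode()):
        return user
    return None


def can_access_flawed(token: str, device_id: str) -> bool:
    """Authentication only: any valid token reaches any known device."""
    return verify_token(token) is not None and device_id in OWNERS


def can_access_fixed(token: str, device_id: str) -> bool:
    """Authentication plus a per-device ownership check on every request."""
    user = verify_token(token)
    return user is not None and OWNERS.get(device_id) == user


def reachable(check, token: str) -> list:
    """List every device a token can reach under the given check."""
    return sorted(d for d in OWNERS if check(token, d))


if __name__ == "__main__":
    token = issue_token("alice")
    print("flawed:", reachable(can_access_flawed, token))
    print("fixed: ", reachable(can_access_fixed, token))
```

Running `reachable` with a test account's token against the full device list is also a useful regression check: the result should never contain a device that account does not own.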