A software engineer has uncovered a serious security vulnerability in DJI robot vacuum cleaners after attempting to control his device with a PlayStation 5 controller. Sammy Azdoufal, head of AI strategy at a holiday rental company, inadvertently exposed a backend security flaw that granted him access to data from nearly 7,000 robot vacuum cleaners across 24 countries, according to reports published by the Verge.
The discovery occurred when Azdoufal used an AI coding assistant called Claude Code to reverse-engineer how his DJI Romo vacuum cleaner communicated with the company’s remote cloud servers. While working on this project, he found that he had gained unauthorized access to live camera feeds, microphone audio, and floor maps from thousands of other devices.
Robot Vacuum Security Breach Exposes Thousands of Devices
To verify the extent of the vulnerability, Azdoufal demonstrated his findings to the Verge. A reporter provided the serial number of a DJI Romo vacuum cleaner they were testing for review. Within minutes, Azdoufal could observe the device cleaning the reporter’s living room, see that its battery stood at 80%, and generate a complete floor plan of the residence.
The incident highlights growing concerns about smart home devices and their vulnerability to hacking. Connected household appliances with cameras and microphones can become surveillance tools if security measures are inadequate or compromised.
Company Response to Security Flaw
DJI (Shenzhen Da-Jiang Innovations Sciences and Technologies Ltd), the Chinese technology company, initially told the Verge that the security problem had been resolved. However, according to Azdoufal, the company had not addressed all the vulnerabilities he discovered during his initial investigation.
Following publication of the Verge’s report, DJI contacted Popular Science to reiterate that the issue had been “resolved.” The company has not provided detailed information about the specific measures taken to secure the robot vacuum cleaners or prevent similar breaches in the future.
Smart Home Device Vulnerabilities Raise Privacy Concerns
This discovery underscores the risks associated with internet-connected home appliances. Robot vacuum cleaners equipped with cameras and mapping technology collect detailed information about home layouts and daily routines. When these devices communicate with cloud servers, any security weakness can expose sensitive data to unauthorized parties.
Additionally, the incident demonstrates how relatively accessible AI tools and coding assistants can enable individuals to uncover security flaws in consumer technology. While Azdoufal’s intentions were benign, the same vulnerabilities could be exploited by malicious actors seeking to conduct surveillance or gather private information.
Security experts have long warned about the expanding attack surface created by smart home ecosystems. Each connected device represents a potential entry point for hackers, particularly when manufacturers prioritize convenience and features over robust security protocols.
Implications for Connected Device Security
The robot vacuum security breach raises questions about how thoroughly manufacturers test their products for vulnerabilities before release. It also highlights the importance of regular security updates and transparent communication with customers when flaws are discovered.
In contrast to traditional appliances, smart home devices continuously transmit data to manufacturer servers, creating ongoing privacy considerations. Consumers often remain unaware of exactly what information their devices collect or who might have access to that data.
The extent to which other manufacturers’ robot vacuum cleaners or smart home devices may contain similar vulnerabilities remains unclear. Industry-wide security standards for connected home appliances continue to evolve as these products become increasingly common in households worldwide.
DJI has not announced whether it will conduct additional security audits of its robot vacuum product line or provide customers with more detailed information about the resolution of these vulnerabilities. The company has also not confirmed whether any unauthorized access to customer devices occurred before the flaw was addressed.













