Technology Risk | 3 min read | February 25, 2026 | Brandon Thomas, Managing Partner

IoT Devices Are Not As Secure As You Think

A software engineer accidentally gained control of 7,000 DJI robot vacuums across 24 countries — including live camera feeds, microphone audio, and 2D floor plans — exposing how AI coding tools are lowering the barrier for IoT security probing.


On or about February 10, 2026, software engineer Sammy Azdoufal publicly disclosed that while building a personal project to control his DJI Romo robot vacuum with a PS5 gamepad, he inadvertently gained operational control of approximately 7,000 DJI Romo vacuum robots deployed in private homes across 24 countries. The access included live camera feeds, microphone audio, 2D floor plan data, cleaning schedules, device status, and approximate geolocation via IP address.

The access was not the result of breaking encryption, brute-forcing passwords, or stealing credentials. A permission-validation failure in DJI's cloud backend treated a single device's authentication token as a master key: the backend confirmed that the token was genuine but did not check that it authorized the particular device being addressed, so one ordinary token granted owner-level access to the entire fleet. That is a server-side authorization flaw of the kind the OWASP API Security Top 10 calls broken object-level authorization. Azdoufal used Anthropic's Claude Code AI assistant to reverse-engineer the Romo's communication protocol, but the protocol work only exposed the flaw; the flaw itself lived entirely on DJI's servers.

DJI has since stated that the issue was patched in two updates, on February 8 and 10, though the researcher demonstrated continued access to thousands of devices after DJI's initial claim of remediation. Additional vulnerabilities reportedly remain unresolved, including the ability to stream video feeds without the security PIN and at least one flaw withheld from disclosure because of its severity. All user data was reportedly stored in plain text on DJI's servers.

Read the full story at The Verge.

Why Is This Incident Significant?

This incident is notable not only for the severity of the vulnerability but for how it was found. Azdoufal is not a security researcher. He is a tech strategist at a vacation rental company who used an AI coding assistant to reverse-engineer a commercial protocol as a weekend hobby project.

This dramatically illustrates a shift that cybersecurity experts have been warning about: AI coding tools are lowering the barrier for advanced security probing. The population of individuals capable of testing IoT protocols has expanded far beyond professional penetration testers and academic researchers. A motivated hobbyist with a consumer AI tool can now perform the kind of protocol analysis that previously required specialized expertise.

What Should You Do Next?

  1. Audit smart home devices in principal residences and executive homes. Identify any DJI products (vacuums, drones) and Chinese-manufactured robot vacuums (Ecovacs, Dreame, Narwal, Roborock), but do not stop at the vendor list: inventory every device that has a camera or microphone and keeps a persistent connection to a vendor cloud, because that combination is what turned a backend bug into a surveillance capability in this case.

  2. Network-isolate IoT devices. Place all robot vacuums and smart home devices on a segregated VLAN that cannot initiate connections to the primary home or office network (replies to connections the main network opens toward a device are fine). Block outbound internet access for devices where cloud connectivity is not essential to core function, and test afterwards: many consumer devices lose app control, or refuse to run at all, when cut off from their vendor cloud.

  3. Disable cameras and microphones on robot vacuums where possible. Many devices offer partial functionality without camera access. Accept the trade-off in obstacle avoidance performance for the elimination of surveillance risk.

  4. For properties hosting sensitive meetings or discussions, power down or physically remove connected robots from areas where confidential conversations occur.
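Step 2 in concrete form, as an added example that is not part of this article and not code from DJI or the researcher: a POSIX shell script that generates (and, as root, can load) an nftables ruleset for a Linux router. It assumes a router running nftables; the interface names br-lan, vlan20 and wan0, the table and set names, and the device addresses are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article): nftables rules that isolate an IoT VLAN
# from the main LAN and cut outbound internet for selected devices.
# Assumptions: a Linux router running nftables; the interface names and
# addresses below are placeholders, not taken from any real deployment.
set -eu

LAN_IF="${LAN_IF:-br-lan}"   # assumed: interface of the trusted home/office LAN
IOT_IF="${IOT_IF:-vlan20}"   # assumed: interface of the segregated IoT VLAN
WAN_IF="${WAN_IF:-wan0}"     # assumed: upstream (internet) interface

# iot_ruleset LAN_IF IOT_IF WAN_IF "ADDR ADDR ..."
# Prints an nft ruleset. The fourth argument lists IoT addresses that get no
# internet at all (devices whose cloud link is not essential); it may be empty.
iot_ruleset() {
    lan_if=$1; iot_if=$2; wan_if=$3; offline_hosts=$4

    # Build "a, b, c" for the nft set literal; an empty list yields an empty set.
    elements=""
    for h in $offline_hosts; do
        elements="${elements:+$elements, }$h"
    done
    if [ -n "$elements" ]; then
        elements_line="        elements = { $elements }"
    else
        elements_line=""
    fi

    cat <<EOF
table inet iot_isolation {
    set no_internet {
        type ipv4_addr
$elements_line
    }
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to connections the LAN opened (e.g. a phone app talking to a
        # vacuum locally) are allowed; the IoT side can never open one itself,
        # because a new IoT-to-LAN packet is not "established" and hits the drop.
        ct state established,related accept

        # The IoT VLAN may not initiate anything toward the trusted LAN.
        iifname "$iot_if" oifname "$lan_if" log prefix "iot-to-lan: " drop

        # Listed devices additionally get no outbound internet at all.
        iifname "$iot_if" oifname "$wan_if" ip saddr @no_internet log prefix "iot-egress: " drop
    }
}
EOF
}

# apply_iot_ruleset "ADDR ADDR ..."  loads the generated ruleset (needs root).
apply_iot_ruleset() {
    iot_ruleset "$LAN_IF" "$IOT_IF" "$WAN_IF" "$1" | nft -f -
}

# Stand-alone run: print the ruleset for review instead of loading it.
# The two addresses are constructed examples of devices to keep offline.
iot_ruleset "$LAN_IF" "$IOT_IF" "$WAN_IF" "192.168.20.50 192.168.20.51"
```

Review the printed ruleset, then load it with apply_iot_ruleset. Loading the same ruleset twice appends duplicate rules, so run `nft delete table inet iot_isolation` before reloading. Two caveats the article's step does not spell out: discovery protocols such as mDNS do not cross VLANs, so the phone app may only reach the vacuum through the vendor cloud once it is isolated; and a device in the no_internet set may stop accepting commands entirely, which is the trade-off step 2 asks you to accept.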

Key Takeaways

  • A single hobbyist accidentally accessed 7,000 robot vacuums worldwide — including cameras, microphones, and floor plans — due to a server-side permission failure
  • AI coding tools are dramatically lowering the barrier for anyone to probe IoT device security, expanding the threat surface beyond professional researchers
  • DJI’s cloud stored user data in plain text and initial patches failed to fully remediate the vulnerability
  • Network isolation of IoT devices is no longer optional — smart home devices should be on segregated VLANs away from sensitive systems
  • Physical removal of connected devices from sensitive areas is the most reliable protection during confidential discussions
