
A significant security vulnerability in DJI’s Romo robot vacuum platform revealed the risks that accompany connected home devices. The flaw came to light when software strategist Sammy Azdoufal attempted to build a custom application that would allow him to drive his own Romo vacuum with a PlayStation controller. Instead of connecting only to his device, his program unexpectedly gained access to thousands of other vacuums worldwide, The Verge reports.
Azdoufal discovered that approximately 7,000 Romo devices across multiple countries responded to his app as if he were their authorized operator. Through this access, he could view live camera feeds, monitor cleaning activity, and generate detailed floor maps of homes. Telemetry data such as battery status, device serial numbers, and cleaning routes were also visible, highlighting how much sensitive information these smart appliances routinely transmit to cloud servers.
The issue stemmed from a weakness in DJI’s cloud infrastructure rather than a problem with encryption. Romo vacuums communicate with DJI’s servers using MQTT, a lightweight messaging protocol widely used in Internet-of-Things devices. However, the company’s backend permission system failed to restrict data access properly. Once Azdoufal authenticated with the token from his own vacuum, the server granted visibility into messages from other devices as well.
Importantly, Azdoufal said he did not bypass security mechanisms or exploit the system intentionally. He simply used legitimate credentials from his own device, which inadvertently acted as a key to a much larger network of vacuums. The discovery underscored how poorly implemented access controls in cloud services can expose private data even when communications are encrypted.
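The failure described above is an authorization gap: the broker confirmed that a token was valid but never checked whether the topics a client asked for belonged to that client's own device. The following is an added example (not DJI's code) of a device-scoped MQTT subscription check beside the "authenticated is enough" check that produces exactly this kind of cross-device exposure; the `devices/<serial>/...` topic layout and the names are assumptions made for the illustration.

```python
"""Device-scoped MQTT subscription authorization (added example).

Hypothetical topic layout: devices/<serial>/<channel>, e.g.
devices/ROMO-0001/telemetry. MQTT filters may use '+' (one level)
and '#' (all remaining levels, only valid as the last level).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity bound to an authenticated connection (constructed)."""
    client_id: str
    device_serial: str  # serial proven by the device's own token


def parse_filter(sub_filter: str) -> list[str]:
    """Split a subscription filter into levels, rejecting malformed wildcards."""
    levels = sub_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError(f"invalid use of '#' in {sub_filter!r}")
        if "+" in level and level != "+":
            raise ValueError(f"invalid use of '+' in {sub_filter!r}")
    return levels


def authenticated_only_allowed(session: Session, sub_filter: str) -> bool:
    """Weak check: any valid session may subscribe to any filter.

    This is the behaviour the article describes: one device's token
    becomes a key to every device's messages, including 'devices/#'.
    """
    return bool(session.device_serial)


def device_scoped_allowed(session: Session, sub_filter: str) -> bool:
    """Strong check: allow only filters that can never match another device.

    The first two levels must be the literal 'devices' and the caller's
    own serial; a '+' or '#' in the serial position would match other
    devices' topics and is therefore refused.
    """
    try:
        levels = parse_filter(sub_filter)
    except ValueError:
        return False
    if len(levels) < 2:
        return False
    return levels[0] == "devices" and levels[1] == session.device_serial
```

The same rule applies to publish requests, where the topic has no wildcards but must still be pinned to the caller's own serial.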
After the vulnerability was reported, DJI acknowledged the issue and deployed two server-side patches in early February 2026 to close the security gap. The company stated that the updates resolved the permission problem and that there was no evidence of widespread malicious use. Nevertheless, the incident has raised broader concerns about privacy and security in the rapidly expanding smart-home ecosystem.