The Man Who Accidentally Hacked A Robot Vacuum
A security researcher unintentionally gained control over thousands of connected DJI robot vacuums, exposing microphones, speakers, live camera feeds, home maps, and IP-based location data. What started as a hobby project to control a DJI Romo robot vacuum with a PlayStation 5 DualSense controller escalated into a large-scale cloud authorization failure affecting devices across 24 countries.
The incident highlights systemic weaknesses in IoT backend architecture, access control validation, and cloud-based device orchestration — issues that continue to affect the broader smart home ecosystem.
The Experiment: Controlling A DJI Romo With A PS5 Controller
The incident began as an experimental integration project. Developer Sammy Azdoufal analyzed DJI’s platform with the goal of controlling his DJI Romo robot vacuum using a Sony DualSense wireless controller.
While unconventional, remote manual control is not unprecedented in the robotic vacuum segment. Some models ship with physical controllers that allow users to operate them like RC vehicles. The novelty here was the method — leveraging DJI’s cloud infrastructure rather than local device pairing.
To achieve this, Azdoufal attempted to route commands through DJI’s servers using a custom-built application.
The Escalation: From One Device To Ten Thousand
Instead of gaining access solely to his own device, the researcher discovered that the backend server handling Romo devices returned access to a vastly larger device pool.
Due to what DJI later described as a “backend authorization validation issue,” the cloud service failed to properly enforce account-level access restrictions. As a result:
- Approximately 10,000 active DJI Romo units became accessible
- Devices across 24 countries appeared in the system
- The researcher could view real-time operational data
- He could access microphones, speakers, and recorded video
- Home mapping data was visible
- IP addresses and approximate geographic regions were exposed
This was not a brute-force attack or an exploit chain involving malware. It was a horizontal privilege escalation caused by insufficient access control checks at the server layer: once a request was authenticated, the backend did not confirm that the devices it returned belonged to the requesting account.
What Data Was Exposed?
The scope of access extended far beyond simple vacuum control.
Accessible data included:
- Real-time cleaning status
- Room-by-room mapping layouts
- Dustbin levels
- Active session telemetry
- Microphone access
- Speaker control
- Recorded video footage
- Device IP addresses
- Regional geolocation metadata
Although GPS-level coordinates were not exposed, regional mapping based on IP information allowed approximate geographic identification.
From a cybersecurity standpoint, this constitutes a high-risk privacy breach vector.
Cloud Architecture Failure: What Likely Went Wrong
The issue appears to stem from inadequate backend authorization checks within DJI’s cloud infrastructure. In properly segmented IoT environments:
- Each device must be cryptographically bound to a specific user account
- Server endpoints must validate ownership tokens
- API responses must enforce strict identity scoping
- Device queries should be filtered server-side
In this case, device enumeration and access control validation were insufficient. Once authenticated at the service layer, the system returned a broader device set rather than isolating requests to the authenticated user’s hardware.
This suggests a failure in:
- Role-based access control (RBAC)
- Multi-tenant data isolation
- API endpoint permission validation
Such vulnerabilities are particularly dangerous in IoT ecosystems where physical environments are monitored and recorded.
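To make the server-side scoping requirement concrete, here is an added, constructed example (not DJI's code; the device registry, session tokens and function names are all hypothetical). It places the flawed pattern described above, where a valid session returns the whole fleet, beside the hardened form that filters by owner at list time and re-checks ownership on every per-device call.

```python
# Constructed toy registry and session store standing in for a cloud backend.
DEVICES = {
    "romo-0001": {"owner": "alice", "region": "FR"},
    "romo-0002": {"owner": "bob", "region": "DE"},
    "romo-0003": {"owner": "carol", "region": "US"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


def authenticate(token):
    """Resolve a session token to a user id; unknown tokens are rejected."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthError("invalid session token")


def list_devices_vulnerable(token):
    """Flawed pattern: authentication succeeds, but the query is never scoped
    to the caller, so any valid session enumerates every device."""
    authenticate(token)
    return sorted(DEVICES)


def list_devices(token):
    """Hardened pattern: the device set is filtered server-side by owner, so
    the caller only ever sees hardware bound to their own account."""
    user = authenticate(token)
    return sorted(d for d, meta in DEVICES.items() if meta["owner"] == user)


def open_device_channel(token, device_id, channel):
    """Per-object check: ownership is verified on every device-level call
    (mic, speaker, map), not only at list time, so a guessed or leaked id
    is still denied. Missing and foreign ids get the same response so the
    endpoint does not confirm which ids exist."""
    user = authenticate(token)
    meta = DEVICES.get(device_id)
    if meta is None or meta["owner"] != user:
        raise AuthError("device not found")
    if channel not in ("mic", "speaker", "map"):
        raise ValueError("unknown channel")
    return f"{channel}-stream:{device_id}"
```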
Live Demonstration And Media Confirmation
The incident was reported publicly after the researcher demonstrated the access to journalists from The Verge. During the demonstration, real-time data from multiple robot vacuums was shown.
According to statements provided to the press, the researcher tested microphone and data access with a friend’s device but did not exploit the broader exposure for malicious purposes.
DJI’s Response
DJI acknowledged the issue, describing it as a backend authorization validation problem. Company spokesperson Daisy Kong confirmed that unauthorized access could have occurred due to this flaw.
The company reportedly fixed the vulnerability after media inquiry brought attention to the issue. However, it remains unclear:
- How long the vulnerability existed
- Whether malicious actors exploited it previously
- Whether historical logs can confirm unauthorized access
- If affected users were directly notified
DJI has not disclosed evidence of confirmed misuse, but also has not ruled out the possibility.
Broader Implications For IoT Security
This incident is part of a recurring pattern across the smart home industry. Over the past decade, numerous IoT devices have suffered from improper authentication, exposed APIs, or weak encryption models, including:
- Security cameras
- Smart speakers
- Baby monitors
- Smart locks
- Connected appliances
Robot vacuums with cameras and microphones introduce an additional risk layer. Unlike static cameras, these devices actively map entire living spaces, generating high-resolution spatial layouts of private homes.
Compromised access therefore creates exposure not just to audiovisual feeds, but also to:
- Floor plan intelligence
- Room usage patterns
- Occupancy timing
- Network topology clues
For malicious actors, this data has real-world exploitation potential.
The IoT Security Problem Persists
Despite repeated high-profile vulnerabilities, many manufacturers continue prioritizing rapid feature deployment over hardened backend design.
Key recurring weaknesses include:
- Insufficient API rate limiting
- Lack of zero-trust architecture
- Poor tenant isolation in cloud environments
- Delayed vulnerability disclosure processes
The DJI case demonstrates that even companies with advanced robotics expertise can suffer from basic access control flaws.
Ethical Conduct Versus Malicious Exploitation
It is important to note that this case involved a researcher who disclosed the issue rather than abusing it. Had the same vulnerability been discovered by malicious actors, consequences could have included:
- Remote harassment via speaker systems
- Audio surveillance
- Behavioral monitoring
- Mapping intelligence harvesting
- Coordinated botnet-style device control
The absence of confirmed exploitation does not diminish the severity of the exposure.
The Larger Question: Can Consumers Trust Connected Devices?
Smart home adoption continues to grow globally. Consumers increasingly deploy always-connected devices inside private living spaces without fully understanding backend security models.
The DJI Romo incident underscores a fundamental reality:
Cloud-connected devices are only as secure as their backend authorization architecture.
Even without malware or complex hacking techniques, flawed access control logic can create systemic exposure at scale.
Until IoT manufacturers adopt stronger zero-trust frameworks, enforce stricter API permission scoping, and undergo rigorous third-party penetration testing, similar vulnerabilities are likely to recur.
For consumers, this serves as another reminder that convenience and connectivity come with measurable security trade-offs.