Software engineer Sammy Azdoufal didn’t set out to expose a global smart-home vulnerability. He just wanted to make his robot vacuum more fun.
Azdoufal connected his DJI Romo vacuum cleaner to a PlayStation 5 controller, using an AI coding assistant, Claude Code, to reverse-engineer how the device communicated with DJI’s cloud servers. “It sounded fun,” he told the New York tech publication The Verge.
What happened next was anything but playful.
After probing the system, Azdoufal discovered he could not only control his own device but access data from nearly 7,000 robot vacuums across 24 countries. The exposed information reportedly included live camera feeds, microphone audio and detailed floor maps.
To demonstrate the flaw, a reporter at The Verge provided Azdoufal with the serial number of a DJI Romo unit under review. Within minutes, Azdoufal could see the vacuum cleaning the reporter’s living room, check that it had 80% battery life and generate a floor plan of the home.
The vulnerability pointed to a backend security bug affecting devices made by DJI — formally Shenzhen Da-Jiang Innovations Sciences and Technologies Ltd. DJI initially told The Verge the problem “was resolved,” though Azdoufal said not all the vulnerabilities he identified had been fixed. Following publication, DJI told Popular Science the issue had been “resolved.”
Why This Matters?
The incident underscores growing concerns about the security of internet-connected home devices. Robot vacuums equipped with cameras and microphones function not just as cleaning tools, but as mobile data-gathering systems inside private homes.
While Azdoufal disclosed the flaw responsibly, the episode highlights the risk that more malicious actors could exploit similar vulnerabilities for surveillance or data theft. As smart home adoption accelerates, cybersecurity experts warn that convenience often outpaces robust security controls.
In short, a weekend experiment exposed how easily everyday household robots could become tools of unintended surveillance, raising urgent questions about cloud security, device authentication and consumer privacy in the age of connected homes.
Sources: