Shocking error. An enthusiast wanted to control his robot vacuum cleaner with a gamepad, instead he hacked into thousands of models

Robot vacuum cleaners with cameras and internet connectivity can, in some cases, pose a security risk, as owners of DJI Romo have now discovered. An enthusiast, during an innocent attempt to control his vacuum cleaner with a game controller, uncovered a serious vulnerability that opened the door to thousands of devices worldwide.

He just wanted to play, gained access to 7,000 vacuum cleaners

As reported by The Verge, Sammy Azdoufal decided to program an application that would allow him to control his DJI Romo robot vacuum cleaner using a PlayStation 5 console controller. He used the AI tool Claude Code for reverse engineering DJI protocols. However, when his application connected to the manufacturer’s servers, it wasn’t just his own vacuum cleaner that responded – approximately 7,000 devices from around the world logged in.

Azdoufal discovered that he could remotely control other people’s vacuum cleaners, view live footage from their cameras, and listen to audio through the integrated microphone. The devices also provided him with complete floor plans of homes, which they gradually mapped. In just nine minutes, his tool recorded 6,700 robots in 24 countries and collected over 100,000 of their messages. When including DJI Power portable power banks using the same servers, the total number exceeded 10,000 devices.

The Verge had the access verified

The Verge editorial team had the claims verified on their own review unit. All it took was providing the 14-digit serial number of the vacuum cleaner, and Azdoufal was able to correctly identify that the device was cleaning the living room and had 80% battery. Within minutes, he generated an accurate floor plan of the editor’s home, simply by entering digits into a laptop in another country.

According to Azdoufal, he didn’t have to break any security to gain access. He merely extracted a private token from his own vacuum cleaner, and DJI’s servers automatically granted him access to data from thousands of other users. “I didn’t break any rules, I didn’t bypass anything, I didn’t crack anything, nor did I use brute force,” he claims.

DJI claimed to have fixed the problem – it wasn’t true

When The Verge contacted DJI, the company stated that it had already fixed the vulnerability the previous week. The editorial team received this statement half an hour before Azdoufal demonstrated live access to thousands of vacuum cleaners, including their review unit. Only the following day did DJI actually patch the flaw.

The company eventually admitted to a “backend authorization issue” that theoretically allowed unauthorized access to live video. DJI claims that data is encrypted using TLS, but as Azdoufal and security researcher Kevin Finisterre point out, TLS only protects data in transit, not its content within the server. Once an attacker authenticates as a client, they can monitor messages from all devices without restriction.

It’s not an isolated case

Security issues with robot vacuum cleaners are not an exception. In 2024, hackers took control of Ecovacs vacuum cleaners to harass pets and shout racist slurs. This year, South Korean authorities uncovered vulnerabilities in Dreame X50 Ultra, Ecovacs, and Narwal models that allowed camera access. In contrast, vacuum cleaners from Samsung, LG, and Roborock performed well.

The DJI Romo case thus reopens the question of whether robot vacuum cleaners should even have cameras and microphones. “It’s so weird to have a microphone on a damn vacuum cleaner,” Azdoufal remarks. At least one thing pleased him, though – he actually controls his vacuum cleaner with a PlayStation controller in the end.

Do you trust robot vacuum cleaners with cameras?

Source: The Verge