Breaking: Smart Home Security

Man Accidentally Gains Control of 7,000 Robot Vacuums — Here's Exactly What Happened

A software engineer tried to drive his DJI robot vacuum with a PS5 controller. He ended up with live camera access to thousands of strangers' homes in 24 countries.

Updated March 6, 2026

The Short Version

Who: Sammy Azdoufal, a software engineer based in Spain.

What: While building a custom app to control his DJI Romo robot vacuum with a PlayStation 5 controller, he accidentally discovered an authentication flaw that gave him access to nearly 7,000 other DJI Romo vacuums worldwide.

What he could see: Live camera feeds, microphone audio, 2D floor plans of homes, battery status, and approximate GPS locations — all from strangers' houses.

What he did: He did not exploit it. He reported the flaw to The Verge, which contacted DJI. DJI patched the issue automatically on February 8–10, 2026.

Is it fixed? Yes. DJI has issued automatic patches. No user action is required.

How It Happened, Step by Step

Azdoufal's original goal was simple and harmless: he wanted to steer his new DJI Romo robot vacuum around his apartment using a PS5 game controller — just for fun. To do that, he needed his custom app to communicate with DJI's cloud servers. He used the AI coding assistant Claude to help reverse-engineer the communication protocol between the Romo and DJI's backend.

[Figure: How one set of cloud credentials accidentally unlocked access to nearly 7,000 robot vacuums in 24 countries.]

1. The Experiment
Azdoufal uses Claude (an AI assistant) to reverse-engineer how his DJI Romo communicates with DJI's cloud servers. He extracts an authentication token that proves he is the device owner.

2. The Flaw Discovered
Instead of validating a single device token, DJI's server treated his credentials as authorization for all devices on the platform. His single token returned data from 6,700–7,000 other Romo vacuums.

3. What He Could Access
Live camera feeds from inside strangers' homes, microphone audio, 2D floor plan maps the vacuum had built, battery and status data, and IP address-based location data for each device.

4. Responsible Disclosure
Azdoufal chose not to exploit the access. He shared his findings with The Verge on approximately February 21, 2026. The Verge contacted DJI, which confirmed the issue and patched it automatically by February 10.

5. Story Goes Viral
The story spread from The Verge and Popular Science to CNN, Mashable, and Wired. A Late Show with Stephen Colbert segment reached 580,000+ views. Google searches for "accidentally" spiked to a peak index of 100 on March 6, 2026.

What Data Was Actually Exposed

The scope of the accidental exposure was significant because robot vacuums are among the most data-rich devices in a modern home. Unlike a smart bulb or a thermostat, a robot vacuum physically roams every room and builds a detailed map of your living space.

Data Type | What It Reveals | Risk Level
Live camera feed | Real-time video of the interior of your home | High
Microphone audio | Real-time audio from inside your home | High
2D floor plan map | Exact layout of your home, including room positions | High
IP address / location | Approximate geographic location of the device | Medium–High
Battery & status data | Whether the device is active, charging, or idle | Low

DJI confirmed to Popular Science that the vulnerability was identified internally in late January 2026 and patched in two automatic updates on February 8 and 10. The DJI Romo has since been removed from the DJI online store.

Is Your Robot Vacuum Safe? What You Should Know

[Figure: What a camera-equipped robot vacuum can collect, and the four practical steps to reduce your exposure.]

If you own a DJI Romo: The specific authentication flaw has been patched automatically. You do not need to take any action to fix this particular vulnerability. However, the DJI Romo has been pulled from the DJI store, and DJI has not confirmed future availability.

This incident is not isolated to DJI. In 2024, Ecovacs Deebot X2 robot vacuums in the United States were hacked and used to broadcast audio at their owners. Smart baby monitors, Ring doorbells, and Nest cameras have all experienced similar breaches in recent years. The common thread is that any internet-connected device with a camera or microphone is a potential surveillance target if its cloud security is inadequate.

5 Practical Steps to Protect Your Smart Home Devices

Watch: CNN Reports on the DJI Vacuum Hack

CNN's Clare Duffy spoke directly with Sammy Azdoufal about how he accidentally discovered the flaw and what he found inside thousands of strangers' homes.

The Bigger Picture: Why This Matters for Smart Homes

The DJI Romo incident is a vivid illustration of a systemic problem in the IoT (Internet of Things) industry: devices that operate inside the most private spaces in our lives are often secured with less rigor than a basic web application. The authentication flaw that Azdoufal stumbled upon — where a single credential provided access to thousands of devices — is a textbook example of a broken access control vulnerability, ranked as the number-one web application security risk by OWASP.
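
The pattern described above, a valid token accepted without a per-device ownership check, sketched as an added example. This is not DJI's code and not part of the original article; the token format, device ids and function names are hypothetical. `cross_account_reads` is the kind of regression check a backend team can run against each handler.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value for this demo only
# Constructed registry: device id -> owning account (all values hypothetical).
DEVICE_OWNER = {"vac-001": "alice", "vac-002": "bob", "vac-003": "carol"}

def issue_token(user: str) -> str:
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"

def authenticate(token: str) -> str:
    """Return the account a token belongs to, or raise PermissionError."""
    user, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("invalid token")
    return user

def read_device_vulnerable(token: str, device_id: str) -> dict:
    # Flawed pattern: a valid token is treated as permission for any device.
    authenticate(token)
    if device_id not in DEVICE_OWNER:
        raise PermissionError("unknown device")
    return {"device": device_id, "status": "docked"}

def read_device_fixed(token: str, device_id: str) -> dict:
    # Authorization is checked per object: the caller must own this device.
    user = authenticate(token)
    # Same error for "not yours" and "does not exist", so ids cannot be probed.
    if DEVICE_OWNER.get(device_id) != user:
        raise PermissionError("device not available")
    return {"device": device_id, "status": "docked"}

def cross_account_reads(handler) -> list:
    """Regression check: every (account, device) pair a handler wrongly serves."""
    leaks = []
    for user in sorted(set(DEVICE_OWNER.values())):
        token = issue_token(user)
        for device_id, owner in sorted(DEVICE_OWNER.items()):
            try:
                handler(token, device_id)
            except PermissionError:
                continue
            if owner != user:
                leaks.append((user, device_id))
    return leaks
```

Run against the flawed handler, the check reports every account reading every other account's device; run against the fixed handler, it reports nothing.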

What makes this case unusual is the role of AI. Azdoufal used Claude, an AI coding assistant, to help reverse-engineer the communication protocol. This is a double-edged development: AI tools lower the technical barrier for legitimate researchers and hobbyists, but they also lower the barrier for malicious actors. A vulnerability that previously required deep expertise to find can now be discovered by someone with moderate coding skills and an AI assistant.

As of 2020, an estimated 54 million U.S. households had at least one smart home device. That number has grown substantially since. The next generation of home robots — including humanoid models from Tesla and Figure — will require even more intimate access to the layout and routines of a home. The security practices established now will determine how safely that future unfolds.

The good news in this story is that Azdoufal acted responsibly. He did not use the access he stumbled into. He disclosed it. DJI patched it quickly. But the question the incident leaves open is: how many similar flaws exist in other brands' devices, undiscovered by someone with equally good intentions?

Frequently Asked Questions

Was the man who accidentally gained control of 7,000 robot vacuums a hacker?
No. Sammy Azdoufal is a software engineer who was running a personal experiment — connecting his own DJI Romo to a PS5 controller. He did not intend to access anyone else's device. He discovered the flaw accidentally and reported it responsibly. He has explicitly stated that what he did does not constitute hacking, as he simply stumbled upon a misconfigured server.
Which robot vacuum brands are affected by this security flaw?
The specific authentication flaw described in this story affected only the DJI Romo robot vacuum. DJI has patched it automatically. However, cybersecurity researchers note that similar broken access control vulnerabilities have been found in other smart home devices, including Ecovacs robot vacuums in 2024. No other brands have been confirmed to have this specific flaw at this time.
How did he accidentally access 7,000 robot vacuums using a PS5 controller?
Azdoufal used an AI coding tool (Claude) to reverse-engineer how his DJI Romo communicates with DJI's cloud servers. When he extracted his authentication token, DJI's server incorrectly treated it as authorization for all devices on the platform — not just his own. This allowed him to receive live data from approximately 7,000 other Romo vacuums. The PS5 controller was simply his intended input device; the security flaw was entirely on DJI's cloud server side.
Is my robot vacuum spying on me?
Under normal circumstances, your robot vacuum's camera and microphone data is only accessible to you through the manufacturer's app. However, this incident demonstrates that cloud-side security flaws can expose that data without your knowledge. The risk is not that your vacuum is actively spying on you by design, but that a security flaw could allow an unauthorized party to access its camera or audio feed. Keeping firmware updated and disabling remote viewing when not needed are the most effective precautions.
Did DJI fix the robot vacuum security flaw?
Yes. DJI confirmed to Popular Science that the vulnerability was identified and patched in two automatic updates deployed on February 8 and February 10, 2026. No action is required from DJI Romo owners. The DJI Romo has also been removed from the DJI online store, though DJI has not commented on whether this is related to the security incident.
What data could someone access through a hacked robot vacuum?
In the DJI Romo case, the accessible data included live camera video from inside homes, real-time microphone audio, 2D floor plan maps of the homes the vacuum had mapped, battery and operational status, and approximate geographic location derived from IP addresses. This combination of data is particularly sensitive because it provides a detailed picture of a home's layout and the people inside it.
Should I stop using robot vacuums with cameras?
Not necessarily. Camera-equipped robot vacuums offer genuine benefits, particularly for pet owners who want to monitor their animals remotely. The key is choosing brands with strong security track records and keeping devices updated. Brands like Roborock and iRobot have generally responded quickly to disclosed vulnerabilities. Covering the camera lens with tape when not using the remote viewing feature is also a simple and effective precaution.