How one guy accidentally hacked all a company’s robot vacuums
Source: Android Authority

TL;DR
- A DJI Romo vacuum owner tried to code an app to control his vacuum with a PS5 controller.
- Insufficient authentication let him access data streams from the entire fleet of DJI vacuums.
- DJI has patched the major security hole, but other issues (e.g., camera‑feed PIN override) remain.
The Hack
Sammy Azdoufal wanted to drive his DJI Romo vacuum using a PS5 controller. He used Anthropic’s Claude Code to analyze the official DJI app and reverse‑engineer the communication protocol. Claude succeeded, but the resulting tool could control all DJI vacuums—and even the company’s power stations—because the authentication token it extracted was not device‑specific.
Azdoufal told The Verge about his experience: the remote‑vacuum‑control app suddenly displayed floor‑plan scans and live camera feeds from strangers’ devices located thousands of miles away.
Technical Details
- Protocol: The devices communicate with DJI’s servers via the MQTT protocol.
- Authentication flaw: DJI issued a single authentication token that was not bound to an individual vacuum. Possessing that token allowed unrestricted access to any device linked to the service.
- Data exposed: Floor‑plan maps, live camera streams, and other telemetry from all users’ vacuums and power stations.
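The flaw in the technical details above is a token that authenticates the app but identifies no device, so the broker has nothing to scope a subscription to. The following is an added example (not DJI's code and not from the article) of what device binding at an MQTT broker looks like: the weak check beside a hardened one that ties each token to a single device id and rejects topic filters that could reach other devices' namespaces. The topic layout `devices/<id>/...`, the token format and the signing key are assumptions made for this example.

```python
# Constructed example (not DJI's code): device-bound MQTT topic authorization.
# Topic layout 'devices/<id>/...', token format and signing key are assumptions.
import hashlib
import hmac
from typing import Optional

SIGNING_KEY = b"constructed-broker-key"           # assumption: broker-side secret
FLEET_TOKEN = "one-token-shared-by-every-device"  # models the shared credential


def authorize_weak(token: str, topic_filter: str) -> bool:
    """Before: the only question asked is 'is this the app's token?'.
    The topic is never checked, so any holder can subscribe fleet-wide."""
    return hmac.compare_digest(token.encode(), FLEET_TOKEN.encode())


def issue_token(device_id: str) -> str:
    """Mint a token that names exactly one device: '<id>.<HMAC(id)>'."""
    mac = hmac.new(SIGNING_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def device_for_token(token: str) -> Optional[str]:
    """Return the device id a token is bound to, or None if the MAC is wrong."""
    device_id, _, mac = token.partition(".")
    expected = hmac.new(SIGNING_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    if not device_id or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return device_id


def filter_allowed(device_id: str, topic_filter: str) -> bool:
    """Allow a subscription filter only if it can never match another device's
    topics: levels 0 and 1 must be the literal 'devices' and this device's id,
    so 'devices/#', 'devices/+/camera' and 'devices/vac-02/map' are rejected."""
    levels = topic_filter.split("/")
    return len(levels) >= 3 and levels[0] == "devices" and levels[1] == device_id


def authorize_hardened(token: str, topic_filter: str) -> bool:
    """After: identity comes from the token, then the per-device ACL applies."""
    device_id = device_for_token(token)
    return device_id is not None and filter_allowed(device_id, topic_filter)


if __name__ == "__main__":
    tok = issue_token("vac-01")
    print(authorize_weak(FLEET_TOKEN, "devices/+/camera"))   # True: fleet-wide
    print(authorize_hardened(tok, "devices/vac-01/camera"))  # True: own device
    print(authorize_hardened(tok, "devices/+/camera"))       # False: denied
```

The same shape applies to publish authorization: the broker should derive the device identity from the credential and refuse any topic outside that device's namespace rather than trusting the client to name itself.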
Impact and DJI’s Response
- Patch: DJI has since closed the primary loophole, preventing users from accessing other people’s devices with a stolen token.
- Remaining issues: Some vulnerabilities persist, such as the ability to override the PIN required to view vacuum camera feeds. These were discovered because the AI‑generated app exposed more functionality than intended.