Man Accidentally Gains Control of 7,000 Robot Vacuums
Source: Slashdot
Overview
A software engineer tried steering his robot vacuum with a videogame controller, reports Popular Science — but ended up with “a sneak peek into thousands of people’s homes.”
Discovery
While building his own remote‑control app, Sammy Azdoufal used an AI coding assistant to reverse‑engineer how the robot communicated with DJI’s remote cloud servers. He discovered that the same credentials that allowed him to see and control his own device also provided access to:
- Live camera feeds
- Microphone audio
- Maps and status data
These were available from nearly 7,000 other vacuums across 24 countries.
Potential Impact
The backend security bug effectively exposed an army of internet‑connected robots that, in the wrong hands, could have been turned into surveillance tools without owners ever knowing. Azdoufal chose not to exploit the flaw. He reported his findings to The Verge, which promptly contacted DJI — see the Verge article.
Azdoufal also noted that he could compile 2D floor plans of the homes the robots were operating in, and that a quick look at the robots’ IP addresses revealed their approximate locations.
DJI’s Response
DJI told Popular Science that the issue was addressed through two updates, with an initial patch deployed on February 8 and a follow‑up update completed on February 10.