Man accidentally gains control of 7k robot vacuums
Source: Hacker News
A DJI robot‑vacuum hack exposed thousands of homes
A software engineer’s attempt to steer his new DJI robot vacuum with a video‑game controller unintentionally gave him a glimpse into thousands of other people’s homes.
While building his own remote‑control app, Sammy Azdoufal used an AI coding assistant to reverse‑engineer how the robot communicated with DJI’s remote cloud servers. He soon discovered that the same credentials that let him see and control his own device also granted access to:
- Live camera feeds
- Microphone audio
- Maps and status data
…from nearly 7,000 other vacuums across 24 countries. The backend security bug effectively exposed an army of internet‑connected robots that, in the wrong hands, could have become surveillance tools—without owners ever knowing.

The DJI Romo. Image: DJI
Fortunately, Azdoufal did not exploit the flaw. He shared his findings with The Verge, which promptly contacted DJI to report the vulnerability. DJI tells Popular Science the issue has been resolved, but the episode underscores warnings from cybersecurity experts that internet‑connected robots and other smart‑home devices are attractive targets for hackers.
“Internet‑connected robots present attractive targets for hackers.” – Popular Science (source: arXiv pre‑print)
As more households adopt home robots—including newer, more interactive humanoid models—similar vulnerabilities could become harder to detect. AI‑powered coding tools, which lower the barrier for less‑technical users to exploit software flaws, may amplify these risks.
Community reaction
I can confirm that @DJIGlobal has finally fixed the HUGE vulnerability they had on their servers.
This vulnerability was discovered by the very skillful @n0tsa, and he reported it to DJI.
It allowed remote control (movements, microphone, camera) of over 10,000 robots…
— Gonzague 👨🏼💻
February 11 2026
Stumbling into a Massive Security Hole
The robot in question is the DJI Romo – an autonomous home vacuum that first launched in China last year and is now expanding to other countries. It retails for around $2,000 and is roughly the size of a large terrier or a small fridge when docked at its base station. Like other robot vacuums, it’s equipped with a range of sensors that help it navigate its surroundings and detect obstacles. Users can schedule and control it via an app, but it is designed to spend most of its time cleaning and mopping autonomously.
How the Device Works
- The Romo (and any modern autonomous vacuum) constantly collects visual data from the building it operates in.
- It must understand specific details about each room (e.g., kitchen vs. bedroom) to navigate correctly.
- Some sensor data is stored remotely on DJI’s servers rather than on the device itself.
For Azdoufal’s DIY‑controller idea to work, he needed a way for his app to communicate with DJI’s servers and extract a security token that proves he is the owner of the robot.
The Vulnerability
Instead of verifying a single token, the servers granted access for a small army of robots, essentially treating him as the owner of each one. This slip‑up allowed Azdoufal to:
- Tap into real‑time camera feeds.
- Activate the robots’ microphones.
- Compile 2‑D floor plans of the homes the robots were operating in.
- Infer approximate locations from the robots’ IP addresses.
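The article does not describe DJI's backend, so the following is an added sketch of the general class of flaw it reports, not DJI's code or API: a server that checks that a token is valid but not that its holder owns the requested device, shown beside the ownership check that closes the gap. Every name, key and device ID here is constructed for illustration.

```python
# Added illustration; all names and data are constructed, not DJI's API.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"                   # server signing key (constructed)
OWNERS = {"robot-A": "alice", "robot-B": "bob"}    # device ID -> owning account

def issue_token(user: str) -> str:
    """Sign a token that proves who the caller is (authentication only)."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def authenticate(token: str):
    """Return the account name if the signature verifies, else None."""
    body, _, sig = token.partition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))["sub"]

def camera_feed_flawed(token: str, device_id: str) -> str:
    """Flawed: any valid token is accepted for any device."""
    if authenticate(token) is None:
        return "401"
    return f"200 feed:{device_id}"

def camera_feed_checked(token: str, device_id: str) -> str:
    """Hardened: the token's account must own the requested device."""
    user = authenticate(token)
    if user is None:
        return "401"
    # Unknown and foreign devices get the same answer, so IDs cannot be probed.
    if OWNERS.get(device_id) != user:
        return "403"
    return f"200 feed:{device_id}"
```

The ownership lookup has to run on every request path that touches a device (video, audio, maps, control), since a single unchecked endpoint reproduces the exposure.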
Azdoufal insists that none of this amounts to “hacking” on his part; he simply “stumbled upon a major security issue.”
“DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately,” DJI told Popular Science.
“The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow‑up update completed on February 10. The fix was deployed automatically, and no user action is required.”
DJI added that it plans to “continue to implement additional security enhancements,” though it did not specify what those may entail.
Homeowners Are Grappling With the Privacy Cost of Smart Homes
The DJI security concerns come amid a period of growing unease about the surveillance capabilities of smart‑home technology. Earlier this month, Ring camera owners flooded social media after a controversial advertisement for the company’s pet‑finding “search‑party” feature was interpreted by some as a Trojan horse for broader monitoring.
Around the same time, reports that Google was able to retrieve video footage from a Nest Doorbell camera to assist in an abduction investigation (despite earlier indications that the footage had been deleted) reignited debate over how much control consumers truly have over their sensitive data.
Lawmakers from both parties in the U.S. have spent years warning that DJI and other Chinese‑tech manufacturers pose a unique security threat. Although the evidence for those claims is murky, it has helped justify the banning of certain Chinese‑made products.
The irony of many robot vacuums and other smart‑home devices is that, as a category, they have a long history of questionable security practices—even though they operate in some of our most private spaces. All signs suggest that the average person will soon welcome more cameras and microphones into their homes, not fewer.
- As of 2020, market‑research firm Parks Associates estimates that 54 million U.S. households had at least one smart‑home device installed.
- Other surveys show that households that already own a device often want more.
More Sophisticated Devices Are Arriving
The specific types of devices entering homes are becoming more sophisticated. Though still early, companies such as Tesla, Figure, and others are racing to build human‑like autonomous robots that can live in a home and perform chores.
A company called 1X is already retailing one of these humanoids, claiming it can clean dishes and crack walnuts—albeit often with some help from a human. Eventually, for any of these at‑home robot servants to function effectively, they will need unprecedented access to the intimate details of their owners’ homes. For a stalker or hacker, that represents a potential goldmine.
A Personal Anecdote
True to his word, Azdoufal found himself wrapped up in this mess even though all he wanted to do was drive his robot around with a joystick. On that front, mission accomplished:

Controlling DJI Romo vacuum with a PS5 controller
