User accidentally gains control of over 6,700 robot vacuums while tinkering with their own device to enable control with a PlayStation controller — security flaw reveals floor plans and live video feeds
Source: Tom’s Hardware

Overview
A security flaw that exposed thousands of DJI Romo robot vacuums to unauthorized access was unintentionally revealed after a tinkerer built an app to control their own device with a PlayStation controller. According to The Verge, the problem allowed the app to retrieve accurate floor plans, access live camera and microphone feeds, and even remotely control the affected devices.
Discovery
The issue was discovered by AI strategist Sammy Adoufal, who used Claude Code to reverse‑engineer the protocol the DJI Romo uses to communicate with its servers. Rather than being limited to his own vacuum, the reverse‑engineered token granted control over roughly 6,700 Romo units worldwide, including devices in the United States, Europe, and China.
Adoufal emphasized that he did not hack DJI’s backend systems; he merely obtained the private token for his own Romo. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” he told The Verge. The token, however, allowed him to connect to live servers and interact with any vacuum that accepted the same authentication method.
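What the report describes, a token issued for one vacuum being accepted as authority over every vacuum on the service, is a server-side authorization defect rather than a cryptographic break. The following is an added Python illustration of that bug class beside its fix; it is not DJI's protocol or code, and the token format, device table, and function names are hypothetical.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo signing key; a real service would keep this in a KMS or HSM.
SERVER_KEY = b"constructed-demo-signing-key"

# Constructed fleet: device id -> owning account.
DEVICES = {"romo-0001": "alice", "romo-0002": "bob", "romo-0003": "carol"}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str, device_id: Optional[str] = None) -> str:
    """Mint a signed token. Without device_id it is account-wide (weak form);
    with one it is bound to a single device (hardened form)."""
    payload = f"acct={account};dev={device_id or '*'}"
    return payload + "|" + _sign(payload)


def _parse(token: str) -> Optional[dict]:
    """Verify the MAC and return the claims, or None if forged/tampered."""
    try:
        payload, sig = token.rsplit("|", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return dict(kv.split("=", 1) for kv in payload.split(";"))


def authorize_weak(token: str, device_id: str) -> bool:
    """Weak: any validly signed token may command any device that exists.
    Authentication is checked, ownership of the target device is not."""
    claims = _parse(token)
    return claims is not None and device_id in DEVICES


def authorize_scoped(token: str, device_id: str) -> bool:
    """Hardened: the token must name this exact device, and the device must
    belong to the account the token was issued to (object-level check)."""
    claims = _parse(token)
    if claims is None or device_id not in DEVICES:
        return False
    if claims["dev"] != device_id:
        return False
    return DEVICES[device_id] == claims["acct"]
```

The weak path is what lets one legitimate credential fan out across a fleet; the scoped path fails closed when the device in the request differs from the device the token was minted for.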
Prior Incidents
This is not the first time a robot vacuum has mishandled user data. In 2023, an engineer found that his iLife A11 smart vacuum continuously sent logs and telemetry back to the manufacturer. When he blocked the outbound traffic, the maker responded by issuing a remote “kill code” that effectively bricked the device. The engineer later revived the vacuum by running it locally with custom hardware and Python scripts, demonstrating that continuous cloud connectivity is not required for normal operation.
