PC Gamer
Lincoln Carpenter

Guy accidentally takes command of 7,000 robots in the homes of 7,000 strangers while trying to control his vacuum with a gamepad

The DJI Romo robot vacuum in its charging base.

Software engineer Sammy Azdoufal had a humble goal: He wanted to control his robot vacuum with a PS5 gamepad, because controlling things with a gamepad is cool. Shortly after pursuing that dream, however, Azdoufal found he had gained control of over 7,000 robots that were happy to provide him camera feeds and floor plans of strangers' homes in two dozen countries across the globe (via The Verge).

Azdoufal's field promotion to international robot commander occurred after he tasked Claude Code with analyzing the traffic between his newly purchased DJI Romo vacuum and the manufacturer's servers. But when the security token it provided gave him access to not just his DJI Romo, but to all DJI Romos around the world, it was clear that he'd stumbled upon a glaring security flaw.

Every three seconds, Azdoufal's Claude-built app collected the serial numbers of thousands of robots pinging back to home base, reporting information about their cleaning routes, their charge states, obstacles they'd encountered. He could activate their on-board cameras and microphones. He could reconstruct the 2D floor plans of their owners' homes using their recorded spatial data. And with each machine's IP address, he could approximate the rough location of each robot vacuum's household.

DJI's security oversight had delivered an entire global surveillance apparatus to a guy who just wanted to drive his vacuum with a DualSense for kicks.

DJI issued a patch to relevant vacuums that addressed the security oversight within days of being contacted by Azdoufal and The Verge, and a spokesperson admitted that "a backend permission validation issue affecting MQTT-based communication between the device and the server" allowed "theoretical potential for unauthorized access to live video of ROMO device." And really, who among us hasn't created a backend permission validation issue affecting MQTT-based communication?

Azdoufal says that some of the vulnerabilities he's found through his Claude-empowered prodding remain unaddressed, however. DJI has committed to stitching up those remaining holes "within weeks," but we're all left to provide our own unsettling explanations as to why a vacuum even needs a microphone in the first place. Hearing isn't a sense that vacuums need. They mostly just need the vacuuming-relevant ones.

Given our continuing reckless descent into electric woe, it should come as no surprise that this isn't the first case of robovac espionage. In 2024, hackers utilized security flaws in Ecovacs vacuum cleaners to spy on their owners, assail them with slurs, and harass their dogs. It's the price we've elected to pay when every internet-enabled device we've allowed into our home is one whose security engineers might have been content with saying "Eh, good enough" before pushing it to market. Personally, I prefer my home at a comfortable level of unintelligence, and I'm pleased to contribute to that healthy median.

That's not to say smart devices are entirely irredeemable, however. After all, Azdoufal did eventually get his vacuum's gamepad control working. Worth it?
