PS5 Controller Hijack Lets Modder Drive DJI Romo Vacuum and Tap 7,000 Robot Cameras

DJI’s first robot vacuum, the DJI Romo, is turning heads for its distinctive transparent design. But a recent incident suggests the company may have spent more time making the device look futuristic than making it resilient against cyber threats. In an eye-opening security slip-up, one curious owner reportedly gained unintended access to thousands of DJI Romo robot vacuums around the world—simply while trying to do a fun controller mod.

The story starts with a simple experiment. A programmer named Sammy Azdoufal wanted to drive his DJI Romo using a PlayStation 5 DualSense controller, essentially turning the robot vacuum into a remote-controlled gadget. To make that work, he built a custom app designed to communicate through DJI’s servers. The expectation was straightforward: authenticate his own robot and send movement commands like any normal connected smart home device.

Instead, something alarming happened. The server-side authorization didn’t just validate access to his own Romo. It reportedly granted him access to every DJI Romo that was active at the time—around 7,000 units globally. In other words, a single token associated with one device appeared to unlock system-wide access, exposing other users’ robot vacuums as if they were his.

That’s where the incident shifts from a quirky DIY project to a serious smart home security warning. With that level of access, the developer could do far more than steer a robot vacuum around. He could reportedly interact with features that no stranger should ever be able to touch, including microphones and speakers. In practice, that kind of vulnerability could allow someone to listen in, play audio into a home, and access sensitive device data without needing to “hack” in the traditional sense.

Even more concerning, the data potentially available went beyond simple controls. Information tied to IP addresses could be used to estimate a device’s approximate location. Robot vacuums can also generate room maps as they navigate—data that may reveal the layout of a home. As smart home devices become more advanced, they often collect increasingly intimate details about daily life, and robot vacuums are a prime example: they know where people live, how rooms are arranged, and when the device is active.

According to the developer, he didn’t bypass protections or break through security barriers to obtain that broad access. The issue appeared to stem from how DJI’s servers handled authentication and authorization—accepting a token from one Romo unit as if it were permission to access data and controls for all units. That’s a major design flaw because it turns what should be a tightly scoped credential into a master key.
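The gap between authenticating a token and authorizing it for one specific device can be shown in a few lines. This is an added example, not DJI's code and not part of the original article; the token format, handler names, signing key and device IDs are all constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key, for this demo only

def issue_token(device_id):
    """Mint a signed token bound to exactly one device."""
    body = base64.urlsafe_b64encode(json.dumps({"device_id": device_id}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def verify_token(token):
    """Authentication only: return the signed claims, or None if the token is invalid."""
    body, sep, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def handle_flawed(token, target_device, command):
    """The flaw as described: a valid token from any unit is accepted for every unit."""
    if verify_token(token) is None:
        return 401, "invalid token"
    return 200, f"{command} sent to {target_device}"

def handle_scoped(token, target_device, command):
    """Corrected: the device named in the request must be the one the token was issued for."""
    claims = verify_token(token)
    if claims is None:
        return 401, "invalid token"
    if claims.get("device_id") != target_device:
        return 403, "token is not authorized for this device"
    return 200, f"{command} sent to {target_device}"

def cross_device_denied(handler):
    """Negative authorization test: a token for unit A must be refused for unit B."""
    token_a = issue_token("romo-A")  # constructed device IDs
    own_status, _ = handler(token_a, "romo-A", "drive_forward")
    other_status, _ = handler(token_a, "romo-B", "drive_forward")
    return own_status == 200 and other_status == 403

if __name__ == "__main__":
    print("flawed handler passes:", cross_device_denied(handle_flawed))
    print("scoped handler passes:", cross_device_denied(handle_scoped))
```

A negative test like `cross_device_denied` belongs in the backend's regression suite, since a handler that only checks token validity passes every positive test an owner would think to run.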

DJI reportedly addressed the problem on Wednesday, February 11, closing the loophole. Still, the episode is a clear reminder of what’s at stake when smart home security falls short. When a connected appliance can record audio, broadcast sound, map interiors, and report network details, even a single backend mistake can scale into a privacy risk affecting thousands of households at once.

For consumers, the takeaway is simple but important: smart home convenience always comes with responsibility—from manufacturers who must implement strict access controls, and from buyers who should treat devices like robot vacuums as real internet-connected computers. Incidents like this show how quickly a “harmless” gadget can become a serious security concern when protections aren’t built to match the data these devices can collect.