User accidentally gains control of over 6,700 robot vacuums while tinkering with their own device to enable control with a PlayStation controller — security flaw reveals floor plans and live video feeds


A security flaw that exposed thousands of DJI Romo robot vacuums to unauthorized access has been unintentionally revealed after a tinkerer built an app to control their own device with a PlayStation controller. According to The Verge, this problem allowed the app to retrieve accurate floor plans, access live camera and microphone feeds, and even remotely control the affected devices.

This was accidentally discovered by AI strategist Sammy Azdoufal, who used Claude Code to reverse engineer the protocol used by the DJI Romo to communicate with its servers. But instead of just letting him access his own device, it handed over the keys to around 6,700 robot vacuums located across the world. Azdoufal said that he didn’t hack into DJI systems — all that he did was to get the private token of his own Romo vacuum. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” he said to The Verge. Because of this, he was able to access live servers across the world, including the U.S., Europe, and even China.

This isn’t the first time that a robot vacuum has been found to be mishandling the data that it gathers. Just last year, an engineer discovered that his iLife A11 smart vacuum had been consistently sending logs and telemetry data back to the manufacturer. When he blocked it from reporting back all that information through his network, the maker sent a kill code to disable the device, essentially bricking it remotely. With a little bit of tinkering and ingenuity, he was able to revive and use his device completely locally, proving that a robot vacuum does not need to be connected to the cloud 24/7 to operate as intended.

Jowi Morales
Contributing Writer