A major security flaw in the DJI Romo robot vacuum allowed a researcher to remotely access thousands of devices around the world, exposing camera feeds, microphones, and home maps.
The issue was discovered accidentally by Sammy Azdoufal, an AI strategist who was experimenting with ways to control his own vacuum using a PlayStation 5 controller. While reverse-engineering the vacuum’s communication system and building a custom control app, he noticed that the app was receiving data from many other Romo vacuums.
Further investigation revealed that the devices communicated with DJI’s cloud servers using the MQTT messaging protocol. Because of weak access controls on the server, any authenticated device token could subscribe to messages from many other devices on the network. As a result, Azdoufal could see information from roughly 7,000 robot vacuums in more than 20 countries.
The exposed data included:
- Live camera feeds from the vacuum’s onboard camera
- Microphone audio
- Cleaning routes and detailed 2D floor maps of homes
- Device status such as battery level and location
In some cases, he could even bypass the camera PIN protection and remotely view video streams.
Although communication between the devices and the servers was encrypted, encryption does not substitute for authorization: the server never checked whether a subscribing client was entitled to the topics it asked for, so once someone authenticated with any valid token, they could potentially access data from many other devices.
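The weakness described above is a broker-side authorization gap: authentication proves which device is connecting, but the subscription filter is never checked against that identity, so a filter such as `devices/#` matches every device's topics. The following Python is an added illustration, not DJI's code or any real broker: it simulates a minimal MQTT-style broker with a permissive policy (any authenticated client may subscribe to anything) beside a scoped policy that only accepts filters confined to the caller's own `devices/<device_id>/` namespace. The token table, device ids and topic layout are constructed for the example.

```python
"""Scoped MQTT subscription authorization (constructed example, not DJI's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed token table. In a real deployment the device id would come from
# validating the device's credential against the backend (assumption).
TOKENS = {
    "tok-romo-A1": "romo-A1",
    "tok-romo-B2": "romo-B2",
}


def authenticate(token: str) -> Optional[str]:
    """Return the device id bound to a token, or None for an unknown token."""
    return TOKENS.get(token)


def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 topic-filter matching: '+' matches one level, '#' the rest."""
    f = topic_filter.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True  # '#' is always the last level and matches everything below
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def permissive_authorize(device_id: Optional[str], topic_filter: str) -> bool:
    """The weak policy: being authenticated is enough to subscribe to anything."""
    return device_id is not None


def scoped_authorize(device_id: Optional[str], topic_filter: str) -> bool:
    """Accept a filter only if every topic it can match lies under
    devices/<device_id>/...  Wildcards in the prefix levels would let the
    filter escape the device's own namespace, so they are rejected there."""
    if device_id is None:
        return False
    levels = topic_filter.split("/")
    prefix = ["devices", device_id]
    if len(levels) < len(prefix):
        return False  # e.g. "#" or "devices" alone
    for want, got in zip(prefix, levels):
        if got != want:  # '+', '#' or another device's id in the prefix
            return False
    return True


@dataclass
class Broker:
    """Tiny in-memory broker: records subscriptions and routes published topics."""
    authorize: Callable[[Optional[str], str], bool]
    subs: Dict[str, List[str]] = field(default_factory=dict)

    def subscribe(self, token: str, topic_filter: str) -> bool:
        device_id = authenticate(token)
        if not self.authorize(device_id, topic_filter):
            return False
        self.subs.setdefault(device_id, []).append(topic_filter)
        return True

    def publish(self, topic: str) -> Set[str]:
        """Return the device ids that would receive a message on this topic."""
        return {dev for dev, filters in self.subs.items()
                if any(filter_matches(f, topic) for f in filters)}


def demo(authorize: Callable[[Optional[str], str], bool]):
    """Device A1 tries a wildcard and its own namespace; B2 publishes a camera frame.
    Returns (wildcard accepted?, own-namespace accepted?, who received B2's frame)."""
    broker = Broker(authorize)
    ok_wild = broker.subscribe("tok-romo-A1", "devices/#")
    ok_own = broker.subscribe("tok-romo-A1", "devices/romo-A1/#")
    broker.subscribe("tok-romo-B2", "devices/romo-B2/#")
    receivers = broker.publish("devices/romo-B2/camera/frame")
    return ok_wild, ok_own, sorted(receivers)


if __name__ == "__main__":
    print("permissive:", demo(permissive_authorize))  # A1 receives B2's frame
    print("scoped:    ", demo(scoped_authorize))      # only B2 receives it
```

Real brokers express the scoped policy declaratively rather than in code; Mosquitto's ACL file, for instance, supports `pattern read devices/%c/#`, which substitutes the connecting client id so each device can only read its own subtree. The detection side is the same check run in reverse: a SUBSCRIBE request whose filter contains `+` or `#` above the device-id level, or names a different device id, is a signal worth alerting on.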
After the vulnerability was reported, DJI released server-side updates in early February 2026 to fix the issue. Because the problem was on the backend, users did not need to manually update their devices. However, the incident raised serious concerns about privacy and security in smart home devices that include cameras and microphones.