Software Engineer Accidentally Takes Control of 7,000 Robot Vacuums, Exposing Massive IoT Security Flaw
TripleG News
20h ago
Software engineer Sammy Azdoufal set out to control his new DJI Romo robot vacuum with a PlayStation 5 controller, enlisting an AI coding assistant to reverse-engineer the device's communication with DJI's cloud servers. What began as a hobby project escalated when a backend authentication flaw caused his single security token to be accepted for approximately 7,000 vacuums across 24 countries: the backend confirmed who he was but never checked which devices that token was actually entitled to reach. With it, Azdoufal could view live camera feeds, activate microphones, pull the detailed 2D floor plans the vacuums build of their owners' homes, and even remotely steer the devices, all through capabilities intended for navigation and voice commands.
Rather than exploit the flaw, Azdoufal responsibly reported it to DJI and to media outlets including The Verge and Popular Science, and the company patched it promptly. His wife began covering the vacuum's camera out of privacy concerns, a reminder of the immediate personal stakes. DJI has not publicly commented, but the episode echoes recent smart home controversies such as cloud-stored footage from Google Nest devices and Amazon Ring's surveillance partnerships.
This 'accidental hack' reveals profound risks in the Internet of Things (IoT) ecosystem, where everyday appliances like vacuums double as surveillance tools with weak authentication. Cybersecurity reports, including Thales' 2026 Data Threat Report, warn that AI integration amplifies these dangers, with credential theft as the top cloud attack vector and only 34% of organizations tracking sensitive data locations. As AI coding tools lower barriers for discovering flaws, experts like those at S&P Global's 451 Research call for a paradigm shift in identity governance and encryption to prevent scaled exploits.
Looking ahead, consumers should treat new smart devices cautiously (letting early adopters surface the bugs), while manufacturers prioritize least-privilege access and robust token validation, including a check that every token is bound to the specific account and device it is being used for. The vulnerability is now fixed for DJI Romo, but similar flaws likely lurk in other connected gadgets, and the episode is a push for the industry to adopt proactive security as AI agents spread through homes and enterprises.
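The pattern described above, a backend that verifies the caller's token but not the caller's relationship to the device being addressed, is easier to see in code than in prose. The following is an added example written for this page; it is not DJI's code and makes no claim about how the Romo backend was actually built. The device table, the HMAC-signed token format, the hard-coded demo key and the handler names are all constructed for illustration. The vulnerable handler reproduces the flaw the article describes (one valid token reaches every device), and the hardened handler adds the ownership check the closing paragraph calls for.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed sample fleet: three hypothetical vacuums with their owners.
# Sequential ids are used deliberately; they are trivial to enumerate.
DEVICES = {
    "vac-0001": {"owner": "alice"},
    "vac-0002": {"owner": "bob"},
    "vac-0003": {"owner": "carol"},
}

# Hypothetical server-side signing key for the demo only.
# A real backend would load this from a secret store, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-use"

Response = Tuple[int, str]  # (HTTP-style status, body)


def issue_token(user: str) -> str:
    """Mint a bearer token of the form user:nonce:mac, signed by the server."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user the token was issued to, or None if the MAC is bad.

    This is *authentication*: it proves the token came from us. It says
    nothing about which devices the user is allowed to touch.
    """
    try:
        user, nonce, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def get_camera_vulnerable(token: str, device_id: str) -> Response:
    """Flawed handler: any valid token can open any device's camera feed."""
    user = verify_token(token)
    if user is None:
        return 401, "bad token"
    if device_id not in DEVICES:
        return 404, "no such device"
    # Missing: is `user` actually the owner of `device_id`?
    return 200, f"camera feed of {device_id}"


def get_camera_fixed(token: str, device_id: str) -> Response:
    """Hardened handler: the token must belong to the device's owner."""
    user = verify_token(token)
    if user is None:
        return 401, "bad token"
    device = DEVICES.get(device_id)
    # Return the same 404 for unknown and foreign devices so a caller
    # cannot use the status code to enumerate which ids exist.
    if device is None or device["owner"] != user:
        return 404, "no such device"
    return 200, f"camera feed of {device_id}"


def count_reachable(handler: Callable[[str, str], Response], token: str) -> int:
    """How many devices one token can reach: the number that made the flaw serious."""
    return sum(1 for device_id in DEVICES if handler(token, device_id)[0] == 200)


if __name__ == "__main__":
    alice = issue_token("alice")
    print("vulnerable:", count_reachable(get_camera_vulnerable, alice), "of", len(DEVICES))
    print("fixed:     ", count_reachable(get_camera_fixed, alice), "of", len(DEVICES))
```

The important line is the ownership comparison in the hardened handler: authentication answers "who is calling?", and only the per-object check answers "may this caller act on this device?". A fleet API that stops at the first question behaves exactly like the one in the story, where a single token scaled to thousands of homes. Returning an identical 404 for foreign and nonexistent ids is a small extra that keeps the endpoint from doubling as a device-id oracle.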