February has been a turbulent month for DJI. The Chinese tech giant, best known for making drones, escalated its fight against the U.S. drone ban by suing the FCC. Then the internet erupted over an entirely different DJI device: The Romo robot vacuum.
Thousands of Romo vacuums and their live cameras worldwide were hacked — and not by an evil mastermind sitting in a room surrounded by screens, but by a guy trying to get his PS5 controller to control his robot vacuum.
Sammy Azdoufal told The Verge he wasn’t trying to hack anyone else’s robot vacuum. It was merely a fun project for the software engineer, who alerted DJI about its massive authentication slip-up — while sharing how little work it took to access the ins and outs of a Romo owner’s home.
And yes, AI was involved. Azdoufal specializes in AI strategy; he got coding help from AI assistant Claude to change the communication protocol between DJI’s servers and his Romo.
After creating a custom app for his PlayStation setup, Azdoufal discovered he was looking at way more than his own robot vacuum’s data. He’d accidentally unlocked the data of thousands of DJI robot vacuum owners around the world.
The exposed information wasn’t just 3D floor plans of homes, which would be bad enough. But the device’s live camera feeds and microphone audio were also accessible.
Mashable Trend Report
As of Feb. 24, DJI has patched the problem by restricting access to this authentication loophole, Azdoufal found. Meanwhile, the Romo itself appears to have vanished from the online DJI Store, as of Feb. 26.
New fear unlocked: Your robot vacuum as a spy
Even with this issue fixed, the idea that someone could spy on you via your robot vacuum doesn’t exactly boost confidence in the whole category. What if another brand of camera-toting robot vacuum brand has a similar undiscovered security flaw — and what if the person who discovers it isn’t as goodhearted as Azdoufal?
We’ve had glimpses of this kind of vulnerability in the past. In 2024, multiple Ecovacs Deebot X2 robot vacuums across the U.S. were hacked and made to yell racial slurs at owners. Other smart home devices with cameras have faced security breaches, from baby monitors to smart doorbells.
But a robot vacuum is the only kind of device that regularly roves around your home. That gives this vulnerability a unique sense of foreboding, perhaps enough to provide the plot to a found footage horror film.
And of course, there are even more opportunities for bad actors when AI has access to personal info.
I test robot vacuums for a living, and I really don’t want to have to be paranoid about their camera usage. The livestream camera is an incredibly comforting robot vacuum feature for pet parents who get anxious about leaving pets at home alone.
All of the robovacs I’ve tested have announced out loud when they’re in remote viewing mode. But not all robot vacuums provide that courtesy notification (the DJI Romo, for one, does not).
In any case, if a hacker was able to get to the point that they could control the vacuum’s camera, would it be that hard for them to disable the warning? While the issue remains, it might be wise to disable your vacuum’s camera, at least when not in use, with the lowest-tech hack of all: putting tape over it.
Topics
Cybersecurity
Robot Vacuums
