A Spanish software developer unintentionally gained control of thousands of DJI Romo robot vacuums worldwide while experimenting with his own device, shedding light on critical security weaknesses in smart home devices. The developer, Sammy Azdoufal, told CNN that he was attempting to connect his Romo vacuum to a PlayStation controller when he discovered that his application token granted access to other devices connected to DJI’s cloud platform. As a result, he unexpectedly gained control over approximately 7,000 vacuums, accessing live camera feeds, audio input, device locations, and mapping data. While Azdoufal clarified that he had no malicious intent, the incident exposed serious vulnerabilities in cloud access and device authentication for IoT systems.
The access Azdoufal obtained showed that the cloud infrastructure managing the vacuums lacked sufficient permission checks: a single application token could interact with many devices across different countries. After recognizing the potential scope of his unintentional access, he promptly informed DJI of the issue. The company confirmed that a backend permission flaw had enabled the unintended access and moved quickly to patch the vulnerability. DJI stated that updates were already in progress prior to the disclosure and that the cloud systems have now been updated to prevent unauthorized access. The company also emphasized its ongoing commitment to security and its processes for addressing vulnerabilities in its products.
Experts observing the incident highlight that it underscores broader concerns about privacy and security in the rapidly expanding smart home device ecosystem. As devices increasingly connect to cloud services, gaps in authentication and access control can allow even unintended actions to affect large numbers of users. The episode with DJI Romo vacuums demonstrates how cloud-based device management, while convenient, can present significant risks if robust verification and encryption measures are not implemented. Industry observers have emphasized that this incident reinforces the need for stricter security by design, secure token management, and continuous monitoring of device communication to prevent potential breaches.
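The flaw described in the two paragraphs above, a backend that authenticates a token but never checks which devices that token's owner may act on, is a missing object-level authorization check. The following added example (not DJI's code or API; all device ids, tokens and owners are constructed) models such a cloud command endpoint in its flawed and hardened forms, and adds the kind of monitoring rule the text calls for: alerting when one token touches an unusually large number of distinct devices.

```python
"""Constructed model of a cloud command API for fleet devices.
Nothing here is vendor code; names and records are invented for illustration."""

# Constructed ownership records: device id -> account that owns it.
DEVICE_OWNER = {"vac-001": "alice", "vac-002": "bob", "vac-003": "carol"}

# Constructed session tokens: token -> account it was issued to.
TOKEN_USER = {"tok-alice": "alice", "tok-bob": "bob"}


def handle_command_vulnerable(token, device_id, command):
    """Authenticates the token but trusts the caller-supplied device_id.
    Any valid token can therefore command any device in the fleet."""
    if token not in TOKEN_USER:
        return "401 unauthenticated"
    if device_id not in DEVICE_OWNER:
        return "404 unknown device"
    return f"200 {command} sent to {device_id}"


def handle_command_hardened(token, device_id, command):
    """Object-level authorization: the device must belong to the token's user."""
    user = TOKEN_USER.get(token)
    if user is None:
        return "401 unauthenticated"
    # Same response for "missing" and "not yours", so the endpoint does not
    # reveal which device ids exist to callers who are not their owner.
    if DEVICE_OWNER.get(device_id) != user:
        return "404 unknown device"
    return f"200 {command} sent to {device_id}"


def tokens_touching_many_devices(access_log, threshold=3):
    """Monitoring rule over (token, device_id) access records: a consumer
    account normally controls a handful of devices, so one token acting on
    `threshold` or more distinct devices is worth an alert."""
    devices_per_token = {}
    for token, device_id in access_log:
        devices_per_token.setdefault(token, set()).add(device_id)
    return sorted(t for t, devs in devices_per_token.items() if len(devs) >= threshold)


if __name__ == "__main__":
    # Alice's token asking for Bob's device: accepted by the flawed handler,
    # refused by the hardened one.
    print(handle_command_vulnerable("tok-alice", "vac-002", "camera_stream"))
    print(handle_command_hardened("tok-alice", "vac-002", "camera_stream"))
    log = [("tok-alice", "vac-001"), ("tok-alice", "vac-002"),
           ("tok-alice", "vac-003"), ("tok-bob", "vac-002")]
    print(tokens_touching_many_devices(log))
```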
Azdoufal’s experience also raises awareness about responsible disclosure in technology development. By reporting the vulnerability immediately, he allowed DJI to remediate the flaw before it could be exploited for malicious purposes. The episode demonstrates the importance of collaborative efforts between developers and manufacturers to maintain privacy and security across IoT devices. It also serves as a cautionary tale for users and organizations deploying connected devices, highlighting that even non-malicious experiments can inadvertently expose sensitive data. As smart home and robotic devices become more integrated into daily life, this incident emphasizes the need for continuous security vigilance, transparent reporting mechanisms, and robust safeguards to protect user data across interconnected platforms.