Sammy Azdoufal bought a DJI RoboVac robot vacuum and thought it would be fun to control it with a PlayStation controller. Reasonable enough — the thing costs two grand and looks like a small refrigerator on wheels. Why not make it do donuts in the kitchen?
So he fired up an AI coding assistant to reverse-engineer how the vacuum talked to DJI’s cloud servers. Standard DIY tinkering. Except when he logged in, he didn’t just get access to his vacuum. He got access to nearly 7,000 of them — live camera feeds, microphone audio, 2D floor plans, and location data from 24 countries.
Not because he “hacked” anything. Because DJI’s backend security was wide open.
What He Could See (And Didn’t Use)
The credentials that should have verified Azdoufal as the owner of his robot vacuum instead treated him as the owner of thousands. That meant he could:
Watch live camera feeds from inside strangers’ homes
Turn on microphones and listen in
Pull 2D floor plans showing room layouts
Track approximate locations via IP addresses
All without triggering a single alert. The robot vacuum security flaw wasn’t theoretical — it was operational, exploitable, and sitting there waiting for someone less ethical to stumble across it.
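The flaw described above, where a valid login was accepted for devices the account never paired, is shown here as an added example (not DJI's code or API): a flawed check beside an ownership-bound check that also records cross-device attempts so they raise an alert. The account names, device serials, resource names and alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed ownership registry: device serial -> account that paired it.
OWNERS = {"vac-0001": "alice", "vac-0002": "bob", "vac-0003": "carol"}
SENSITIVE = {"camera", "microphone", "floor_plan", "location"}
ALERT_AFTER = 2  # distinct foreign devices requested before an alert (assumed)


def authorize_broken(account, device, resource):
    """Flawed pattern: any authenticated account passes for any known device."""
    return account is not None and device in OWNERS


class Gate:
    """Hardened check: the authenticated account must own the requested device."""

    def __init__(self):
        self.denied = defaultdict(set)  # account -> foreign devices it asked for
        self.alerts = []

    def authorize(self, account, device, resource):
        # Default deny: unauthenticated callers and unknown resources get nothing.
        if account is None or resource not in SENSITIVE:
            return False
        if OWNERS.get(device) == account:
            return True
        # Denied: remember each distinct foreign device so probing is visible.
        seen = self.denied[account]
        if device not in seen:
            seen.add(device)
            if len(seen) == ALERT_AFTER:
                self.alerts.append(f"{account} requested {ALERT_AFTER} devices it does not own")
        return False


# Constructed request sequence: one legitimate request, then two for other homes.
REQUESTS = [
    ("alice", "vac-0001", "camera"),
    ("alice", "vac-0002", "camera"),
    ("alice", "vac-0003", "floor_plan"),
]


def replay(requests):
    """Run each request through both checks; return decisions and alerts."""
    gate = Gate()
    results = [(authorize_broken(*r), gate.authorize(*r)) for r in requests]
    return results, gate.alerts
```

Calling `replay(REQUESTS)` shows the flawed check allowing all three requests while the ownership-bound check allows only the first and raises one alert.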
Azdoufal didn’t exploit it. He contacted The Verge, which contacted DJI. The company says the issue’s been “resolved” through two updates deployed in early February. No user action required — the fix rolled out automatically.
The Problem Isn’t Just DJI
The DJI Romo launched in China last year and is expanding globally. It’s an autonomous vacuum equipped with sensors to navigate rooms, detect obstacles, and distinguish a kitchen from a bedroom. Like most modern robot vacuums, it stores visual data remotely on company servers rather than on the device itself.
That’s where the trouble starts.
For these devices to function, they need constant access to intimate details about your home — room layouts, furniture placement, and daily routines. For a stalker or hacker, that’s a goldmine. And as more households adopt smart home devices (54 million U.S. households as of 2020, according to Parks Associates), the attack surface continues to expand.
The irony: robot vacuums and other smart home gadgets have a long history of questionable security practices, even though they operate in some of our most private spaces.
The Surveillance Creep Is Already Here
The DJI incident landed during a particularly twitchy moment for smart home privacy. Earlier this month, Ring camera owners flooded social media after a controversial ad for the company’s pet-finding “search party” feature was interpreted as a Trojan horse for broader monitoring. Around the same time, reports surfaced that Google retrieved video footage from a Nest Doorbell camera to assist in an abduction investigation — despite earlier indications that the footage had been deleted.
Then there’s the political angle. U.S. lawmakers from both parties have spent years warning that DJI and other Chinese tech manufacturers pose a unique security threat — claims that remain murky but have nonetheless justified banning certain Chinese-made products.
The evidence for those claims is debatable. The fact that DJI left 7,000 robot vacuums wide open for anyone with an AI coding assistant and a weekend project? Less so.
What Comes Next: Humanoid Robots in Your Living Room
The specific types of devices entering homes are becoming more sophisticated. Tesla, Figure, and other companies are racing to build human-like autonomous robots that can live in a home and perform chores. A company called 1X is already retailing one of these humanoids, claiming it can clean dishes and crack walnuts — albeit often with some help from a human.
For any of these at-home robot servants to function effectively, they’ll need unprecedented access to the intimate details of their owners’ homes. And if a $2,000 vacuum can accidentally expose 7,000 households, what happens when the robot can open your fridge, fold your laundry, and listen to every conversation in your house?
AI-powered coding tools — the same ones Azdoufal used — make it easier for people with less technical knowledge to exploit software flaws. That could further amplify the risk.
The Joystick Works Now, By the Way
True to his word, Azdoufal found himself wrapped up in this mess even though all he wanted to do was drive his robot around with a joystick. On that front, mission accomplished.
The security flaw in the robot vacuum has been patched. The larger problem — that we’re inviting surveillance devices into our homes faster than anyone can secure them — remains wide open.