DJI Romo robot vacuum vulnerability

A critical cloud infrastructure flaw exposed the live camera feeds, microphone audio, and 2D floor plans of consumers to unauthorized remote access. DJI's backend servers inadvertently granted wildcard access[1] to over 10,000 total devices, which included approximately 6,700 DJI Romo robot vacuums and DJI Power portable battery stations.[2] The vulnerability was discovered in late January and patched in February 2026.[3]

Background

DJI launched its first robotic vacuum line, the DJI Romo, in China in August 2025[4] and in Europe in October 2025.[1] The lineup consists of the Romo P, Romo A, and Romo S models[4], priced between €1,299 and €1,899.[5] The vacuums utilize advanced drone obstacle sensing technology, including dual fisheye vision sensors and solid-state LiDAR, managed through the DJI Home app.[5] DJI did not officially launch the Romo in the United States.[5] However, the vulnerability later exposed devices located across the United States, Europe, and China.[6]

Discovery and scope

In early 2026, an engineer named Sammy Azdoufal attempted to build a custom application to control his DJI Romo vacuum using a PlayStation 5 controller. Azdoufal utilized Anthropic's[7] Claude Code AI coding assistant to reverse-engineer the communication protocols between his vacuum and DJI's remote cloud servers.[8][9]

While authenticating his client on DJI's MQTT message broker, Azdoufal used his vacuum's standard 14-digit serial number.[7] He discovered that the broker lacked topic-level access controls.[1] Because of this architectural flaw, his client was treated as the rightful owner of every connected device, allowing him to subscribe to wildcard topics and read the messages of all connected devices in plaintext at the application layer.[3]
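The missing control described above is a broker-side check that a client's subscription filter cannot reach beyond its own device. The following is an added illustration, not DJI's code: it assumes a hypothetical topic layout of `devices/<serial>/<channel>` and shows what a `#` subscription yields on a broker that only performs filter matching versus one that scopes subscriptions to the authenticated serial.

```python
"""Broker-side subscription authorization for a per-device MQTT namespace.

Added illustration, not DJI's code. Assumes hypothetical topics shaped
'devices/<serial>/<channel>', where a client authenticated with a device's
14-digit serial may only see that device's topics.
"""
import re

SERIAL_RE = re.compile(r"^\d{14}$")  # a 14-digit serial, as used by the client

# Constructed sample topics for two devices (serials are made up).
SAMPLE_TOPICS = [
    "devices/00000000000001/camera",
    "devices/00000000000001/floorplan",
    "devices/00000000000002/camera",
]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' is one level, '#' is the remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, lvl in enumerate(f):
        if lvl == "#":
            return True
        if i >= len(t) or (lvl != "+" and lvl != t[i]):
            return False
    return len(f) == len(t)


def authorize_subscribe(client_serial: str, topic_filter: str) -> bool:
    """Allow a filter only if every topic it can match belongs to the client.

    Level 0 must be the literal 'devices' and level 1 the client's own serial;
    a wildcard in either level could reach other owners' devices.
    """
    if not SERIAL_RE.match(client_serial):
        return False
    levels = topic_filter.split("/")
    for i, lvl in enumerate(levels):
        if "#" in lvl and (lvl != "#" or i != len(levels) - 1):
            return False  # '#' may only stand alone as the last level
        if "+" in lvl and lvl != "+":
            return False  # '+' may only occupy a whole level
    return len(levels) >= 2 and levels[0] == "devices" and levels[1] == client_serial


def visible_topics(client_serial, topic_filter, topics, enforce_acl=True):
    """Topics a subscription delivers: with the ACL, or on a broker that,
    like the one described, only performs filter matching."""
    if enforce_acl and not authorize_subscribe(client_serial, topic_filter):
        return []
    return [t for t in topics if topic_matches(topic_filter, t)]
```

With `enforce_acl=False` a `#` filter returns every device's topics; with the check in place the same filter is refused and only `devices/<own serial>/...` filters are served.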

Within nine minutes of connecting, Azdoufal's system cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 messages.[2] The exposed data included live camera feeds, microphone audio, battery status, and generated floor plans.[1] The vulnerability also provided access to DJI Power portable battery stations, which run on the same MQTT infrastructure, bringing the total number of exposed devices to over 10,000.[2] The flaw was strictly limited to devices operating on the consumer DJI Home ecosystem.

DJI's response

DJI stated that it identified the vulnerability affecting DJI Home through an internal review in late January 2026 and initiated remediation immediately.[9] The company deployed two automated patches on February 8 and February 10 to address the wildcard access issue without requiring user action.[1][3]

Consumer response

Consumers mocked DJI's patching timeline after learning about the incident. Users on social media noted that DJI fixed the issue within two days only after facing public embarrassment, suggesting the company had the capability to resolve the flaw much earlier.[10]

The breach contributed to consumer fears regarding surveillance by foreign entities. The vulnerability was contextualized alongside ongoing litigation, such as Texas Attorney General Ken Paxton suing smart TV manufacturers over the unauthorized data collection of connected devices.[11]

References

  1. Medium (February 17, 2026). "DJI Romo Security Breach: Researcher Remotely Accessed 7,000 Home Cameras, and One Hole Remains". Medium.
  2. The Overspill (February 25, 2026). "Robot vacuum world control China start-up". The Overspill.
  3. Smith, Ben (February 24, 2026). "Chinese Tech Flaw Exposed Live Feeds From Thousands of American Homes". RedState.
  4. Singh, Ishveena (October 28, 2025). "DJI Romo new launch US". DroneDJ.
  5. Crumley, Bruce (October 28, 2025). "DJI Romo vacuum Europe". DroneXL.
  6. SCWorld (February 27, 2026). "DJI robot vacuums expose sensitive data due to server vulnerability". SCWorld.
  7. Malwarebytes (February 17, 2026). "Hobby coder accidentally creates vacuum robot army". Malwarebytes.
  8. Inc.com (February 18, 2026). "Huge Robot Vacuum Security Flaw Exposed After 1 Owner Accidentally Controlled Thousands Using an AI Tool". Inc.com.
  9. BroBible (February 24, 2026). "Man Gains Control Of 7,000 Robot Vacuums Using Claude AI". BroBible.
  10. Western Journal (March 27, 2026). "Maybe It Wasn't a Bug: Internet Weighs in After Man Discovered He Could Access 7,000 Robotic Vacuums". Western Journal.
  11. Dallas Express (March 4, 2026). "7,000 DJI Romo Robot Vacuums Hacked: Live Cameras, Floor Plans Exposed in Massive Security Flaw". Dallas Express.