A software engineer’s playful attempt to steer his DJI Romo robot vacuum with a PlayStation 5 controller spiraled into a major security revelation, granting unintended access to roughly 7,000 devices worldwide and spotlighting vulnerabilities in smart home gadgets.
Sammy Azdoufal, an AI strategy specialist, said he aimed only to tinker with his own unit, enlisting the AI assistant Claude to modify the communication protocol linking the vacuum to DJI’s servers. However, a backend authentication flaw treated his device token as valid for thousands of others across more than 20 countries.
The breach exposed sensitive data, including live camera feeds, microphone audio, detailed floor plans, room layouts, battery levels, cleaning status, and device locations. In one instance, Azdoufal reportedly viewed a journalist’s vacuum operating in their living room in real time.
Azdoufal notified DJI, a Chinese company, which restricted the loophole by February 24, 2026. Two days later, the Romo model disappeared from DJI’s online store.
DJI confirmed a permission issue in its MQTT communication system and deployed automatic updates to secure the network. No widespread misuse was reported, but the incident underscores how everyday connected devices can become cyberattack vectors, especially those roaming homes with cameras and microphones.
This isn’t the first such scare.
In 2024, hackers commandeered Chinese-made Ecovacs Deebot X2 robot vacuums in U.S. locations including Minnesota, Los Angeles, and El Paso, steering them remotely and blaring racial slurs through their speakers.
Minnesota lawyer Daniel Swenson recalled his device malfunctioning while he watched TV with his family. “It sounded like a broken-up radio signal or something. You could hear snippets of maybe a voice,” he said, per ABC News.
After resetting it, the vacuum moved again, screaming obscenities like “F*** n******s” in front of his 13-year-old son. “I got the impression it was a kid, maybe a teenager,” Swenson added.
He worried about silent surveillance. “It was shock. And then it was like almost fear, disgust.”
The family kept the robot near their bathroom, heightening privacy fears. “Our youngest kids take showers in there. I just thought of it catching my kids, or even me, you know, not dressed.”
In LA, a hacked unit chased a dog while spewing abuse; in El Paso, another broadcast slurs late at night. Security researchers had warned Ecovacs months earlier about flaws, including a four-digit PIN that could be bypassed to access video feeds and remote controls.
Experts say such flaws highlight broader risks. Threat actors could escalate from data theft to real-world harms, such as tampering with thermostats during winter to extort victims or to sabotage a nation-state. Regulations offer some safeguards: California’s IoT Security Law mandates reasonable protections, while the EU’s Cyber Resilience Act requires security-by-design for digital products.
Companies that manufacture hardware or software to be connected to real-world devices in consumers’ homes should integrate these threats into assessments, contracts, exercises, and response plans, according to an editorial from the International Association of Privacy Professionals. For consumers, the DJI and Ecovacs cases serve as a reminder: Devices promising convenience can invite unseen observers into private spaces if security lags behind innovation.
In Texas, Attorney General Ken Paxton has launched a legal battle against five major television manufacturers that allegedly use smart TV technology to spy on consumers. The lawsuits claim that the manufacturers harvest viewing data without users’ knowledge or consent.
“Companies, especially those connected to the Chinese Communist Party, have no business illegally recording Americans’ devices inside their own homes,” Paxton said in a statement. He called the conduct “invasive, deceptive, and unlawful.”