A widely used camera-equipped robot vacuum from DJI was found to be exposing live video, audio, and home maps after a DIY experimenter stumbled into a massive authentication flaw, sparking new fears about roving lenses inside private spaces.
The affected model, DJI’s Romo robot vacuum, became the center of an unexpected security incident when software engineer Sammy Azdoufal discovered he could access data from other owners’ devices while trying to make a PlayStation controller steer his own bot. He told The Verge he responsibly reported the issue to DJI. In a twist emblematic of today’s tooling, he also used an AI coding assistant to help modify the protocol used between the vacuum and DJI’s servers.
Unlike a doorbell or a baby monitor, a robot vacuum can roll into bedrooms and home offices. That mobility makes any camera breach more invasive by design, turning a convenience gadget into a potential rolling surveillance node.
How a server-side authentication flaw exposed device data
Based on Azdoufal’s account, the exposure stemmed from a server-side authorization gap: the backend established who was asking, but did not adequately check which device data that account was entitled to see. In practice it appears to be a classic multi-tenant failure, often called broken object-level authorization (BOLA) or an insecure direct object reference: the cloud interface didn’t consistently verify that a requester owned the device they were querying. Issues like this map closely to Broken Object Level Authorization in the OWASP API Security Top 10 and to Insecure Ecosystem Interfaces in the OWASP IoT Top 10.
After building a custom app to pilot his Romo, Azdoufal realized the interface surfaced more than his own vacuum’s telemetry. He could see other users’ 3D floor maps, live video from onboard cameras, and even microphone audio—an intrusive trifecta that goes well beyond the typical spill of metadata. He emphasized that his goal was not to spy; the discovery was incidental and promptly reported.
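To make the bug class concrete, here is an added illustration in Python; it is not DJI’s backend code or Azdoufal’s tooling. It models a toy in-memory device cloud with two tenants, a lookup handler that authenticates the caller but skips the ownership check, the hardened version of the same handler, and a small cross-tenant probe that shows the difference. Device IDs, owners, session tokens and payloads are constructed for the example.

```python
"""Added illustration of broken object-level authorization in a multi-tenant
device backend. Not DJI's code; every identifier below is constructed."""
from dataclasses import dataclass
import hmac
import secrets


@dataclass
class Device:
    device_id: str
    owner: str
    floor_map: str      # stand-in for the 3D map payload
    stream_token: str   # stand-in for a live video/audio stream credential


# Constructed sample tenants: two owners, one device each.
DEVICES = {
    "romo-0001": Device("romo-0001", "alice", "map:alice-apartment", secrets.token_hex(8)),
    "romo-0002": Device("romo-0002", "bob", "map:bob-house", secrets.token_hex(8)),
}

# Constructed session store: bearer token -> already-authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller could not be authenticated (bad or missing token)."""


class Forbidden(Exception):
    """Caller is authenticated but not entitled to the requested object."""


def authenticate(bearer: str) -> str:
    """Resolve a bearer token to a user, comparing in constant time."""
    for token, user in SESSIONS.items():
        if hmac.compare_digest(token, bearer):
            return user
    raise Unauthorized("bad token")


def get_device_data_vulnerable(bearer: str, device_id: str) -> dict:
    """Authenticates the caller, then returns whatever device was asked for.
    The ownership check is missing: any logged-in user can read any device_id."""
    authenticate(bearer)
    dev = DEVICES[device_id]
    return {"map": dev.floor_map, "stream_token": dev.stream_token}


def get_device_data_hardened(bearer: str, device_id: str) -> dict:
    """Same endpoint with object-level authorization: the device must belong to
    the caller. A single generic error covers both 'not yours' and 'no such
    device', so the endpoint cannot be used to enumerate valid IDs."""
    user = authenticate(bearer)
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != user:
        raise Forbidden("no such device for this account")
    return {"map": dev.floor_map, "stream_token": dev.stream_token}


def cross_tenant_probe(bearer: str, handler) -> list:
    """Tenant-isolation check: walk every known device ID as one caller and
    record which ones the handler hands back. A correct backend returns only
    the caller's own devices."""
    readable = []
    for device_id in DEVICES:
        try:
            handler(bearer, device_id)
            readable.append(device_id)
        except Forbidden:
            pass
    return sorted(readable)


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_probe("tok-alice", get_device_data_vulnerable))
    print("hardened:  ", cross_tenant_probe("tok-alice", get_device_data_hardened))
```

The probe is the shape of a regression test worth keeping in a backend’s CI: log in as one tenant, walk every known object ID, and fail the build if anything outside that tenant’s own set comes back. The fix is not in the login step, which both handlers share; it is the one comparison of `dev.owner` against the authenticated user.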
DJI’s response, current status, and what we know now
DJI has restricted access to the vulnerable pathway and says the problem has been patched; Azdoufal’s follow-up testing supports that. The Romo listing also disappeared from DJI’s online store, which suggests the company is reassessing distribution while the incident is reviewed. At the time of writing, DJI has not publicly detailed the root cause or the number of users affected.
Security practitioners say this is a preventable class of bug. Firms like NCC Group and Rapid7 have long warned that cloud backends for smart-home gear are a frequent weak point. Independent audits and certifications—such as the ioXt Alliance profile or UL Solutions’ IoT Security Rating—can help verify that basics like mutual authentication, strict per-object authorization checks, and robust logging are in place. They are a floor rather than a guarantee: an ownership check that is merely inconsistent tends to be caught only by a tenant-isolation test, with one account deliberately trying to read another account’s device.
Why this incident matters for robot vacuums beyond one brand
The Romo case is not happening in a vacuum. Last year, multiple Ecovacs Deebot X2 units in the U.S. were reportedly hijacked to blare slurs over their speakers, underscoring how quickly a household helper can turn hostile. Earlier, an investigation by MIT Technology Review showed how images captured by development versions of iRobot’s Roomba ended up with a third-party data-labeling contractor and were leaked online by gig workers, spotlighting how data can spill even without a live hack.
The broader trend is clear: more robot vacuums now ship with HD cameras and microphones to navigate tight spaces, recognize obstacles, and offer pet check-ins. That upgrades convenience—and the stakes. A mobile camera that maps your living room and peeks under desks is categorically more sensitive than most smart-home sensors.
Regulatory pressure is building, too. The UK’s Product Security and Telecommunications Infrastructure regime now requires connected products to ship without universal default passwords and to publish a vulnerability disclosure policy. In the U.S., the Cyber Trust Mark is rolling out to label consumer IoT that meets baseline protections, and NIST’s IoT baselines (NISTIR 8259A) push vendors toward secure-by-design defaults. Europe’s Cyber Resilience Act, whose main obligations apply from late 2027, will further raise expectations for lifecycle security.
What robot vacuum owners should do right now to stay safe
- Update firmware immediately and keep auto-updates on.
- If your vacuum offers remote viewing, leave it disabled and turn it on only when you need it.
- If there’s no physical shutter, cover the camera when not in use and turn off the microphone in settings.
- Put the vacuum on a guest Wi‑Fi or dedicated IoT network, not the same SSID as work laptops or NAS drives.
- Use strong, unique passwords for the app and enable two-factor authentication.
- If your router supports it, block the device’s internet access except during updates.
- Audit the app’s permissions and the vendor’s data-retention settings.
- Delete stored maps you don’t need, opt out of cloud backups where possible, and review which family members or “skills” have control rights.
- Check whether the vendor offers a bug-bounty or publishes security advisories and transparency reports—signs they take disclosure seriously.
- When buying, prefer models with a hardware privacy shutter, local video processing, and independent security certifications.
- Look for vendors that commit to timely patches and publish a clear support window; long-lived devices with short-lived support are a poor match for a camera on wheels.
The bottom line on this accidental robot vacuum hack
This was an accidental discovery with very real consequences: a single missing ownership check in cloud authorization appears to have opened other owners’ living rooms to strangers, and DJI has not said how many. DJI’s swift mitigation is welcome, but the lesson is broader—if your vacuum can see your life, it deserves the same scrutiny you’d give a security camera. Trust in smart-home robots isn’t a feature; it’s a security practice that must be proven every day.