How a man accidentally hacked 7,000 DJI robot vacuum cleaners using PS5 controller

Software engineer Sammy Azdoufal discovered a major security flaw in DJI robot vacuum cleaners, exposing data from about 7,000 devices worldwide. The vulnerability allowed access to live feeds and floor maps, highlighting risks in poorly secured smart home devices.

February 25, 2026 / 16:52 IST
Snapshot AI
  • Engineer finds major flaw in DJI robot vacuum cloud security
  • Vulnerability exposed live feeds and data from 7,000 devices
  • Incident highlights privacy risks of connected home appliances

A routine tech experiment took an unexpected turn when software engineer Sammy Azdoufal unintentionally exposed a significant security flaw affecting thousands of connected robot vacuum cleaners. What began as a playful project to control his own robot with a PS5 controller evolved into the discovery of a cloud vulnerability that allowed access to data from roughly 7,000 DJI robot vacuum cleaners worldwide.

Azdoufal, who works in AI strategy, hooked up his DJI Romo robot vacuum to a PlayStation 5 controller simply because it “sounded fun.” Using the AI coding assistant Claude Code, he reverse-engineered how the Romo communicated with DJI’s remote cloud servers. In the process, he built a custom app to control the robot. But that app didn’t just talk to his own device — it also received responses tied to other Romo units globally.

As Azdoufal explored further, he found that the same app credentials could pull in live camera feeds, microphone audio, battery status, and generated floor maps from thousands of other devices. These robots, designed for automated home cleaning and navigation, contain cameras and sensors that rely on cloud connectivity. Because the backend authentication was poorly secured, responses intended for one device were accessible to any client that could authenticate — which his experimental setup did.

To demonstrate the scope of the issue, a reporter from The Verge gave Azdoufal the serial number of a Romo unit they had been testing. Within minutes, Azdoufal could see that vacuum’s real-time location, floor layout, and status — despite having no direct access to that specific device. This showed how widespread the vulnerability could be.
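
The flaw class described above, where a valid login is treated as permission to read any device's data, is sketched below next to the per-device ownership check that closes it. This is an added illustration, not DJI's backend code: the account names, serial numbers, telemetry records and function names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: which robot serial numbers are bound to which account.
OWNERSHIP = {
    "acct-alice": {"SN-A001"},
    "acct-bob": {"SN-B002"},
}

# Constructed telemetry as a cloud backend might queue it for delivery.
TELEMETRY = [
    {"serial": "SN-A001", "kind": "battery", "value": 81},
    {"serial": "SN-B002", "kind": "floor_map", "value": "map-blob"},
    {"serial": "SN-B002", "kind": "battery", "value": 40},
]

@dataclass(frozen=True)
class Session:
    account: str
    authenticated: bool

def can_read_vulnerable(session, serial):
    # Flawed pattern: authentication alone is treated as authorization.
    return session.authenticated

def can_read_hardened(session, serial):
    # Authentication plus a check that the requested device belongs to the caller.
    return session.authenticated and serial in OWNERSHIP.get(session.account, set())

def deliver(messages, session, requested_serials, policy):
    """Return (delivered, denied): messages the session receives under
    `policy`, and the serials it asked for but was refused (worth logging)."""
    allowed = {s for s in requested_serials if policy(session, s)}
    denied = sorted(set(requested_serials) - allowed)
    delivered = [m for m in messages if m["serial"] in allowed]
    return delivered, denied

if __name__ == "__main__":
    alice = Session("acct-alice", True)
    wanted = ["SN-A001", "SN-B002"]  # her own robot plus someone else's
    for name, policy in (("vulnerable", can_read_vulnerable),
                         ("hardened", can_read_hardened)):
        got, denied = deliver(TELEMETRY, alice, wanted, policy)
        print(name, [m["serial"] for m in got], "denied:", denied)
```

The `denied` list is the detection signal: an account repeatedly requesting serials it does not own is what a backend should alert on.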