How a Software Engineer Gained Control of 7,000 Robot Vacuums Across 24 Countries

Weekend coding project exposed 7,000 robot vacuums across 24 countries, revealing live camera feeds and floor plans

By Alex Barrientos


Key Takeaways


  • DJI Romo vacuum breach exposed 7,000 devices across 24 countries via authentication flaw
  • Hackers accessed live camera feeds, microphones, and detailed home floor plans remotely
  • Multiple DJI patches deployed but security gaps and undisclosed vulnerabilities remain unfixed

Sammy Azdoufal just wanted to control his shiny new DJI Romo robot vacuum with a PlayStation 5 controller. Like any good software engineer with too much time and a $2,000 cleaning robot, he fired up Claude AI to reverse-engineer the DJI Home app’s communication protocols. What started as harmless tinkering turned into something straight out of a cyberpunk nightmare—his authentication token suddenly granted access to roughly 7,000 other Romo vacuums across 24 countries. Your typical Tuesday became an accidental peek into thousands of strangers’ living rooms.

When Smart Homes Become Glass Houses

Live camera feeds and floor plans exposed intimate details of homes worldwide.

Azdoufal discovered he could tap into live camera feeds, eavesdrop through microphones, download detailed floor plans, and even control the vacuums remotely. According to The Verge, which verified the breach, you could map someone’s entire home layout using just their vacuum’s serial number. DJI Power stations also appeared in the exposed data, suggesting the vulnerability ran deeper than just cleaning robots. Think Ring doorbell privacy concerns, but multiplied across every room in your house. This incident highlights the growing surveillance risks that come with connected home devices.

DJI’s Damage Control Efforts

Multiple patches deployed, but initial fixes left security gaps open.

DJI confirmed discovering the backend permission flaw internally in late January 2026, rolling out automatic updates on February 8th and 10th. The company claims the issue is “resolved,” but Azdoufal and The Verge noted that the initial fixes were incomplete. Problems such as PIN-bypass video streaming persisted, and a second, undisclosed severe vulnerability is still awaiting patches. DJI’s response follows the familiar playbook: acknowledge, patch quickly, declare victory—while hoping nobody notices the remaining cracks.

The Bigger Robot Vacuum Security Problem

This incident highlights a disturbing pattern of vulnerabilities in connected cleaning devices.

Robot vacuums have become surveillance liability magnets. Ecovacs devices were compromised in 2024, Dreame units had flaws in 2025, and now DJI joins the hall of shame. The concerning twist? AI coding assistants like Claude are lowering the technical barrier for discovering these exploits.

As humanoid robots from Tesla and others prepare to enter homes with even more sensors and capabilities, this Romo incident serves as a preview of smart home privacy nightmares. Your cleaning schedule shouldn’t come with a side of global surveillance risk.
