Ever get that feeling you’re being watched? Well, if you own a DJI Romo robot vacuum, you weren’t just being paranoid. It turns out your little dirt-sucking friend might have been sharing your deepest, darkest secrets (like how often you actually clean) with about 7,000 other vacuums.
Meet our protagonist, Sammy Azdoufal, a French programmer who committed the heinous crime of wanting to drive his vacuum with a PlayStation controller. A noble goal, surely. In his quest for this pinnacle of home automation, he “accidentally” tore a hole in the fabric of IoT security, exposing thousands of users to, let’s say, unauthorized observation.
The “Oops, I Hacked The World” Button
Don’t picture a scene from a spy movie. Azdoufal didn’t need to rappel from the ceiling or type furiously on three keyboards at once. With the “help” of an AI assistant, he simply used his own legitimate login credentials. The problem? DJI, in its infinite wisdom, had designed its cloud system so that one valid key was basically a master key. It wasn’t a bug; it was a “feature” that gave one curious user access to a global network of devices.
According to reports, here’s what our accidental super-spy could tap into across 24 countries:
- Live video feeds from the vacuums’ cameras. Hope you were dressed!
- Microphone audio. Yes, your vacuum was a great listener.
- Real-time 2D floor maps of users’ homes. Because nothing says privacy like sharing your floor plan with a stranger.
- Juicy telemetry data like battery status and cleaning routes, offering a thrilling look into your daily routines.
As if that wasn’t enough, he also found a PIN bypass for the camera. So much for that extra layer of “security.”
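The flaw described above comes down to authentication without per-device authorization. As an added illustration (not DJI's code and not from the reports; the device IDs, tokens, and function names are all hypothetical), here is that mistake beside a per-device ownership check, with denials logged so that one account poking at other people's devices stands out:

```python
# Hypothetical device cloud, constructed for illustration; not DJI's code.
DEVICE_OWNER = {"vac-001": "alice", "vac-002": "bob", "vac-003": "carol"}  # constructed
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}                        # constructed
STREAMS = {"video", "audio", "map", "telemetry"}


class AccessDenied(Exception):
    pass


def authenticate(token):
    """Map a session token to its account, or refuse."""
    account = SESSIONS.get(token)
    if account is None:
        raise AccessDenied("invalid token")
    return account


def read_stream_flawed(token, device_id, stream):
    """Authentication only: any valid login reaches any existing device."""
    authenticate(token)
    if device_id not in DEVICE_OWNER or stream not in STREAMS:
        raise AccessDenied("no such stream")
    return f"{device_id}/{stream}"


def read_stream_checked(token, device_id, stream, audit):
    """Authentication plus a per-device ownership check; denials are logged."""
    account = authenticate(token)
    if stream not in STREAMS:
        raise AccessDenied("no such stream")
    # Unknown devices fail the same way, so the reply does not confirm device IDs.
    if DEVICE_OWNER.get(device_id) != account:
        audit.append((account, device_id, stream))
        raise AccessDenied("account is not bound to this device")
    return f"{device_id}/{stream}"


def accounts_probing_foreign_devices(audit, threshold=2):
    """Accounts denied on at least `threshold` distinct devices they do not own."""
    denied = {}
    for account, device_id, _stream in audit:
        denied.setdefault(account, set()).add(device_id)
    return sorted(a for a, devices in denied.items() if len(devices) >= threshold)
```
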
Certifiably Secure, Practically Useless
Here’s the best part. DJI proudly advertised that these vacuums were dripping with security certifications from ETSI, EU, and UL. These prestigious-sounding acronyms, however, proved to be about as effective as a screen door on a submarine. The fact that a single hobbyist could unravel their “security” with a gamepad and some curiosity raises the question: what exactly are these certifications certifying?
It seems these certifications are the tech equivalent of a “participant” ribbon—looks nice on the box, but doesn’t mean you actually won anything. Or, in this case, secured anything.
Clean Up on Aisle 7,000
After Azdoufal’s initial attempts to contact DJI were met with the corporate equivalent of a dial tone, he went to the media. Shockingly, that got their attention! DJI quickly rolled out patches and paid Azdoufal a $30,000 bug bounty. Some might call it a reward for responsible disclosure. A more cynical person might call it the going rate for not publicizing how to turn 7,000 robot vacuums into a spy network.
This whole debacle serves as a beautiful, terrifying reminder of the world we’re building. We fill our homes with “smart” devices that have more cameras and microphones than a reality TV show set, all protected by little more than a flimsy promise and a worthless certificate.
So next time your robot vacuum bumps into your foot, just remember: it might be a clumsy accident, or it might be sizing you up. You can never be too sure.
Sources
Yeah, I don’t just make this stuff up. Here’s the proof:
- https://www.theverge.com/news/890982/dji-pay-sammy-azdoufal-robot-vacuum-hack-romo-security
- https://www.tomshardware.com/tech-industry/cyber-security/engineer-receives-usd30-000-for-exposing-a-vulnerability-affecting-7-000-robot-vacuum-cleaners-tinkerer-just-wanted-to-drive-his-robot-vacuum-with-a-ps5-controller
- https://www.webpronews.com/dji-offered-a-hacker-100-to-keep-quiet-about-a-robot-vacuum-security-flaw-he-said-no/
- https://www.businessstory.org/2026/03/06/dji-is-set-to-compensate-the-individual-who-inadvertently-hacked-7000-romo-robovacs-with-30000/
- https://techstory.in/dji-compensates-engineer-who-accidentally-hacked-7000-vacuums/
- https://www.malwarebytes.com/blog/news/2026/02/hobby-coder-accidentally-creates-vacuum-robot-army
- https://www.wespeakiot.com/blatant-design-flaw-how-djis-romo-robot-vacuum-became-a-global-security-risk/
