In what might be the most spectacular own-goal in the recent history of IoT security, a software engineer has accidentally stumbled into “god-mode” access for roughly 7,000 DJI robot vacuums across 24 countries. The researcher, Sammy Azdoufal, wasn’t actually looking to lead a domestic robot uprising; he simply wanted to pilot his new, eye-wateringly expensive DJI Romo vacuum using a PlayStation 5 controller. Because, frankly, why wouldn’t you?
To make this modern-day tinkerer’s dream a reality, Azdoufal enlisted an AI coding assistant to help reverse-engineer the robot’s communication protocols. After successfully extracting his own device’s authentication token, he connected to DJI’s servers. But instead of a quiet “hello” from his solitary floor-scrubbing sidekick, an army of approximately 7,000 robots answered the call. The security hole granted him access to live camera and microphone feeds, real-time 2D floor plans of users’ homes, and the device status of thousands of entirely oblivious owners.
The root of the problem was a security oversight so basic it’s almost impressive. DJI’s backend servers authenticated the user’s token but apparently forgot the most crucial next step: verifying that the user actually owned the specific device they were trying to access. It was the digital equivalent of a master key that works on every front door in the country. Azdoufal noted that he “didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” highlighting the fact that he essentially just walked through a door that had been left wide open.
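The gap described above is a missing object-level authorization check: the server verified who the caller was but not whether the caller owned the device in the request. As an added illustration that is not DJI's code (every name, token and device id below is constructed for the example), here is a handler with that gap beside the fixed version, plus a small log check a defender can use to spot reads of devices the caller does not own:

```python
# Constructed sample state for the illustration (not real credentials or ids).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}        # session token -> user id
DEVICES = {                                               # device id -> record
    "vac-001": {"owner": "alice", "floorplan": "alice-2d-map"},
    "vac-002": {"owner": "bob", "floorplan": "bob-2d-map"},
}


class AuthError(Exception):
    """Token missing or invalid (authentication failed)."""


class Forbidden(Exception):
    """Caller is authenticated but not allowed to reach this object."""


def authenticate(token: str) -> str:
    """Step one: map a bearer token to a user id, or fail."""
    try:
        return TOKENS[token]
    except KeyError:
        raise AuthError("invalid token") from None


def get_device_vulnerable(token: str, device_id: str) -> dict:
    """The flaw the article describes: the token is checked, but the device
    is then looked up by id alone, so any valid user can read any device."""
    authenticate(token)
    return DEVICES[device_id]


def get_device_fixed(token: str, device_id: str) -> dict:
    """Server-side fix: after authentication, verify that the caller owns the
    requested object before returning it (object-level authorization)."""
    user = authenticate(token)
    device = DEVICES.get(device_id)
    # Missing and foreign devices get the same answer so ids cannot be enumerated.
    if device is None or device["owner"] != user:
        raise Forbidden("no such device for this account")
    return device


def foreign_device_reads(access_log: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Detection aid: given (user, device_id) pairs from a request log, return
    the reads where the device's owner is not the requesting user."""
    return [(u, d) for u, d in access_log
            if d in DEVICES and DEVICES[d]["owner"] != u]
```

Because the fix lives entirely in the server's lookup, deploying it needs no change on the vacuums themselves, which matches the two-day server-side patch the article reports.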
Why does this matter?
This incident is a textbook example of the perils of modern smart home security. We are increasingly inviting devices with intimate access to our private lives—complete with eyes and ears—into our homes, only to find they are sometimes secured with the digital equivalent of a flimsy garden gate latch. While the potential for a massive, global privacy breach was staggering, Azdoufal did the decent thing and reported the vulnerability immediately.
To their credit, DJI didn’t muck about. After being notified, the company reportedly patched the critical vulnerability with a server-side fix within two days, requiring no manual updates from the users themselves. While questions remain as to how such a fundamental flaw made it past the drawing board and into production, the swift response prevented a potential disaster. It stands as a sharp lesson for other IoT manufacturers: lock your doors, and perhaps double-check that your keys don’t open every other house on the street.