DJI robot vacuum cameras accidentally hacked in security nightmare

February was an eventful month for DJI. The Chinese tech giant, best known for making drones, has stepped up its fight against the US drone ban by suing the FCC. Then the internet broke over an entirely different DJI device: the Romo robot vacuum.
Thousands of Romo vacuums and their live cameras around the world have been hacked – and not by an evil mastermind sitting in a room surrounded by screens, but by a guy trying to get his PS5 controller to control his robot vacuum.
Sammy Azdoufal told The Verge he wasn’t trying to hack someone else’s robot vacuum cleaner. It was just a fun project for the software engineer, who alerted DJI to its massive authentication error, while also sharing how little work it took to get to the ins and outs of a Romo owner’s home.
And yes, AI was involved. Azdoufal specializes in AI strategy; he got help from AI assistant Claude to change the communication protocol between DJI’s servers and his Romo.
After creating a custom app for his PlayStation setup, Azdoufal discovered he was looking at way more than the data from his own robot vacuum cleaner. He had accidentally unlocked the data of thousands of DJI robot vacuum owners around the world.
The information exposed wasn’t just 3D floor plans of houses, which would be bad enough: live camera feeds and audio from the device’s microphone were also accessible.
As of February 24, DJI had fixed the problem by restricting access to the authentication flaw Azdoufal discovered. Meanwhile, the Romo itself appears to have disappeared from the DJI Store online on February 26.
New Fear Unlocked: Your Robot Vacuum as a Spy
Even with this issue resolved, the idea of someone being able to spy on you through your robot vacuum doesn’t exactly build trust in the category as a whole. What if another brand of camera-equipped robot vacuum cleaner had a similar undiscovered security flaw, and what if the person who discovered it wasn’t as kind-hearted as Azdoufal?
We’ve had glimpses of this type of vulnerability in the past. In 2024, several Ecovacs Deebot X2 robot vacuum cleaners across the United States were hacked and forced to shout racist slurs at their owners. Other smart home devices with cameras have faced security breaches, from baby monitors to smart doorbells.
But a robot vacuum is the only type of device that moves around your home regularly. That gives this vulnerability a unique sense of foreboding, perhaps enough to provide the plot for a found-footage horror film.
And of course, bad actors have even more opportunities when AI has access to personal information.
I test robot vacuum cleaners for a living, and I really don’t want to be paranoid about using their camera. The live camera is an incredibly comforting robot vacuum feature for pet parents who are worried about leaving their pets home alone.
All the robovacs I tested announced loudly when they were in remote viewing mode. But not all robot vacuums provide this courtesy notification (the DJI Romo, for example, doesn’t).
In any case, if a hacker were able to control the vacuum cleaner’s camera, would it be so difficult for them to turn off the warning? While the problem persists, it might be a good idea to disable your vacuum’s camera, at least when it’s not in use, with the simplest hack: putting tape on it.