DJI Romo robot vacuum vulnerability: Difference between revisions

(One intermediate revision by the same user not shown)

Line 1:

~~{{stub}}~~

{{IncidentCargo

|Company=DJI

|StartDate=2026-02-22

|StartDate=2026-01-25

|EndDate=2026-02-22

|EndDate=2026-02-10

|Status=Resolved

|ProductLine=DJI

|ProductLine=DJI Romo, DJI Power

|Product=DJI Romo

|Product=DJI Romo P, DJI Romo A, DJI Romo S, DJI Power

|ArticleType=~~Product~~

|ArticleType=Incident

|Description=~~DJI vacuum cleaners get accidentally hacked by guy using Claude Code.~~

|Type=Security Vulnerability

}}A vulnerability in [[DJI~~]] Romo vacuums was discovered in 2025 which would~~'~~ve allowed malicious actors to remotely access~~ and ~~control all of them without hacking into DJI servers.<ref name="Verge">{{Cite web |last=Hollister |first=Sean |date=2026-02-14 |title=The DJI Romo robovac had security so poor~~, ~~this man remotely accessed thousands of them |url=https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-~~remote~~-control-camera-~~access~~-mqtt |work=The Verge~~}}~~</ref>~~

|Description=A vulnerability in DJI's MQTT message broker exposed live camera feeds and 2D floor plans from over 10,000 devices to unauthorized remote access.

}}

==~~Background~~==

A critical cloud infrastructure flaw exposed the live camera feeds, microphone audio, and 2D floor plans of consumers to unauthorized remote access. DJI's backend servers inadvertently granted wildcard access<ref name="Medium">{{Cite web |author=Medium |date=February 17, 2026 |title=DJI Romo Security Breach: Researcher Remotely Accessed 7,000 Home Cameras, and One Hole Remains |url=https://medium.com/@hayekesteloo/dji-romo-security-breach-researcher-remotely-accessed-7-000-home-cameras-and-one-hole-remains-f6e0114f11cf |work=Medium}}</ref> to over 10,000 total devices, which included approximately 6,700 DJI Romo robot vacuums and DJI Power portable battery stations.<ref name="Overspill">{{Cite web |author=The Overspill |date=February 25, 2026 |title=Robot vacuum world control China start-up |url=https://theoverspill.blog/2026/02/25/robot-vacuum-world-control-china-start-up-2617/ |work=The Overspill}}</ref> The vulnerability was discovered in late January and patched in February 2026.<ref name="RedState">{{Cite web |last=Smith |first=Ben |date=February 24, 2026 |title=Chinese Tech Flaw Exposed Live Feeds From Thousands of American Homes |url=https://redstate.com/ben-smith/2026/02/24/chinese-tech-flaw-exposed-live-feeds-from-thousands-of-american-homes-n2199504 |work=RedState}}</ref>

==~~DJI Romo remote access vulnerability~~==

== Background ==

In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. As a result of the device utilizing one API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 total devices. He was able to do this by accessing his data on his own device, without hacking a DJI server or sending malware to other vacuums.<ref name="Verge" />

===DJI~~'s response~~===

DJI launched its first robotic vacuum line, the DJI Romo, in China in August 2025<ref name="DroneDJ">{{Cite web |last=Singh |first=Ishveena |date=October 28, 2025 |title=DJI Romo new launch US |url=https://dronedj.com/2025/10/28/dji-romo-new-launch-us/ |work=DroneDJ}}</ref> and in Europe in October 2025.<ref name="Medium" /> The lineup consists of the Romo P, Romo A, and Romo S models<ref name="DroneDJ" />, priced between €1,299 and €1,899.<ref name="DroneXL">{{Cite web |last=Crumley |first=Bruce |date=October 28, 2025 |title=DJI Romo vacuum Europe |url=https://dronexl.co/2025/10/28/dji-romo-vacuum-europe/ |work=DroneXL}}</ref> The vacuums utilize advanced drone obstacle sensing technology, including dual fisheye vision sensors and solid-state LiDAR, managed through the DJI Home app.<ref name="DroneXL" /> DJI did not officially launch the Romo in the United States.<ref name="DroneXL" /> However, the vulnerability later exposed devices located across the United States, Europe, and China.<ref name="SCWorld">{{Cite web |author=SCWorld |date=February 27, 2026 |title=DJI robot vacuums expose sensitive data due to server vulnerability |url=https://www.scworld.com/brief/dji-robot-vacuums-expose-sensitive-data-due-to-server-vulnerability |work=SCWorld}}</ref>

~~After this vulnerability was told to~~ DJI ~~by Sammy and The Verge~~, ~~remote access to~~ the ~~robot was disabled with that key~~. <ref name="~~Verge~~" />

~~DJI had responded with this statement:~~

== Discovery and scope ==

"DJI ~~identified~~ a ~~vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately~~. ~~The issue was addressed through two updates~~, ~~with an initial patch deployed on February 8 and a follow~~-~~up update completed on February 10. The fix was deployed automatically,~~ and ~~no user action is required~~."<ref name="~~Verge~~" />

In early 2026, an engineer named Sammy Azdoufal attempted to build a custom application to control his DJI Romo vacuum using a PlayStation 5 controller. Azdoufal utilized Anthropic's<ref name="Malwarebytes">{{Cite web |author=Malwarebytes |date=February 17, 2026 |title=Hobby coder accidentally creates vacuum robot army |url=https://www.malwarebytes.com/blog/news/2026/02/hobby-coder-accidentally-creates-vacuum-robot-army |work=Malwarebytes}}</ref> Claude Code AI coding assistant to reverse-engineer the communication protocols between his vacuum and DJI's remote cloud servers.<ref name="Inc">{{Cite web |author=Inc.com |date=February 18, 2026 |title=Huge Robot Vacuum Security Flaw Exposed After 1 Owner Accidentally Controlled Thousands Using an AI Tool |url=https://www.inc.com/leila-sheridan/huge-robot-vacuum-security-flaw-exposed-after-1-owner-accidentally-controlled-thousands-using-an-ai-tool/91304719 |work=Inc.com}}</ref><ref name="BroBible">{{Cite web |author=BroBible |date=February 24, 2026 |title=Man Gains Control Of 7,000 Robot Vacuums Using Claude AI |url=https://brobible.com/culture/article/man-gains-control-7000-robot-vacuums-using-claude-ai/ |work=BroBible}}</ref>

==~~Consumer response~~==

While authenticating his client on DJI's MQTT message broker, Azdoufal used his vacuum's standard 14-digit serial number.<ref name="Malwarebytes" /> He discovered that the broker lacked topic-level access controls.<ref name="Medium" /> This architectural flaw meant his client was treated as their respective owner, allowing him to subscribe to wildcard topics and access the messages of all connected devices in plaintext at the application layer.<ref name="RedState" />

~~{{Ph-I-ConR}}~~

Within nine minutes of connecting, Azdoufal's system cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 messages.<ref name="Overspill" /> The exposed data included live camera feeds, microphone audio, battery status, and generated floor plans.<ref name="Medium" /> The vulnerability also provided access to DJI Power portable battery stations, which run on the same MQTT infrastructure, bringing the total number of exposed devices to over 10,000.<ref name="Overspill" /> The flaw was strictly limited to devices operating on the consumer DJI Home ecosystem.

=== DJI's response ===

DJI stated that it identified the vulnerability affecting DJI Home through an internal review in late January 2026 and initiated remediation immediately.<ref name="BroBible" /> The company deployed two automated patches on February 8 and February 10 to address the wildcard access issue without requiring user action.<ref name="Medium" /><ref name="RedState" />

== Consumer response ==

Consumers mocked DJI's patching timeline after learning about the incident. Users on social media noted that DJI only fixed the issue in two days after facing public embarrassment, suggesting the company had the capability to resolve the flaw much earlier.<ref name="WesternJournal">{{Cite web |author=Western Journal |date=March 27, 2026 |title=Maybe It Wasn't a Bug: Internet Weighs in After Man Discovered He Could Access 7,000 Robotic Vacuums |url=https://www.westernjournal.com/maybe-wasnt-bug-internet-weighs-man-discovered-access-7000-robotic-vacuums/ |work=Western Journal}}</ref>

The breach contributed to consumer fears regarding surveillance by foreign entities. The vulnerability was contextualized alongside ongoing litigation, such as Texas Attorney General Ken Paxton suing smart TV manufacturers over the unauthorized data collection of connected devices.<ref name="DallasExpress">{{Cite web |author=Dallas Express |date=March 4, 2026 |title=7,000 DJI Romo Robot Vacuums Hacked: Live Cameras, Floor Plans Exposed in Massive Security Flaw |url=https://dallasexpress.com/national/7000-dji-romo-robot-vacuums-hacked-live-cameras-floor-plans-exposed-in-massive-security-flaw/ |work=Dallas Express}}</ref>

== References ==

~~==References==~~

[[Category:DJI]]

[[Category:Security Vulnerability]]

@@ Line 1: / Line 1: @@
-{{stub}}
 {{IncidentCargo
 |Company=DJI
-|StartDate=2026-02-22
+|StartDate=2026-01-25
-|EndDate=2026-02-22
+|EndDate=2026-02-10
 |Status=Resolved
-|ProductLine=DJI
+|ProductLine=DJI Romo, DJI Power
-|Product=DJI Romo
+|Product=DJI Romo P, DJI Romo A, DJI Romo S, DJI Power
-|ArticleType=Product
+|ArticleType=Incident
-|Description=DJI vacuum cleaners get accidentally hacked by guy using Claude Code.
+|Type=Security Vulnerability
-}}A vulnerability in [[DJI]] Romo vacuums was discovered in 2025 which would've allowed malicious actors to remotely access and control all of them without hacking into DJI servers.<ref name="Verge">{{Cite web |last=Hollister |first=Sean |date=2026-02-14 |title=The DJI Romo robovac had security so poor, this man remotely accessed thousands of them |url=https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt |work=The Verge}}</ref>
+|Description=A vulnerability in DJI's MQTT message broker exposed live camera feeds and 2D floor plans from over 10,000 devices to unauthorized remote access.
+}}
-==Background==
+A critical cloud infrastructure flaw exposed the live camera feeds, microphone audio, and 2D floor plans of consumers to unauthorized remote access. DJI's backend servers inadvertently granted wildcard access<ref name="Medium">{{Cite web |author=Medium |date=February 17, 2026 |title=DJI Romo Security Breach: Researcher Remotely Accessed 7,000 Home Cameras, and One Hole Remains |url=https://medium.com/@hayekesteloo/dji-romo-security-breach-researcher-remotely-accessed-7-000-home-cameras-and-one-hole-remains-f6e0114f11cf |work=Medium}}</ref> to over 10,000 total devices, which included approximately 6,700 DJI Romo robot vacuums and DJI Power portable battery stations.<ref name="Overspill">{{Cite web |author=The Overspill |date=February 25, 2026 |title=Robot vacuum world control China start-up |url=https://theoverspill.blog/2026/02/25/robot-vacuum-world-control-china-start-up-2617/ |work=The Overspill}}</ref> The vulnerability was discovered in late January and patched in February 2026.<ref name="RedState">{{Cite web |last=Smith |first=Ben |date=February 24, 2026 |title=Chinese Tech Flaw Exposed Live Feeds From Thousands of American Homes |url=https://redstate.com/ben-smith/2026/02/24/chinese-tech-flaw-exposed-live-feeds-from-thousands-of-american-homes-n2199504 |work=RedState}}</ref>
-{{Ph-I-B}}
-==DJI Romo remote access vulnerability==
+== Background ==
-In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. As a result of the device utilizing one API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 total devices. He was able to do this by accessing his data on his own device, without hacking a DJI server or sending malware to other vacuums.<ref name="Verge" />
-===DJI's response===
+DJI launched its first robotic vacuum line, the DJI Romo, in China in August 2025<ref name="DroneDJ">{{Cite web |last=Singh |first=Ishveena |date=October 28, 2025 |title=DJI Romo new launch US |url=https://dronedj.com/2025/10/28/dji-romo-new-launch-us/ |work=DroneDJ}}</ref> and in Europe in October 2025.<ref name="Medium" /> The lineup consists of the Romo P, Romo A, and Romo S models<ref name="DroneDJ" />, priced between €1,299 and €1,899.<ref name="DroneXL">{{Cite web |last=Crumley |first=Bruce |date=October 28, 2025 |title=DJI Romo vacuum Europe |url=https://dronexl.co/2025/10/28/dji-romo-vacuum-europe/ |work=DroneXL}}</ref> The vacuums utilize advanced drone obstacle sensing technology, including dual fisheye vision sensors and solid-state LiDAR, managed through the DJI Home app.<ref name="DroneXL" /> DJI did not officially launch the Romo in the United States.<ref name="DroneXL" /> However, the vulnerability later exposed devices located across the United States, Europe, and China.<ref name="SCWorld">{{Cite web |author=SCWorld |date=February 27, 2026 |title=DJI robot vacuums expose sensitive data due to server vulnerability |url=https://www.scworld.com/brief/dji-robot-vacuums-expose-sensitive-data-due-to-server-vulnerability |work=SCWorld}}</ref>
-{{Ph-I-ComR}}
-After this vulnerability was told to DJI by Sammy and The Verge, remote access to the robot was disabled with that key. <ref name="Verge" />
-DJI had responded with this statement:
+== Discovery and scope ==
-"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."<ref name="Verge" /> <!-- Do we have a quote format/template? That would be great -->
+In early 2026, an engineer named Sammy Azdoufal attempted to build a custom application to control his DJI Romo vacuum using a PlayStation 5 controller. Azdoufal utilized Anthropic's<ref name="Malwarebytes">{{Cite web |author=Malwarebytes |date=February 17, 2026 |title=Hobby coder accidentally creates vacuum robot army |url=https://www.malwarebytes.com/blog/news/2026/02/hobby-coder-accidentally-creates-vacuum-robot-army |work=Malwarebytes}}</ref> Claude Code AI coding assistant to reverse-engineer the communication protocols between his vacuum and DJI's remote cloud servers.<ref name="Inc">{{Cite web |author=Inc.com |date=February 18, 2026 |title=Huge Robot Vacuum Security Flaw Exposed After 1 Owner Accidentally Controlled Thousands Using an AI Tool |url=https://www.inc.com/leila-sheridan/huge-robot-vacuum-security-flaw-exposed-after-1-owner-accidentally-controlled-thousands-using-an-ai-tool/91304719 |work=Inc.com}}</ref><ref name="BroBible">{{Cite web |author=BroBible |date=February 24, 2026 |title=Man Gains Control Of 7,000 Robot Vacuums Using Claude AI |url=https://brobible.com/culture/article/man-gains-control-7000-robot-vacuums-using-claude-ai/ |work=BroBible}}</ref>
-==Consumer response==
+While authenticating his client on DJI's MQTT message broker, Azdoufal used his vacuum's standard 14-digit serial number.<ref name="Malwarebytes" /> He discovered that the broker lacked topic-level access controls.<ref name="Medium" /> This architectural flaw meant his client was treated as their respective owner, allowing him to subscribe to wildcard topics and access the messages of all connected devices in plaintext at the application layer.<ref name="RedState" />
-{{Ph-I-ConR}}
+Within nine minutes of connecting, Azdoufal's system cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 messages.<ref name="Overspill" /> The exposed data included live camera feeds, microphone audio, battery status, and generated floor plans.<ref name="Medium" /> The vulnerability also provided access to DJI Power portable battery stations, which run on the same MQTT infrastructure, bringing the total number of exposed devices to over 10,000.<ref name="Overspill" /> The flaw was strictly limited to devices operating on the consumer DJI Home ecosystem.
+=== DJI's response ===
+DJI stated that it identified the vulnerability affecting DJI Home through an internal review in late January 2026 and initiated remediation immediately.<ref name="BroBible" /> The company deployed two automated patches on February 8 and February 10 to address the wildcard access issue without requiring user action.<ref name="Medium" /><ref name="RedState" />
+== Consumer response ==
+Consumers mocked DJI's patching timeline after learning about the incident. Users on social media noted that DJI only fixed the issue in two days after facing public embarrassment, suggesting the company had the capability to resolve the flaw much earlier.<ref name="WesternJournal">{{Cite web |author=Western Journal |date=March 27, 2026 |title=Maybe It Wasn't a Bug: Internet Weighs in After Man Discovered He Could Access 7,000 Robotic Vacuums |url=https://www.westernjournal.com/maybe-wasnt-bug-internet-weighs-man-discovered-access-7000-robotic-vacuums/ |work=Western Journal}}</ref>
+The breach contributed to consumer fears regarding surveillance by foreign entities. The vulnerability was contextualized alongside ongoing litigation, such as Texas Attorney General Ken Paxton suing smart TV manufacturers over the unauthorized data collection of connected devices.<ref name="DallasExpress">{{Cite web |author=Dallas Express |date=March 4, 2026 |title=7,000 DJI Romo Robot Vacuums Hacked: Live Cameras, Floor Plans Exposed in Massive Security Flaw |url=https://dallasexpress.com/national/7000-dji-romo-robot-vacuums-hacked-live-cameras-floor-plans-exposed-in-massive-security-flaw/ |work=Dallas Express}}</ref>
+== References ==
-==References<!-- Needs archived --><!-- Also could use more sources -->==
 {{reflist}}
 [[Category:DJI]]
+[[Category:Security Vulnerability]]