
DJI Romo robot vacuum vulnerability: Difference between revisions

From Consumer Rights Wiki
PixelRunner (talk | contribs)
m PixelRunner moved page DJI Robot Vacuum Hack to DJI Romo robot vacuum vulnerability: Misspelled title: Not in sentence case: more descriptive
PixelRunner (talk | contribs)
Add more information
Line 9: Line 9:
|ArticleType=Product
|ArticleType=Product
|Description=DJI vacuum cleaners get accidentally hacked by guy using Claude Code.
|Description=DJI vacuum cleaners get accidentally hacked by guy using Claude Code.
}}
}}A vulnerability in DJI Romo vacuums was discovered in 2025 which would've allowed malicious actors to remotely access and control all of them without hacking into DJI servers.<ref name="Verge">{{Cite web |last=Hollister |first=Sean |date=2026-02-14 |title=The DJI Romo robovac had security so poor, this man remotely accessed thousands of them |url=https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt |work=The Verge}}</ref>
{{Ph-I-Int}}
 
==Background==
==Background==
{{Ph-I-B}}
{{Ph-I-B}}


==[Incident]==
==DJI Romo remote access vulnerability==
{{Ph-I-I}}
In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. As a result of the device utilizing one API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 total devices. He was able to do this by accessing his data on his own device, without hacking a DJI server or sending malware to other vacuums.<ref name="Verge" />
In 2025, Sammy Azdoufal created an app to control his new DJI robot vacuum. As a result of the device utilizing one API key, he had access to 7 thousand of the same vacuum.<ref name="Verge">{{Cite web|url=https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt|title=The DJI Romo robovac had security so poor, this man remotely accessed thousands of them|first=Sean|last=Hollister|date=2026-02-14|work=The Verge}}</ref>


===[Company]'s response===
===DJI's response===
{{Ph-I-ComR}}
{{Ph-I-ComR}}
After this vulnerability was told to DJI by Sammy and The Verge, remote access to the robot was disabled with that key.<ref name="Verge" />
After this vulnerability was told to DJI by Sammy and The Verge, remote access to the robot was disabled with that key. <ref name="Verge" />
 


==Lawsuit==
DJI had responded with this statement:
{{Ph-I-L}}


"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."<ref name="Verge" /> <!-- Do we have a quote format/template? That would be great -->


==Consumer response==
==Consumer response==
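Review bot: in the "DJI's response" section the `{{Ph-I-ComR}}` placeholder template is still present even though the section now has text and a quoted statement under it; remove the template from that section as part of this change. The same applies to the inline comment asking about a quote template: the DJI statement is plain quoted text followed by an HTML comment, so either apply the wiki's quote formatting here or move the question to the talk page.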
Line 31: Line 29:




==References==
==References<!-- Needs archived --><!-- Also could use more sources -->==
{{reflist}}
{{reflist}}
[[Category:DJI]]
[[Category:DJI]]
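Review bot: the two HTML comments ("Needs archived", "Also could use more sources") are placed inside the `==References==` heading markup; put them on their own line under the heading, or on the talk page, so the heading stays plain. The single cited source also has no archive link in the `{{Cite web}}` call, which is what the first comment is asking for.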

Revision as of 13:38, 3 April 2026

Article Status Notice: This Article is a stub


This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.

A vulnerability in DJI Romo vacuums was discovered in 2025 that would have allowed malicious actors to remotely access and control all of them without hacking into DJI servers.[1]

Background



DJI Romo remote access vulnerability

In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. Because the device used a single API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 devices in total. He was able to do this by accessing his own data on his own device, without hacking a DJI server or sending malware to other vacuums.[1]

DJI's response



After Sammy and The Verge reported this vulnerability to DJI, remote access to the robot using that key was disabled.[1]

DJI responded with this statement:

"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."[1]

Consumer response




References

  1. Hollister, Sean (2026-02-14). "The DJI Romo robovac had security so poor, this man remotely accessed thousands of them". The Verge.