DJI Romo robot vacuum vulnerability

From Consumer Rights Wiki
Revision as of 13:38, 3 April 2026 by PixelRunner (talk | contribs) (Add more information)

Article Status Notice: This Article is a stub


This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.

A vulnerability in DJI Romo vacuums was discovered in 2025 that would have allowed malicious actors to remotely access and control all of them without hacking into DJI servers.[1]

Background


DJI Romo remote access vulnerability

In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. Because the device utilized one API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 devices in total. He was able to do this by accessing his own data on his own device, without hacking a DJI server or sending malware to other vacuums.[1]

DJI's response


After Sammy and The Verge reported this vulnerability to DJI, remote access to the robot with that key was disabled.[1]

DJI responded with this statement:

"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."[1]

Consumer response



References

  1. Hollister, Sean (2026-02-14). "The DJI Romo robovac had security so poor, this man remotely accessed thousands of them". The Verge.