DJI Romo robot vacuum vulnerability
A vulnerability in DJI Romo vacuums, discovered in 2025, would have allowed malicious actors to remotely access and control all of them without hacking into DJI servers.[1]
Background
DJI Romo remote access vulnerability
In 2025, Sammy Azdoufal created an app to control his new DJI Romo robot vacuum with a PS5 controller. Because the device used a single API key, he unintentionally had remote access to approximately 6,700 DJI Romo vacuums, and over 10,000 devices in total. He was able to do this by accessing his data on his own device, without hacking a DJI server or sending malware to other vacuums.[1]
DJI's response
After Sammy and The Verge reported this vulnerability to DJI, remote access to the robot with that key was disabled.[1]
DJI responded with this statement:
"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."[1]
Consumer response
References
- [1] Hollister, Sean (2026-02-14). "The DJI Romo robovac had security so poor, this man remotely accessed thousands of them". The Verge.