A software engineer using an AI coding assistant to reverse-engineer his DJI robot vacuum's communication system inadvertently gained access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries due to a backend security vulnerability.
Sammy Azdoufal was attempting to build a remote-control app for his DJI Romo robot vacuum, using an AI coding assistant to help reverse-engineer the device's communication with DJI's cloud servers. The DJI Romo is an autonomous home vacuum that retails for around $2,000 and launched in China last year before expanding to other countries. During development, Azdoufal discovered that the same credentials that let him control his own device also gave him unauthorized access to nearly 7,000 other robot vacuums across 24 countries. This backend security bug exposed live camera feeds, microphone audio, 2D floor plans of homes, and status data from the affected devices. The vulnerability essentially created an army of potential surveillance tools that could have been exploited without owners' knowledge. Azdoufal responsibly disclosed the findings to The Verge, which contacted DJI to report the flaw. DJI stated that it identified the vulnerability through internal review in late January and deployed fixes on February 8 and February 10, with automatic updates requiring no user action. The incident highlights broader cybersecurity concerns about internet-connected smart home devices and robots.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Vulnerabilities that can be exploited in AI systems, software development toolchains, and hardware, resulting in unauthorized access, data and privacy breaches, or system manipulation causing unsafe outputs or behavior.
AI system: Due to a decision or action made by an AI system
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed