A simple hack gave the owner of a brand new DJI Romo access to a global army of 7,000 robovacs — and the security flaw isn’t fully fixed

The DJI Romo (Image credit: @JasperEllens)

  • A DJI Romo owner has exposed a huge security flaw
  • He gained access to a global network of 7,000 robovacs
  • DJI says it's busy patching the security vulnerabilities

DJI's first robot vacuum, the DJI Romo, is expanding to more markets after launching last year – but it apparently comes with some rather large security holes that led to one hobbyist hacker gaining control of 7,000 of the machines.

As The Verge reports, DJI Romo owner Sammy Azdoufal was trying to get his PS5 controller to operate his new robovac when he inadvertently took over thousands of the devices. Azdoufal's remote control app, made with the help of Claude Code, slipped through some rather basic security on DJI's servers.

Not only could Azdoufal control any of these robovacs, he could also access the video and audio they were feeding back, and view 2D floor plans of the homes they were in. IP addresses were also accessible, meaning approximate locations of these properties could be calculated, alongside everything else.

It seems that the security token that Azdoufal used to confirm ownership of his own device was good enough for DJI's servers to grant access to thousands of other DJI Romos too. Even DJI Power portable power stations were showing up on the map, reporting back diagnostics and status.

Fixes coming

The hack allowed access to a global network of robovacs (Image credit: @gonzague / X)

The good news is that DJI has patched this problem, confirming to The Verge that the issue is now "resolved" and indeed that "remediation was already underway prior to public disclosure". However, it's very worrying that this was possible in the first place, with so little security put in place against hacks.

New DJI products are in fact banned in the US at the moment, due to concerns about security protocols and the company's connections to the Chinese government – and suspicions around spying and surreptitious data collection aren't going to be allayed by this latest security disaster.

There is actually another security problem with the DJI Romo, which The Verge has deemed too serious to describe publicly. DJI says that this second issue will be fixed within weeks, but it's hardly going to inspire confidence or trust in anyone looking to purchase one of the best robovacs right now.

It's yet more evidence that smart-home devices are some of the worst when it comes to security. We've reached out to DJI for an official statement on the reporting done by The Verge, and will report back if we hear anything.


David Nield
Freelance Contributor

