Tinkerer accidentally gets access to thousands of DJI Romo robot vacuums

[Image: DJI Romo (Image credit: Peter Hoffmann)]

  • One user accidentally gained access to thousands of DJI Romo vacuums worldwide
  • Sensitive data, including floor plans and live video feeds, was exposed online
  • Encryption of communications was intact, yet server storage remained completely unprotected

A hobbyist discovered that his DJI Romo vacuum unintentionally allowed access to thousands of other devices.

Sammy Azdoufal, an AI strategist, used reverse engineering to understand how the Romo communicated with DJI servers. He did not hack into DJI systems or bypass encryption, and he did not use brute force or other illicit methods.

He was attempting to control his own robot using a PlayStation controller when the protocol returned private tokens for additional vacuums: more than 6,700 devices located across multiple regions, including the United States, Europe, and China.

Discovery and technical details

The core problem was that device data was stored in plain text on the server, which allowed anyone who gained access to read floor plans, live video feeds, and microphone input.

The encryption protecting communications was not flawed, yet the data storage exposed sensitive information to anyone with access.

Azdoufal immediately reported the vulnerability to DJI, and the company issued updates to address several problems without requiring user intervention.

Some vulnerabilities remain, including the ability to stream video without a security PIN, as well as another issue that has not been disclosed because of its severity.

These remaining problems indicate that server-side data storage and access control still need attention.
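The defect class described above is a server that hands out device credentials without checking which account owns the device. The following is an added illustration, not DJI's protocol or code: a hypothetical token endpoint in its flawed and hardened forms, plus a detection pass over the server's own audit lines that flags an account sweeping foreign device ids. The registry, signing key, log format and all device ids are constructed for the demo.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample registry: device id -> owning account. Not real data.
DEVICE_OWNERS = {
    "romo-0001": "alice",
    "romo-0002": "bob",
    "romo-0003": "carol",
}

# Constructed signing key for the demo; a real service keeps this in a KMS/HSM.
SERVER_KEY = b"demo-only-key-do-not-reuse"

AUDIT_LOG = []  # the server's own access log, one entry per token decision


def issue_token(device_id: str) -> str:
    """Derive a per-device credential (HMAC of the id under the server key)."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def tokens_unsafe(user: str, device_ids):
    """Flawed endpoint: the caller's identity is never compared with the
    device's owner, so any account can obtain credentials for any device."""
    return {d: issue_token(d) for d in device_ids if d in DEVICE_OWNERS}


def tokens_safe(user: str, device_ids):
    """Hardened endpoint: object-level authorization. Tokens are issued only
    for devices registered to the requesting account; every decision is logged."""
    granted = {}
    for d in device_ids:
        owner = DEVICE_OWNERS.get(d)
        if owner == user:
            granted[d] = issue_token(d)
            AUDIT_LOG.append(f"user={user} device={d} result=granted")
        else:
            # Unknown and foreign devices are logged and answered identically,
            # so the response does not reveal which ids exist.
            AUDIT_LOG.append(f"user={user} device={d} result=denied")
    return granted


# Hypothetical audit-line format used by tokens_safe above.
LOG_RE = re.compile(r"user=(\S+) device=(\S+) result=(granted|denied)")


def flag_enumeration(log_lines, max_denied=3):
    """Detection pass over audit lines: report accounts denied on more than
    max_denied distinct devices, the trace a client sweeping foreign ids leaves."""
    denied = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "denied":
            denied[m.group(1)].add(m.group(2))
    return {u: sorted(ids) for u, ids in denied.items() if len(ids) > max_denied}


if __name__ == "__main__":
    asked = ["romo-0001", "romo-0002", "romo-0003", "romo-0004"]
    print("unsafe:", sorted(tokens_unsafe("bob", asked)))  # all three registered
    print("safe:  ", sorted(tokens_safe("bob", asked)))    # only romo-0002
    print("flagged:", flag_enumeration(AUDIT_LOG))
```

The ownership check is the fix for the access-control half of the problem; the storage half (floor plans, video and audio held in plain text) is a separate control, encryption at rest with keys the application server cannot read in bulk, and is not shown here.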

Unfortunately, this is not an isolated case — an engineer previously discovered that his iLife A11 smart vacuum continuously sent logs and telemetry back to the manufacturer.

When he blocked reporting through his network, the company remotely disabled the device.

Using technical adjustments, he restored local functionality, proving that cloud connectivity is not strictly necessary for proper device operation.

Many consumers purchase smart devices for convenience, but incidents like these show potential risks when ordinary users can accidentally access private data.

Live video, floor plans, and other information could be exposed if attackers exploit similar vulnerabilities.

Using firewall software, careful monitoring, and endpoint protection for network activity can reduce exposure, and broader use of AI tools could also help identify unusual patterns, although this does not guarantee detection.

Users should be aware that even minor misconfigurations or design flaws can create major privacy risks.

The case of the DJI Romo vacuums indicates that IoT devices may prioritize convenience over strong data protection: while this discovery was accidental and responsibly reported, the underlying design leaves sensitive personal information exposed.

This raises valid concerns about both unintended access and potential targeted attacks in the future.

Via Tom's Hardware


Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
