A developer accidentally gained control of more than 10,000 DJI devices

Daniel Sims

Posts: 2,472   +74
Staff
Facepalm: Controlling robot vacuums and other smart devices from outside a local Wi-Fi network almost always means routing commands through the cloud. That convenience comes with an obvious tradeoff: it creates a tempting attack surface. In the case of DJI's latest robot vacuum, one user didn't need to breach the company's servers at all to expose just how risky that setup can be.

An AI strategist recently demonstrated to The Verge how he accidentally gained sweeping control over thousands of DJI robot vacuums and other connected devices scattered across the globe. A remote-control app he had vibe-coded gave him visibility into strangers' homes, revealed their locations, and allowed him to command their vacuums as if they were his own.

The experiment began innocently enough. After buying DJI's recently released Romo robot vacuum, Sammy Azdoufal, head of AI at a vacation property management company, wondered whether he could drive it with a PlayStation 5 controller. Since DJI already offers remote control through its smartphone app, the idea was mostly playful. What it uncovered was not.

When the app Azdoufal wrote using Claude Code connected to DJI's cloud servers, it didn't just authenticate his own vacuum. Instead, it granted him access to roughly 6,700 devices across 24 countries. The same backend also controlled several thousand portable power stations, pushing the total number of exposed devices past 10,000.

The episode quickly took on a surreal, almost meme-like quality online, as observers marveled at how casually the access had been achieved.

With that access, Azdoufal could steer the robots, see through their onboard cameras, and pull up sensitive metadata, including serial numbers and IP addresses. He could view detailed floor plans generated by the vacuums, check battery levels, and retrieve other operational data. By entering a 14-digit code, he was even able to bypass the PIN on any device.

DJI closed the security loophole shortly after Azdoufal alerted the company. In a follow-up statement, DJI said it had already been working to address a backend permission-validation vulnerability at the time of the incident, but that the fix had not yet been deployed universally.

In a letter, DJI downplayed the scope of the exposure, claiming that only a very small number of users had exploited the flaw and that nearly all of them were security researchers. While the company says its devices rely on encrypted communications, Azdoufal has since identified additional weaknesses – one of them so severe that The Verge chose not to publish details.

The incident raises precisely the kinds of concerns that led the FCC to ban foreign-made drones from entering the US, which is why the Romo remains unavailable in the country.

It also highlights how, with the proper credentials, smart home device makers (and potentially their employees) can have a frightening level of access into customers' private lives. Although DJI says its data is stored on US-based servers, Azdoufal's experience suggests that, with the right credentials, those systems can be accessed from virtually anywhere, just as he did from Spain.

Permalink to story:

 
This guy accidentally revealed what was deliberately built-in in all these things.
Anything with network capabilities and originating from China should be banned, and existing units either destroyed or updated.
No doubt. The warnings about Chinese spy network are not a theory, it is a reality.
 
The device doesn't have to be from China to have this kind of flaw. Quite frankly, any smart device can do the trick if it's using any kind of server not hosted in your home. Bottom line: stick to simple machines, no AI and no remote controls that can be used outside your home. I would imagine also some devices that let you use your phone or other device to remotely spy into a camera from another location "for security purposes" can be dangerous as well.
 
Back