Facepalm: Controlling robot vacuums and other smart devices from outside a local Wi-Fi network almost always means routing commands through the cloud. That convenience comes with an obvious tradeoff: it creates a tempting attack surface. In the case of DJI's latest robot vacuum, one user didn't need to breach the company's servers at all to expose just how risky that setup can be.

An AI strategist recently demonstrated to The Verge how he accidentally gained sweeping control over thousands of DJI robot vacuums and other connected devices scattered across the globe. A remote-control app he had vibe-coded gave him visibility into strangers' homes, revealed their locations, and allowed him to command their vacuums as if they were his own.

The experiment began innocently enough. After buying DJI's recently released Romo robot vacuum, Sammy Azdoufal, head of AI at a vacation property management company, wondered whether he could drive it with a PlayStation 5 controller. Since DJI already offers remote control through its smartphone app, the idea was mostly playful. What it uncovered was not.

When the app Azdoufal wrote using Claude Code connected to DJI's cloud servers, it didn't just authenticate his own vacuum. Instead, it granted him access to roughly 6,700 devices across 24 countries. The same backend also controlled several thousand portable power stations, pushing the total number of exposed devices past 10,000.

The episode quickly took on a surreal, almost meme-like quality online, as observers marveled at how casually the access had been achieved.

With that access, Azdoufal could steer the robots, see through their onboard cameras, and pull up sensitive metadata, including serial numbers and IP addresses. He could view detailed floor plans generated by the vacuums, check battery levels, and retrieve other operational data. By entering a 14-digit code, he was even able to bypass the PIN on any device.

DJI closed the security loophole shortly after Azdoufal alerted the company. In a follow-up statement, DJI said it had already been working to address a backend permission-validation vulnerability at the time of the incident, but that the fix had not yet been deployed universally.
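The flaw DJI describes, a backend that checks only that a caller is logged in and not that the caller owns the device it is addressing, is the classic broken object-level authorization pattern. The following is an added illustration, not DJI's code, using a constructed three-device fleet and invented account and device ids: the weak handler beside the hardened one, plus an owner-scoped listing and an audit trail of rejected cross-account requests that a defender would monitor.

```python
"""Added example: object-level authorization for an IoT command backend.
Not DJI's code; all ids, accounts and devices are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Session:
    account_id: str  # identity established by login; says nothing about device ownership


@dataclass
class Device:
    device_id: str
    owner_id: str
    kind: str


# Constructed sample fleet: two accounts, three devices.
FLEET = {
    "romo-0001": Device("romo-0001", "acct-alice", "vacuum"),
    "romo-0002": Device("romo-0002", "acct-bob", "vacuum"),
    "power-0042": Device("power-0042", "acct-bob", "power_station"),
}

REJECTED_ATTEMPTS: list = []  # audit trail: (account, device, command) for denied requests


class NotFound(Exception):
    pass


def handle_command_weak(session: Session, device_id: str, command: str) -> str:
    """Vulnerable pattern: verifies only that the caller is authenticated.
    Any logged-in account can drive any device id it can enumerate."""
    device = FLEET.get(device_id)
    if device is None:
        raise NotFound(device_id)
    return f"{device.device_id}: {command}"


def handle_command(session: Session, device_id: str, command: str) -> str:
    """Hardened pattern: load the device, then require that the session owns it.
    Unknown and foreign devices return the same error so ids cannot be probed."""
    device = FLEET.get(device_id)
    if device is None or device.owner_id != session.account_id:
        REJECTED_ATTEMPTS.append((session.account_id, device_id, command))
        raise NotFound(device_id)
    return f"{device.device_id}: {command}"


def list_devices(session: Session) -> list:
    """Hardened listing: scope the query to the caller's account, never the whole fleet."""
    return sorted(d.device_id for d in FLEET.values() if d.owner_id == session.account_id)
```

A spike in `REJECTED_ATTEMPTS` entries from a single account across many device ids is the enumeration signal worth alerting on.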

In a letter, DJI downplayed the scope of the exposure, claiming that only a very small number of users had exploited the flaw and that nearly all of them were security researchers. While the company says its devices rely on encrypted communications, Azdoufal has since identified additional weaknesses – one of them so severe that The Verge chose not to publish details.

The incident raises precisely the kinds of concerns that led the FCC to ban foreign-made drones from entering the US, which is why the Romo remains unavailable in the country.

It also highlights how, given the proper credentials, smart home device makers (and potentially their employees) can have a frightening level of access to customers' private lives. Although DJI says its data is stored on US-based servers, Azdoufal's experience suggests that those systems can be reached from virtually anywhere, just as he did from Spain.