- A DJI Romo owner has revealed a huge security flaw
- He gained access to a global network of 7,000 robovacs
- DJI says it is busy fixing the security vulnerabilities
DJI’s first robot vacuum cleaner, the DJI Romo, is expanding into more markets after launching last year, but it apparently comes with some pretty big security holes that led to a hobbyist hacker gaining control of 7,000 of the machines.
As The Verge reports, DJI Romo owner Sammy Azdoufal was trying to get his PS5 controller to operate his new robovac when he accidentally took over thousands of the devices. Azdoufal’s remote control app, made with the help of Claude Code, slipped through some pretty basic security on DJI’s servers.
Not only could Azdoufal control any of these robovacs, he could also access the video and audio they sent back and see 2D floor plans of the homes they were in. IP addresses were also available, meaning approximate locations of these properties could be calculated along with everything else.
It appears that the security token Azdoufal used to verify ownership of his own device was good enough for DJI’s servers to also allow access to thousands of other DJI Romos. Even the DJI Power portable power plants appeared on the map and reported back diagnostics and status.
Fixes coming
The good news is that DJI has fixed this issue, confirming to The Verge that the issue is now “resolved” and indeed that “remediation was already underway prior to the public release”. However, it is very worrying that this was possible in the first place, with so little security in place against hacks.
Indeed, new DJI products are currently banned in the US due to concerns about security protocols and the company’s ties to the Chinese government, and suspicions of espionage and covert data collection will not be assuaged by this latest security disaster.
There is actually another security issue with the DJI Romo that The Verge has deemed too serious to report openly. DJI says that this second issue will be resolved within weeks, but it’s unlikely to instill confidence or trust in anyone looking to buy one of the best robovacs right now.
It’s further proof that smart-home devices are some of the worst when it comes to security. We’ve reached out to DJI for an official statement on The Verge’s reporting, and we’ll get back to you if we hear back.



