- A user accidentally gained access to thousands of DJI Romo vacuum cleaners worldwide
- Sensitive data, including floor plans and live video feeds, was exposed online
- Encryption of communications was intact, but server storage remained completely unprotected
A hobbyist discovered that his DJI Romo vacuum was inadvertently giving access to thousands of other devices.
Sammy Azdoufal, an AI strategist, used reverse engineering to understand how Romo communicated with DJI servers. He didn’t hack into DJI systems or bypass encryption, and he didn’t use brute force or other illegal methods.
While attempting to control his own robot with a PlayStation controller, he found that the protocol returned private tokens for other vacuums as well: more than 6,700 units across multiple regions, including the US, Europe and China.
Discovery and technical details
The core problem was that device data was stored in plain text on the server, allowing anyone with access to read floor plans, live video feeds and microphone inputs.
The encryption protecting communications in transit was not flawed; the problem was that the data at rest on the server was readable by anyone who could reach it.
Azdoufal immediately reported the vulnerability to DJI, and the company issued updates to fix several issues without requiring user intervention.
Some vulnerabilities remain, including the ability to stream video without a security PIN and another issue that has not been disclosed because of its severity.
These remaining issues indicate that server-side data storage and access control still require attention.
Unfortunately, this is not an isolated case – an engineer previously discovered that his iLife A11 smart vacuum was continuously sending logs and telemetry back to the manufacturer.
When he blocked reporting through his network, the company remotely disabled the device.
Using technical tweaks, he restored local functionality, proving that cloud connectivity is not strictly necessary for proper device operation.
Many consumers buy smart devices for convenience, but incidents like these show potential risks when ordinary users can accidentally access private data.
Live video, floor plans and other information could be exposed if attackers exploit similar vulnerabilities.
Firewall software, careful monitoring of network activity and endpoint protection can reduce exposure, and wider use of AI tools can help flag unusual patterns, although none of this guarantees detection.
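As an added example (not the article's or DJI's code, and not a reconstruction of DJI's actual API), the following Python sketches the two server-side failures the article describes: a device-token endpoint that never checks who owns the requested device, beside an ownership-checked version, and a small audit over constructed access-log lines of the kind the monitoring advice above would rely on, which catches one account collecting tokens for devices it does not own. All account names, device IDs, the log format and the functions are made up for illustration.

```python
"""
Hypothetical model of the two server-side failures discussed in the article:
(1) a token endpoint that validates that a device exists but not that the
caller owns it, so any valid session can obtain tokens for other people's
devices, and (2) a log audit that flags accounts pulling tokens for devices
registered to someone else. Nothing here is DJI's code or API; the names,
device IDs and log lines are constructed for illustration.
"""
import secrets
from collections import defaultdict

# Constructed sample data: which account owns which device.
DEVICE_OWNERS = {
    "romo-0001": "alice",
    "romo-0002": "alice",
    "romo-0003": "bob",
    "romo-0004": "carol",
}


class AuthorizationError(Exception):
    pass


def issue_token_broken(caller, device_id):
    """'Before' version: only checks that the device ID is known. The caller
    is never compared against the owner, so a logged-in user can request a
    token for every device the server knows about."""
    if device_id not in DEVICE_OWNERS:
        raise KeyError(device_id)
    return secrets.token_hex(16)  # opaque per-device session token


def issue_token_fixed(caller, device_id):
    """'After' version: object-level authorization. A token is issued only
    when the caller is the registered owner of that specific device."""
    owner = DEVICE_OWNERS.get(device_id)
    if owner is None or owner != caller:
        # Same error for "unknown device" and "not your device" so the
        # response does not confirm which device IDs exist.
        raise AuthorizationError("device not available to this account")
    return secrets.token_hex(16)


def enumerate_tokens(issue_fn, caller):
    """Try every known device ID as `caller` and return the IDs for which a
    token was obtained. With the broken endpoint this is all of them."""
    reachable = []
    for device_id in sorted(DEVICE_OWNERS):
        try:
            issue_fn(caller, device_id)
            reachable.append(device_id)
        except (AuthorizationError, KeyError):
            pass
    return reachable


# Constructed server access log, one request per line:
# "<account> <device_id> <action>"
SAMPLE_LOG = """\
alice romo-0001 token
alice romo-0002 token
bob romo-0003 token
bob romo-0001 token
bob romo-0002 token
bob romo-0004 token
carol romo-0004 token
"""


def foreign_device_access(log_text):
    """Audit the log for token requests against devices the requesting
    account does not own. Returns {account: sorted foreign device IDs} for
    every account with at least one such request."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "token":
            continue  # ignore malformed lines and non-token actions
        account, device_id, _ = parts
        seen[account].add(device_id)

    flagged = {}
    for account, devices in seen.items():
        owned = {d for d, o in DEVICE_OWNERS.items() if o == account}
        foreign = devices - owned
        if foreign:
            flagged[account] = sorted(foreign)
    return flagged


if __name__ == "__main__":
    print("broken endpoint, as bob:", enumerate_tokens(issue_token_broken, "bob"))
    print("fixed endpoint, as bob: ", enumerate_tokens(issue_token_fixed, "bob"))
    print("accounts touching foreign devices:", foreign_device_access(SAMPLE_LOG))
```

The audit is deliberately simple: it keys on ownership rather than on a request-count threshold, because a single token request for a device the account does not own is already a policy violation, whereas counting alone would miss a slow enumeration.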
Users should be aware that even minor misconfigurations or design flaws can create major privacy risks.
The case of the DJI Romo vacuum cleaners indicates that IoT devices may prioritize convenience over strong data protection – although this discovery was accidental and responsibly reported, the underlying design left sensitive personal information exposed.
This raises valid concerns about both accidental access and potential targeted attacks in the future.
Via Tom’s hardware