Man Accesses Camera Feed of 7,000 Robot Vacuums By Accident

A software engineer's earnest effort to steer his new DJI robot vacuum with a video game controller inadvertently granted him a sneak peek into thousands of people's homes.

While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI's remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools. All without their owners ever knowing.

Luckily, Azdoufal chose not to exploit that. Instead, he shared his findings with The Verge, which quickly contacted DJI to report the flaw. DJI says the issue has been "resolved," but the dramatic episode underscores warnings from cybersecurity experts who have long warned that internet-connected robots and other smart home devices present attractive targets for hackers.

How This Happened

The robot in question is the DJI Romo, an autonomous home vacuum that first launched in China last year and is currently expanding to other countries. It retails for around $2,000 and is roughly the size of a large terrier or a small fridge when docked at its base station.

For the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it's operating in. It also needs to understand specific details about what makes, say, a kitchen different from a bedroom. Some of that sensor data is stored remotely on DJI's servers rather than on the device itself.

For Azdoufal's DIY controller idea to work, he would need a way for his app to communicate with DJI's servers and extract a security token that proves he's the owner of the robot.

Rather than just verifying a single token, the servers granted access for a small army of robots. This essentially treated him as their respective owner. That slip-up meant Azdoufal could tap into their real-time camera feeds and activate their microphones. He also claims he could compile 2D floor plans of the homes the robots were operating in. A quick look at the robots' IP addresses also revealed their approximate locations.

None of this, Azdoufal insists, amounts to "hacking" on his part. He simply stumbled upon a major security issue.

DJI's Response

"DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately," DJI told Popular Science. "The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required."

The company went on to say it plans to "continue to implement additional security enhancements" but did not specify what those may entail.

The Broader Privacy Problem

The DJI security concerns come amid a period of growing unease generally about the surveillance capabilities of smart home technology. Earlier this month, Ring camera owners flooded social media after a controversial advertisement for the company's pet-finding "search party" feature was interpreted by some as a Trojan horse for broader monitoring.

Around the same time, reports that Google was able to retrieve video footage from a Nest Doorbell camera to assist in an abduction investigation—despite earlier indications that the footage had been deleted—reignited debate over how much control consumers truly have over their sensitive data.

The irony of many robot vacuums and other smart home devices is that, as a category, they have a long history of questionable security practices. This is despite the fact that they operate in some of our most private spaces.

All signs suggest that the average person will soon welcome more cameras and microphones into their homes, not fewer. As of 2020, market research firm Parks Associates estimates that 54 million U.S. households had at least one smart home device installed. Other surveys show that those who already have one often want more.

What's Coming Next

The specific types of devices entering homes are also becoming more sophisticated. Though still early, Tesla, Figure, and other companies are racing to build human-like autonomous robots that can live in a home and perform chores. A company called 1X is already retailing one of these humanoids, claiming it can clean dishes and crack walnuts—albeit often with some help from a human.

Eventually though, for any of these at-home robot servants to function effectively, they will need unprecedented access to the intimate details of their owners' homes. For a stalker or hacker, that represents a potential goldmine.

Curious for more stories that keep you informed and entertained? From the latest headlines to everyday insights, YourLifeBuzz has more to explore. Dive into what’s next.