
The Accidental Robo-vac Hack


It sounds like sci-fi, but just last month thousands of DJI robot vacuums (or robo-vacs) worldwide became serious surveillance agents. Even worse, this breach was accidental.  

Software developer and imaginative gamer, Sammy Azdoufal, decided ‘it would be fun’ to turn his own $2,000 robo-vac into a remote-control vehicle. With assistance from Claude Code, Azdoufal developed an app that wirelessly connected his PS5 gamepad to his robo-vac. In doing this, he unwittingly connected to DJI’s servers across the globe.

Reporting the vulnerability to US tech publication The Verge, Azdoufal claims he wasn’t trying to hack into any foreign devices. As it turns out, little effort was required anyway.

If you find this article has you side-eyeing your vacuum, coffee machine or Wi-Fi router, you might be interested in the confidence and consolation our comprehensive network security will provide.  

What Would a Vacuum Cleaner Know?  

An uncomfortable amount... Azdoufal’s unintentional reverse engineering of DJI’s protocols meant he could remotely steer over 7,000 vacuums. He could also look and listen through their live camera feeds, and accurately map out floor plans of strangers’ homes, all from the comfort of his couch in Barcelona.  

Using the connected robots’ IP addresses, he could even glean approximate addresses. He did all of this without ever receiving a PIN or pairing request.

MQTT data packets were providing live updates every few seconds, containing:

  • device serial numbers
  • which rooms they’re cleaning
  • what they’ve seen
  • how far they’ve travelled
  • when they’re returning to the charger, and
  • obstacles they encountered along the way

The Verge witnessed Azdoufal catalogue 6,700 DJI devices across 24 countries within 10 minutes. They even conducted a live test on the DJI Romo belonging to Thomas Ricker, Deputy Editor of The Verge (with permission this time). Azdoufal could easily target specific devices using only a 14-digit serial number. He showed how he could see the vacuum was cleaning the living room and had 80% battery life remaining. He even mapped a near-perfect replica of Ricker’s floorplan.

All done without ‘hacking’ DJI servers and no malicious intent. Azdoufal states, “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.”  

A Clean Sweep 

An error in the system meant that a private token, which is supposed to be unique to each individual device for security purposes and allows you to access your personal device’s data, inadvertently acted as a master key to thousands of devices. It allowed him to access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.
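A token issued for one device but accepted for all of them is an authorization gap on the message broker. As an added example (not DJI's code and not taken from the reporting), the sketch below contrasts a token-only check with one that confines each token to its own device's MQTT topic subtree, including wildcard subscriptions; the `devices/<serial>/...` topic layout, the tokens and the serials are assumptions constructed for illustration.

```python
# Added example: broker-side SUBSCRIBE authorization for per-device MQTT tokens.
# Topic layout "devices/<serial>/..." and every token/serial here are constructed.

TOKENS = {  # token -> the one serial it was issued for
    "tok-aaaa": "00000000000001",
    "tok-bbbb": "00000000000002",
}

def filter_within(requested: str, allowed: str) -> bool:
    """True only if every topic matched by `requested` is also matched by `allowed`."""
    req, alw = requested.split("/"), allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":
            return True            # allowed covers this level and everything below
        if i >= len(req):
            return False           # requested stops above the allowed subtree
        r = req[i]
        if r == "#":
            return False           # requested multi-level wildcard is broader
        if a == "+":
            continue               # any single level is inside '+'
        if r != a:
            return False           # different literal, or '+' where a literal is required
    return len(req) == len(alw)

def authorize_token_only(token: str, topic_filter: str) -> bool:
    # Weak form: checks that the token is valid, never which device it belongs to.
    return token in TOKENS

def authorize_scoped(token: str, topic_filter: str) -> bool:
    # Hardened form: the token may only see topics under its own serial.
    serial = TOKENS.get(token)
    if serial is None:
        return False
    return filter_within(topic_filter, f"devices/{serial}/#")

if __name__ == "__main__":
    for f in ("#", "devices/+/status",
              "devices/00000000000001/map", "devices/00000000000002/map"):
        print(f"{f:32} token_only={authorize_token_only('tok-aaaa', f)} "
              f"scoped={authorize_scoped('tok-aaaa', f)}")
```

The wildcard containment check is the part that matters: comparing only literal topic names would still let a subscription to `#` or `devices/+/status` through.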

Chinese drone-maker DJI was banned from importing any new drone models into the US in December 2025 due to their “unacceptable risks to the national security of the United States”. Yet their devices, designed to map homes, were left vulnerable.

A key feature of these digital housekeepers is on-the-go control via an app. Home-based networks typically rely on cloud-based data servers to enable this functionality. Most users understand that cloud-based devices with built-in surveillance software can pose a tempting target for cybercriminals, but depend on the companies producing these devices to have trusted network safeguards in place.  

Following the reports, DJI was swift to restrict access and block audio and video surveillance opportunities. A day later, Azdoufal’s scanner was cut off from accessing any devices. The Verge provided an update to their reporting on 18/02/2026 that DJI had committed to ‘fix its other Romo robo-vac security hole within weeks’.

Cleaning House

With devices such as smart doorbells, voice assistants, fitness trackers, and even some fridges observing more of us as we go about our daily lives, the risk of privacy invasion is growing. But these vulnerabilities aren't confined to the home.

These digital ecosystems are vast. Think of the number of devices your business has connected to your wireless network: modems, speakers, printers, security cameras, access points. These are all potential attack surfaces and require careful security oversight. A network-connected aquarium thermostat in a casino lobby was even hacked in 2021. If it connects to the internet, it's exposed.

The DJI robo-vac hack reveals how minor technical oversights can escalate into large-scale privacy risks and reminds us of the need for multi-layered endpoint protection and robust permission controls.  

Events such as these raise many questions and concerns about the wider security and data practices surrounding household and professional devices alike. Perhaps the most pressing question of all: what does a robot vacuum cleaner even need a microphone for?  

© 2026 Computer One Australia.