All he wanted was to move his robot vacuum cleaner around with a PlayStation controller. But programmer Sammy Azdoufal claims he unwittingly gained remote access to 7,000 other devices.
His experience has drawn attention to the potential security risks of smart home gadgets, with Chinese manufacturer DJI saying it had fixed a “vulnerability” detected in its software.
The French tech worker, based in Barcelona, told AFP on a phone call this week that he had tried to customise his flashy DJI Romo vacuum cleaner out of curiosity.
“They have an app linked to the vacuum. So I tried to understand what the app was sending to the robot when I’m moving the robot,” Mr Azdoufal said.
After linking up the gaming controller, he decided he wanted to make the vacuum cleaner sound like it was crying when low on battery.
“Sometimes my brain is weird,” the 32-year-old laughed.
Mr Azdoufal tinkered further to find its battery status – but was confused and “a little bit scared” when he began to also see the data of thousands of other vacuum cleaners.
“You can have a full map of all the rooms, you can have access to the camera, microphone”, as well as a rough location for each device, he claimed.
Having alerted a friend to his discovery, “we freak out together and I start to mail DJI” about the apparent security breach, recounted Mr Azdoufal, head of artificial intelligence for a holiday rental platform.
The programmer, who used to work in cybersecurity, said his wife has since covered up the camera on their vacuum cleaner.
‘Super fancy’
With no immediate reply from the company, Mr Azdoufal contacted specialist tech media outlet The Verge, who gave him the 14-digit serial number of a DJI Romo it had recently reviewed.
The Verge reported that the Frenchman was able to generate an accurate floor plan of its reporter’s home and see that the robot was in use.
He could not control the vacuum cleaner, however and could not see through its camera or listen through its microphone, the outlet said, adding that DJI had allegedly restricted access to those after being alerted to the problem.
The Shenzhen-based DJI, known for its drones and other high-tech devices, calls the Romo series – whose top models are priced around US$2,000 (S$2,500) – its “flagship robot vacuum with advanced sensing”.
Mr Azdoufal said he bought the vacuum in December 2025 and started using it in January, having spent that much because it is “super fancy” and “I’m stupid”.
DJI told AFP that it had “identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately”.
The issue was addressed through two updates in early February with “no user action required”, it said.
“DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities,” it said, adding that it uses “industry-standard encryption”.
“We take reports from the security community seriously and investigate them promptly. We are working to further strengthen the PIN code verification mechanism and are reviewing the researcher’s other claims,” it said.
“Our backend systems are protected by layered safeguards, including strict access controls, and sensitive user data is protected, including through encryption where appropriate.”
Add Comment