DJI robot vacuum cameras were accidentally hacked, exposing a security risk

February has been a tumultuous month for DJI. The Chinese tech giant, best known for making drones, stepped up its fight against the US drone ban by suing the FCC. Then the internet exploded over a completely different DJI device: the Romo robot vacuum.

Thousands of Romo vacuums and their live cameras around the world have been hacked – and not by an evil mastermind sitting in a room surrounded by screens, but by a man trying to get his PS5 controller to control a robot vacuum.

Sammy Azdoufal told The Verge that he wasn’t trying to hack anyone else’s robot vacuum. It was just a fun project for the software engineer, who warned DJI about its massive verification lapse while sharing how little work it took to access the ins and outs of Romo owners’ homes.

And yes, AI was involved. Azdoufal specializes in AI techniques; he got coding help from AI assistant Claude to change the communication protocol between the DJI servers and his Romo.

After creating a custom app for his PlayStation setup, Azdoufal discovered he was seeing far more than the data of his own robot vacuum. He had accidentally unlocked the data of thousands of DJI robot owners around the world.

The information revealed wasn’t just 3D floor plans of homes, which would be bad enough. The devices’ live camera feeds and microphone audio were also accessible.

As of Feb. 24, DJI had resolved the problem by limiting access through this verification gap, Azdoufal found. Meanwhile, the Romo itself appears to have disappeared from DJI’s online store, as of Feb. 26.

A new fear unlocked: Your robot vacuum as a spy

Even if this problem is fixed, the idea that someone could spy on you through your robot vacuum does not boost confidence in the whole category. What if another camera-toting robot vacuum brand has the same security problem that hasn’t been found yet, and what if the person who finds it isn’t as good-hearted as Azdoufal?

We’ve had glimpses of this kind of vulnerability in the past. In 2024, many Ecovacs Deebot X2 robot vacuums across the US were hacked and made to scream at their owners. Other smart home devices with cameras have faced security breaches, too, from baby monitors to smart doorbells.

But a robot vacuum is the only type of appliance that is always moving around your home. That gives this vulnerability a distinct sense of angst, perhaps enough to warrant a found-footage horror film.

And of course, there are even more opportunities for bad actors when AI accesses personal information.

I test robot vacuums for a living, and I really don’t want to be in doubt about using their cameras. The live-streaming camera is a robot vacuum feature that is incredibly comforting for pet parents who worry about leaving their pets at home alone.

All the robovacs I tested announced audibly when in remote viewing mode. But not all robot vacuums provide that courtesy notice (the DJI Romo, for one, does not).

In any case, if a hacker managed to get to the point where he could control the vacuum’s camera, how hard would it be for him to turn off the warning? While the problem still exists, it may be wise to disable your vacuum’s camera, at least when it’s not in use, with the most low-tech hack of all: putting tape over it.
