DJI Bug Accidentally Gave One Man Control of 7,000 Robots

In what might be the most spectacular own-goal in recent IoT security, a software engineer accidentally gained god-mode access to roughly 7,000 DJI robot vacuums across 24 countries. The researcher, Sammy Azdoufal, wasn’t trying to start a robot uprising; he just wanted to drive his new, absurdly expensive DJI Romo vacuum with a PlayStation 5 controller because, well, why not?

To achieve this modern-day dream, Azdoufal used an AI coding assistant to help reverse-engineer the robot’s communication protocols. After successfully extracting his own device’s authentication token, he connected to DJI’s servers. Instead of hearing back from his lone floor-scrubbing minion, an army of approximately 7,000 robots answered the call. The flaw gave him access to live camera and microphone feeds, real-time 2D floor plans of users’ homes, and device status from thousands of unsuspecting owners.

The root of the problem was a comically simple, yet catastrophic, security oversight. DJI’s backend servers authenticated the user’s token but apparently failed to perform the crucial next step: verifying that the user actually owned the specific device they were trying to access. Any valid key could unlock any door on the planet. Azdoufal noted he “didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” highlighting that he simply walked through a wide-open digital door.
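The missing check described above, as an added example (hypothetical Python, not DJI's code): a handler that only authenticates the token beside one that also verifies the caller owns the device, plus a blast-radius check a test suite could run. The token and device-owner tables are constructed sample data.

```python
from typing import Callable

class AuthError(Exception):
    """Token is missing or unknown: authentication failed."""

class Forbidden(Exception):
    """Caller is authenticated but is not the owner of the requested device."""

# Constructed sample tables standing in for a fleet backend (hypothetical, not DJI's data).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
DEVICE_OWNERS = {"vac-1001": "alice", "vac-1002": "bob", "vac-1003": "carol", "vac-1004": "carol"}

def authenticate(token: str) -> str:
    """Step 1: is the token valid? Returns the caller's user id; says nothing about what they may touch."""
    user_id = TOKENS.get(token)
    if user_id is None:
        raise AuthError("unknown token")
    return user_id

def device_status_vulnerable(token: str, device_id: str) -> dict:
    """Authenticates, then serves any existing device: the missing-ownership-check pattern."""
    user_id = authenticate(token)
    if device_id not in DEVICE_OWNERS:
        raise KeyError(device_id)
    return {"device": device_id, "requested_by": user_id, "state": "docked"}

def device_status_fixed(token: str, device_id: str) -> dict:
    """Step 2 added: the authenticated user must be the registered owner of device_id."""
    user_id = authenticate(token)
    owner = DEVICE_OWNERS.get(device_id)
    # Same response for "no such device" and "not yours" so callers cannot enumerate valid ids.
    if owner is None or owner != user_id:
        raise Forbidden(f"{user_id} may not access {device_id}")
    return {"device": device_id, "requested_by": user_id, "state": "docked"}

def reachable_devices(handler: Callable[[str, str], dict], token: str) -> int:
    """Blast-radius check for a test suite: how many fleet devices does one token expose?"""
    count = 0
    for device_id in DEVICE_OWNERS:
        try:
            handler(token, device_id)
            count += 1
        except (Forbidden, KeyError):
            pass
    return count

if __name__ == "__main__":
    print("one token reaches", reachable_devices(device_status_vulnerable, "tok-alice"), "devices before the fix")
    print("one token reaches", reachable_devices(device_status_fixed, "tok-alice"), "device after the fix")
```

A regression test that asserts `reachable_devices` equals the caller's own device count is the cheap guard that would have caught this class of flaw before it shipped.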

Why is this important?

This incident is a textbook case of the perils of modern IoT device security, where products with intimate access to our homes—complete with cameras and microphones—are sometimes secured with the digital equivalent of a screen door lock. While the potential for a massive, global privacy breach was enormous, Azdoufal did the responsible thing and reported the vulnerability.

To its credit, DJI acted with impressive speed. After being notified, the company reportedly patched the critical vulnerability with a server-side fix within two days, requiring no action from users. While questions remain about how such a fundamental flaw made it to production, the swift response prevented a potential disaster and stands as a lesson for other IoT manufacturers: lock your doors, and maybe check to make sure the keys don’t work on the entire neighborhood.