Report that when trying to operate a DJI robot vacuum cleaner with a PS5 controller, data from thousands of units was illegally accessed

China-based
The DJI Romo robovac had security so poor, this man remotely accessed thousands of them | The Verge
https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt

DJI robot vacuum cameras accidentally hacked in security nightmare | Mashable
https://mashable.com/article/dji-romo-robot-vacuums-hacked
Samy Azdufal, curious to try remotely controlling the robot vacuum cleaner Romo with a PS5 controller, created a custom app for it. Romo can usually be controlled and live camera footage viewed from a dedicated smartphone app, but Azdufal analyzed the communication protocol between Romo and the cloud server and built a way to send commands from a custom client, allowing him to operate it with a PS5 controller and monitor it from a laptop.
As a result, Azdufal achieved his goal of freely controlling Romo with a PS5 controller. He also managed to view information about where the robot was cleaning in the house, how much battery power was remaining, and even footage from Romo's built-in camera via the Internet.

However, during the experiment, Azdufal connected to DJI's cloud server and received data not only from his own Romo but from over 7,000 other Romos in 24 countries. Azdufal was able to remotely control all of these Romos, as well as access live video and audio, generated floor plans, and even approximate locations based on IP addresses. 'We didn't use any hacking or brute force attacks,' Azdufal said. 'We were able to obtain data from thousands of people without even hacking into DJI's servers.'
The issue is believed to have been caused by a flaw in cloud-side access control for MQTT, a lightweight communication protocol widely used in IoT devices. In a statement to The Verge, which reported on the incident, DJI spokesperson Daisy Cong explained, 'This issue was resolved through two updates. The fix was applied automatically and no user action was required. The vulnerability was related to access control affecting MQTT-based communication on cloud servers, which impacts communication between devices and servers.'
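The kind of broker-side gap described above can be illustrated with a small model of MQTT topic authorisation. This is an added example, not DJI's configuration or code: the ACL grammar is modelled on Mosquitto's acl_file (`topic` and `pattern` lines, `%c` standing for the client id), and the topic names and client ids are constructed. It shows how an ACL that grants access to a wildcard level lets one device read and command every other device, while a pattern scoped to the client's own id does not.

```python
"""Model of broker-side MQTT topic authorisation (constructed example).

ACL grammar is modelled on Mosquitto's acl_file: 'topic' rules apply to every
client, 'pattern' rules substitute %c with the connecting client id first.
Topic layout and client ids are invented for illustration.
"""

def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the rest."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True          # '#' is always last and matches any remainder
        if i >= len(t):
            return False         # filter has more levels than the topic
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)      # no '#': level counts must be equal

def allowed(acl: list[str], client_id: str, topic: str, access: str) -> bool:
    """True if client_id may perform access ('read'/'write') on topic."""
    for rule in acl:
        kind, perm, filt = rule.split(maxsplit=2)
        if perm not in (access, "readwrite"):
            continue
        if kind == "pattern":
            filt = filt.replace("%c", client_id)   # scope rule to this client
        if topic_matches(filt, topic):
            return True
    return False                 # default deny

# Weak ACL: any authenticated client may read every device's telemetry and
# publish to every device's command topic; the per-device scoping is missing.
WEAK_ACL = [
    "topic read devices/+/camera",
    "topic read devices/+/map",
    "topic readwrite devices/+/cmd",
]

# Scoped ACL: a client may only touch topics under its own client id.
SCOPED_ACL = [
    "pattern read devices/%c/camera",
    "pattern read devices/%c/map",
    "pattern readwrite devices/%c/cmd",
]

def cross_device_exposure(acl, client_id, other_ids):
    """Topics belonging to *other* devices that client_id could read or command."""
    exposed = []
    for other in other_ids:
        for leaf, access in (("camera", "read"), ("map", "read"), ("cmd", "write")):
            topic = f"devices/{other}/{leaf}"
            if allowed(acl, client_id, topic, access):
                exposed.append(topic)
    return exposed
```

Running `cross_device_exposure` with the same client against both ACLs returns every other device's camera, map and command topics under `WEAK_ACL` and an empty list under `SCOPED_ACL`, which is the check a broker operator would want in a test suite.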
Another notable feature of this incident is that Azdufal used Anthropic's AI 'Claude' to analyze the communication between Romo and the cloud and to control the robot with the PS5 controller. AI-assisted coding, which made the traffic analysis and client implementation easy, is believed to have also led to access far beyond what the user intended, which is how the Romo vulnerability came to light. Tech Times, a technology publication, noted, 'This incident highlights the unforeseen risks of AI-driven coding and the growing complexity of smart home networks. Even well-intentioned experiments can uncover system-wide flaws, demonstrating that home robots are not simply convenient devices but part of a vast digital ecosystem requiring close security monitoring.'