- A user accidentally gained access to thousands of DJI Romo vacuum cleaners around the world
- Sensitive data, including floor plans and live video feeds, was exposed online
- Communications encryption was intact, but server storage remained completely unprotected
A hobbyist discovered that his DJI Romo vacuum unintentionally allowed access to thousands of other devices.
Sammy Azdoufal, an AI strategist, used reverse engineering to understand how the Romo communicated with DJI servers. He did not hack DJI systems or bypass encryption, and he did not use brute force or other illicit methods.
He was attempting to control his own robot using a PlayStation controller when the protocol returned private tokens for additional vacuums, including more than 6,700 devices across multiple regions, among them the United States, Europe, and China.
Discovery and technical details
The main problem was that the device data was stored in plain text on the server, allowing anyone with access to read floor plans, live video feeds, and microphone input.
The encryption protecting communications was not faulty, but the data storage exposed sensitive information to anyone with access to it.
Azdoufal immediately reported the vulnerability to DJI, and the company released updates to address several issues without requiring user intervention.
Some vulnerabilities remain, including the ability to stream video without a security PIN and another issue that remains undisclosed due to its severity.
These remaining issues indicate that server-side data storage and access control still require attention.
Unfortunately, this isn’t an isolated case: an engineer previously discovered that his iLife A11 smart vacuum cleaner was constantly sending logs and telemetry data back to the manufacturer.
When he blocked the reporting on his network, the company disabled the device remotely.
Through technical adjustments, he restored local functionality, proving that cloud connectivity is not strictly necessary for the device to function properly.
Many consumers buy smart devices for convenience, but incidents like these present potential risks when ordinary users can accidentally access private data.
Live videos, floor plans, and other information could be exposed if attackers exploit similar vulnerabilities.
Firewall software, endpoint protection, and careful monitoring of network activity can reduce exposure, and broader use of AI tools could also help identify unusual patterns, although this does not guarantee detection.
Users should be aware that even minor configuration errors or design flaws can create major privacy risks.
The case of the DJI Romo vacuum cleaners indicates that IoT devices may prioritize convenience over strong data protection: even though this discovery was accidental and responsibly reported, the underlying design leaves sensitive personal information vulnerable.
This raises legitimate concerns about both unintended access and potential targeted attacks in the future.
Via Tom’s material




