DJI Robot Vacuum Hack: Researcher Gains Access to 7,000 Devices

by Chief Editor

Why a Robot Vacuum Became a Global Privacy Nightmare

Sammy Azdoufal didn’t set out to hack the world’s robot vacuums. He simply wanted to steer his DJI Romo with a PS5 gamepad, but his home‑grown app opened a backdoor to thousands of devices. Within minutes his laptop logged over 100 000 MQTT messages from 6 700 Romo units in 24 countries, each broadcasting serial numbers, battery levels, room maps and live video streams.

The technical flaw: an “MQTT permission” gap

Romo robots talk to DJI’s cloud via MQTT. Azdoufal extracted his own private token—the credential that tells DJI’s servers you own a device. Because the backend lacked proper topic‑level access controls, any authenticated client could subscribe to wildcard topic filters (e.g., `#`, MQTT’s multi‑level wildcard, which matches every topic on the broker) and read every message in cleartext. TLS encrypted the transport pipe, but not the data once inside the broker, so the token proved only that the client owned *a* device, never that it was entitled to the topics it asked for.

Azdoufal could:

  • Control any Romo remotely (even without the PIN code).
  • View live camera feeds from strangers’ homes.
  • Generate accurate 2‑D floor plans simply by entering a 14‑digit serial number.

DJI’s patch – a two‑step rollout

DJI’s spokesperson Daisy Kong later confirmed a “backend permission validation issue.” The company issued two updates: an initial patch on Feb 8 and a follow‑up on Feb 10 that re‑enabled and restarted remaining service nodes. DJI says the vulnerability was “theoretical” and that “actual occurrences were extremely rare,” but the live demo proved otherwise.

Beyond Romo: a pattern of smart‑home oversights

Romo isn’t an isolated case. Recent incidents include:

  • 2024: Ecovacs vacuums hijacked to chase pets and shout slurs.
  • 2025: South Korean agencies flagged camera‑feed leaks in Dreame’s X50 Ultra and other brands.
  • Power stations: DJI’s portable Power‑2000 units use the same MQTT system, exposing even more devices.

These examples illustrate a broader industry trend: cloud‑first IoT designs without robust access controls.

What the Future Holds for IoT Security

1. Mandatory topic‑level ACLs for MQTT brokers

Manufacturers will need to enforce strict ACLs that prevent wildcard subscriptions from exposing unrelated device data. Expect firmware updates that bind tokens to specific device IDs and regions.
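The check that was missing is a subscription‑time authorization decision: before the broker accepts a topic filter, it must confirm that every topic the filter could match lies under the devices bound to the presenting token. The following is an added example (not DJI’s code, and not the broker they run) showing that logic in plain Python. The topic layout `devices/<serial>/…`, the token names and the 14‑digit serial numbers are constructed for illustration; the wildcard semantics (`+` for one level, `#` for all remaining levels) are those of the MQTT specification.

```python
"""Topic-level authorization for an MQTT broker.

Added example, not DJI's code. The broker must decide at SUBSCRIBE time
whether a token may receive everything a requested filter could match.
Topic layout, tokens and serial numbers below are constructed assumptions.
"""


def levels(topic: str) -> list[str]:
    """Split a topic or filter into its '/'-separated levels."""
    return topic.split("/")


def validate_filter(f: str) -> None:
    """Reject malformed MQTT filters: '#' only as the final level,
    and wildcards only as whole levels (MQTT 3.1.1 / 5.0 section 4.7)."""
    parts = levels(f)
    for i, lvl in enumerate(parts):
        if lvl == "#" and i != len(parts) - 1:
            raise ValueError(f"'#' must be the last level: {f!r}")
        if ("+" in lvl or "#" in lvl) and lvl not in ("+", "#"):
            raise ValueError(f"wildcard must occupy a whole level: {f!r}")


def pattern_covers(pattern: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `pattern`.

    This is the subsumption check a broker needs: a client asking for '#'
    or 'devices/+/video' is only allowed if its ACL pattern is at least
    that broad. Passing a concrete topic as `requested` performs ordinary
    topic matching, so the same routine also authorizes publishes.
    """
    validate_filter(pattern)
    validate_filter(requested)
    p, r = levels(pattern), levels(requested)
    i = 0
    while True:
        if i == len(p):
            return i == len(r)      # pattern used up: request must be too
        if p[i] == "#":
            return True             # pattern grants everything from here
        if i == len(r):
            return False            # pattern still requires more levels
        if r[i] == "#":
            return False            # request wants all deeper topics; not granted
        if p[i] == "+":
            i += 1                  # any single level is fine here
            continue
        if r[i] != p[i]:
            return False            # '+' in request, or a different literal
        i += 1


class TopicAcl:
    """Per-token allow list. Each token is bound to the serial numbers the
    account owns; it may only touch topics under those serials."""

    def __init__(self, token_to_serials: dict[str, set[str]]):
        self._owned = token_to_serials

    def allowed_patterns(self, token: str) -> list[str]:
        serials = self._owned.get(token, set())
        return [f"devices/{s}/#" for s in sorted(serials)]

    def can_subscribe(self, token: str, requested: str) -> bool:
        return any(pattern_covers(p, requested)
                   for p in self.allowed_patterns(token))

    def can_publish(self, token: str, topic: str) -> bool:
        if "+" in topic or "#" in topic:
            return False            # publish topics carry no wildcards
        return any(pattern_covers(p, topic)
                   for p in self.allowed_patterns(token))


def legacy_can_subscribe(acl: TopicAcl, token: str, requested: str) -> bool:
    """The authenticate-only behaviour the article describes: any valid
    token is allowed any filter. Shown for contrast, not for use."""
    validate_filter(requested)
    return token in acl._owned


# Constructed sample: two accounts, each bound to its own (fake) serial.
ACL = TopicAcl({
    "token-alice": {"00000000000001"},
    "token-bob": {"00000000000002"},
})

# Subscription attempts as the broker would see them (constructed).
ATTEMPTS = [
    ("token-alice", "devices/00000000000001/telemetry"),  # own device
    ("token-alice", "devices/00000000000001/#"),          # all of own device
    ("token-alice", "#"),                                  # every device
    ("token-alice", "devices/+/video"),                    # every camera feed
    ("token-alice", "devices/00000000000002/map"),         # another owner's map
]


def evaluate(acl: TopicAcl, attempts) -> dict[str, bool]:
    """Map 'token:filter' to the authorization decision."""
    return {f"{t}:{f}": acl.can_subscribe(t, f) for t, f in attempts}


if __name__ == "__main__":
    for key, ok in evaluate(ACL, ATTEMPTS).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {key}")
```

Only the first two attempts are allowed; `#`, `devices/+/video` and another owner’s serial are all denied, whereas `legacy_can_subscribe` would wave every one of them through for any known token. Binding tokens to regions, as the paragraph anticipates, is the same idea with one more literal level in the pattern.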

2. Transparent bug‑bounty pipelines

Companies with active bounty programs, like DJI, will be pressured to disclose findings promptly and fix all affected nodes before public announcement. Open communication reduces the risk of a “theoretical” vulnerability turning into a “real” exploit.

3. End‑to‑end encryption beyond TLS

Encrypting payloads inside MQTT messages will become a best practice, ensuring that even authorized brokers cannot read sensitive data without proper decryption keys.

4. Consumer‑centric privacy dashboards

Users will demand dashboards that list every active session, device location, and camera feed. Real‑time revocation of tokens could become a standard feature in smart‑home apps.

Practical Takeaways for Homeowners

  • Check for firmware updates regularly; DJI’s patches were rolled out automatically, but older devices may still run vulnerable software.
  • Use strong, unique passwords for your smart‑home accounts and enable two‑factor authentication where possible.
  • Limit cloud access by configuring your router to block outbound MQTT ports if you don’t use cloud features.

FAQ

Can I still control my DJI Romo with a gamepad?
Yes. The open‑source dji-romo-video-control project lets you use PS5 or Xbox controllers after proper authentication.
Is the live video feed encrypted?
DJI confirms the transport is encrypted with TLS, but the MQTT payloads were readable in cleartext due to missing ACLs.
Did DJI fix all the vulnerabilities?
DJI patched the permission issue, but Azdoufal reports additional flaws, such as bypassing the video‑PIN, that remain unaddressed.
Are other smart‑home devices vulnerable?
Recent reports show similar issues in Ecovacs, Dreame, and other robot vacuums, indicating a systemic problem across the industry.

What’s Next?

As IoT devices become more sophisticated, the line between convenience and privacy blurs. The Romo episode serves as a wake‑up call for manufacturers, regulators, and consumers alike.

Pro tip: Keep an eye on official security advisories from device makers and subscribe to reputable tech newsletters for the latest patches.

Have you experienced any smart‑home security quirks? Share your story in the comments or subscribe to our newsletter for weekly updates on privacy‑first tech.
