PlayStation Controller Hijack: 7,000 Robot Vacuums Exposed
A software engineer’s attempt to control his robot vacuum with a PlayStation 5 controller inadvertently opened a security hole, granting access to over 7,000 DJI Romo robot vacuums worldwide. The incident, reported by The Verge, highlights the growing security risks associated with the proliferation of “smart” devices.
How the Breach Happened
Sammy Azdoufal, the software engineer, initially aimed to connect his DJI Romo to a PS5 controller for more flexible control. Using AI assistance from Claude to analyze the communication between the Romo and DJI's servers, he obtained a security token for his own device. However, this token unexpectedly unlocked access to thousands of other Romo vacuums as well.
Azdoufal discovered he could access sensitive data from these devices, including:
- Cleaning routes
- Battery status
- Obstacle detection data
- 2D floor plans of homes
- Live camera and microphone feeds
- Approximate device locations via IP addresses
He demonstrated this access to The Verge, successfully locating a Romo unit belonging to one of their reviewers and accessing a live video feed of the reviewer’s apartment.
DJI’s Response and the Vulnerability
DJI acknowledged a “backend permission validation issue affecting MQTT-based communication” that allowed unauthorized access to live camera feeds. The company stated it had patched the vulnerability, but Azdoufal’s demonstration suggested the fix was not immediately effective.
The Romo vacuum has since disappeared from DJI’s online store, as of February 26, 2026.
The Broader Implications for Smart Device Security
This incident raises serious concerns about the security of Internet of Things (IoT) devices. The ease with which Azdoufal gained access, without actively attempting to hack the system, underscores the potential for accidental or malicious breaches. The ability to view live camera feeds and map home interiors represents a significant privacy risk for users.
The case also highlights the potential for vulnerabilities in the authentication processes of device manufacturers. Azdoufal emphasized he did not break any rules or bypass security measures; the access was granted due to a flaw in DJI’s server-side validation.
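The flaw DJI describes (a valid token for one device being accepted for other devices over MQTT) is a classic authentication-without-authorization bug: the backend checked that the token was genuine but not that it was bound to the device whose data was being requested. The following Python is an added illustration written for this article, not DJI's code and not based on the Romo's real protocol; the token format, signing key, and the `devices/<id>/<stream>` topic layout are all hypothetical. It shows the weak check beside the corrected one, including the wildcard subscriptions a strict check must also refuse.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical backend signing key (constructed for this demo; a real service
# would keep it in an HSM or secrets manager, never in source).
SECRET = b"constructed-demo-secret"


def issue_token(device_id, ttl=3600):
    """Mint a signed token bound to exactly one device id (hypothetical format)."""
    payload = {"device_id": device_id, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the token's claims if the signature is valid and it has not expired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        return None
    return claims


def topic_device(topic):
    """Extract the device id from a topic of the form devices/<id>/<stream>.

    Returns None for malformed topics and for MQTT wildcards ('+', '#'),
    which would otherwise match every device's stream at once.
    """
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices" or not parts[1]:
        return None
    if "+" in parts[1] or "#" in parts[1]:
        return None
    return parts[1]


def authorize_weak(token, topic):
    """Flawed check: authentication only.

    Any holder of *a* valid token may subscribe to *any* device's stream,
    which is the shape of failure the article describes.
    """
    return verify_token(token) is not None


def authorize_strict(token, topic):
    """Corrected check: the device named in the topic must be the device the token was issued for."""
    claims = verify_token(token)
    if claims is None:
        return False
    device = topic_device(topic)
    return device is not None and device == claims["device_id"]


if __name__ == "__main__":
    # Constructed scenario: a token for one vacuum, used against another vacuum's camera topic.
    own_token = issue_token("vacuum-0001")
    other_camera = "devices/vacuum-0002/camera"
    print("weak  :", authorize_weak(own_token, other_camera))    # True  (the bug)
    print("strict:", authorize_strict(own_token, other_camera))  # False (the fix)
    print("strict, own device:", authorize_strict(own_token, "devices/vacuum-0001/camera"))
    print("strict, wildcard  :", authorize_strict(own_token, "devices/+/camera"))
```

The same binding has to be enforced wherever the broker answers a subscribe or publish, not only at login: a token proves who the client is, while the per-topic check decides what that client may see. Most MQTT brokers and cloud IoT services expose this as a topic ACL or per-identity policy, and a useful regression test for any such deployment is exactly the cross-device case above, with wildcard topics included.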
What Can Users Do?
While users are largely reliant on manufacturers to secure their devices, there are steps they can take to mitigate risk:
- Research before buying: Consider the security reputation of manufacturers before purchasing smart devices.
- Regularly update firmware: Install security updates promptly when they become available.
- Review privacy settings: Understand what data your devices collect and how it’s used.
- Network security: Secure your home Wi-Fi network with a strong password and enable encryption.
FAQ
Q: What is a robot vacuum?
A: A robot vacuum is an autonomous cleaning device that navigates and cleans floors without direct human control.
Q: What is MQTT?
A: MQTT is a lightweight publish/subscribe messaging protocol often used by IoT devices to communicate with each other and with servers.
Q: Is my home safe from this type of attack?
A: While DJI has addressed the immediate vulnerability, it’s a reminder to be vigilant about the security of all connected devices.
Q: What is a security token?
A: A security token is a piece of data that verifies a user’s identity and grants access to a system or resource.
Did you know? The DJI Romo uses technology originally developed for drones, including obstacle detection and visual mapping.
Pro Tip: Change your Wi-Fi password regularly and use a strong, unique password for each of your connected devices.
Have you experienced any security concerns with your smart home devices? Share your thoughts in the comments below!
