A technology expert accidentally takes control of 7,000 robot vacuum cleaners and warns the company: “This shouldn’t be possible.”

Modern robot vacuums are not as harmless and “innocent” as many of us believe. The latest models from certain brands have built-in cameras to analyze the layout of the home and send the data to the manufacturer’s servers to optimize their cleaning routes and cycles using AI. However, what happens when someone gains unauthorized access to this private information? This is what happened to a technology expert who simply wanted to operate his device with a PlayStation 5 controller: instead of only accessing the control of his unit, he had access to more than 7,000 other robot vacuum cleaners around the world.

He wanted to control his robot vacuum cleaner with a PS5 controller and ended up controlling an army of more than 7,000 smart devices

On February 14, The Verge published a story that was as unusual as it was worrying for the privacy of the modern home. It recounted how Sammy Azdoufal, an artificial intelligence professional, was conducting a fun experiment with his DJI Romo robot vacuum cleaner. Broadly speaking, Azdoufal just wanted to create a method for controlling his unit with a PS5 controller, so he enlisted the help of Claude Code to reverse engineer DJI’s protocols and create a remote control app. However, the result was as chilling as it was unexpected.

Instead of only responding to his own robot vacuum cleaner, Azdoufal was perplexed when he discovered that his app allowed him to take control of 7,000 other DJI Romos around the world, as well as see and hear through their built-in cameras and microphones. Indeed, the code generated for his app by Claude Code allowed him to breach the rudimentary security of the servers, enabling this illicit access. Concerned, the AI expert did not think twice and notified both The Verge and the company itself to share his findings and have them patch the vulnerability as soon as possible.

This is a huge security breach that, fortunately, has been discovered by someone with programming knowledge and no malicious intent. Although these robot vacuum cleaners are smart devices that constantly collect telemetric data both to avoid domestic incidents and to optimize cleaning routes, and then send this data to the manufacturer’s cloud, the least we can expect is that this information is kept safe for privacy reasons.

A serious problem for user privacy that has yet to be resolved

According to The Verge’s exhaustive report, the problem is of almost unprecedented magnitude in the field of domestic robots. Sammy Azdoufal shared his concerns in great detail: his customized app allowed him access not only to live video and audio and remote control of any of the more than 7,000 devices it detected, but also to floor plans of thousands of homes sketched with a frightening degree of accuracy. Theoretically, this sensitive information, along with other identifiers such as IPs and MAC addresses, could be used to geolocate and profile specific homes that have a DJI Romo.

Fortunately, DJI identified the breach, classifying it as a permission validation vulnerability in the backend of its servers, and corrected the most serious problems. For his part, Azdoufal confirms that it is now impossible for him to remotely control or spy through the camera and microphone of other DJI Romo drones, but that he still has access to the video and audio of his own unit, as well as other more sensitive functions that he prefers not to reveal until access is completely restricted.

Follow MeriStation USA on X (formerly known as Twitter). Your video game and entertainment website for all the news, updates, and breaking news from the world of video games, movies, series, manga, and anime. Previews, reviews, interviews, trailers, gameplay, podcasts and more! Follow us now!