A routine experiment in automation took an unexpected turn when a software engineer inadvertently uncovered a security flaw that exposed thousands of DJI Romo robot vacuums to unauthorized access. The discovery revealed how a single oversight in backend permissions could transform a smart home device into a global surveillance tool—without the owners’ knowledge.

The engineer, who had set out to add gamepad control to his own DJI Romo vacuum, used a custom tool to analyze the traffic between the device and DJI's servers. What began as a personal project quickly escalated when the session token issued for his vacuum turned out to grant access not just to his own device, but to an entire network of Romo devices worldwide. Within minutes, he had mapped the locations, cleaning routes, and even live camera feeds of thousands of robots across two dozen countries.

The vulnerability stemmed from a permission validation error in the backend that handles the vacuums' MQTT-based communication: a token that was valid for one device was accepted for others, which DJI confirmed was a potential entry point for unauthorized access to live video feeds from affected devices. The company acted swiftly, releasing a patch within days of being notified. However, the incident raises broader questions about the security of internet-connected smart home devices, particularly those with built-in cameras and microphones.
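The class of bug described above is a per-object authorization check that verifies a token is genuine but not that it is scoped to the device being accessed. The following is an added illustration, not DJI's code: the topic layout (`robots/<device_id>/<channel>`), the token fields, and the function names are assumptions chosen to show the flawed check beside the corrected one, and the fleet topics are constructed sample data.

```python
"""Illustrative MQTT topic-authorization check (added example, not DJI's code).

The topic scheme, token format and function names below are assumptions; they
exist only to show the pattern: a backend that validates that a token is
genuine but never checks that it is scoped to the device whose topic is being
read, so one owner's token reaches every device in the fleet.
"""

import re
from dataclasses import dataclass
from typing import Callable, List

# Assumed topic layout (hypothetical): robots/<device_id>/<channel>
TOPIC_RE = re.compile(r"^robots/(?P<device_id>[A-Za-z0-9_-]+)/(?P<channel>[a-z]+)$")


@dataclass(frozen=True)
class Token:
    """A session token as the backend sees it after signature/expiry verification."""
    subject: str      # user or session id (assumed claim)
    device_id: str    # device this token was issued for (assumed claim)
    valid: bool       # True if the signature and expiry checks passed


def authorize_subscribe_flawed(token: Token, topic: str) -> bool:
    """Flawed check: any valid token may subscribe to any well-formed device topic.

    The token's own device_id is never compared with the topic's, which is the
    permission-validation error the article describes.
    """
    return token.valid and TOPIC_RE.match(topic) is not None


def authorize_subscribe_fixed(token: Token, topic: str) -> bool:
    """Fixed check: the topic's device_id must equal the device the token is scoped to."""
    if not token.valid:
        return False
    m = TOPIC_RE.match(topic)
    if m is None:
        return False
    return m.group("device_id") == token.device_id


def audit_fleet(token: Token, topics: List[str],
                check: Callable[[Token, str], bool]) -> List[str]:
    """Return every topic `check` would let this token read.

    This is the test to run against any fleet backend: one device's token against
    other devices' topics. The flawed check returns the whole fleet; the fixed
    check returns only the token's own device.
    """
    return [t for t in topics if check(token, t)]


# Constructed sample data: one owner's token and topics for several devices.
OWNER_TOKEN = Token(subject="user-1", device_id="romo-0001", valid=True)
SAMPLE_TOPICS = [
    "robots/romo-0001/video",
    "robots/romo-0001/map",
    "robots/romo-0002/video",
    "robots/romo-0003/map",
    "robots/romo-0003/state",
    "admin/broadcast",   # not a device topic; neither check should allow it
]


if __name__ == "__main__":
    print("flawed:", audit_fleet(OWNER_TOKEN, SAMPLE_TOPICS, authorize_subscribe_flawed))
    print("fixed: ", audit_fleet(OWNER_TOKEN, SAMPLE_TOPICS, authorize_subscribe_fixed))
```

The fix is deliberately a comparison against a claim carried in the token rather than a lookup of "does this user own a device", because the latter is where fleet-wide bugs hide: if the lookup answers "is this a valid device" instead of "is this the caller's device", every authenticated user becomes an administrator of the whole fleet.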

What Was Exposed?

For a brief period, the engineer could:

  • Access live camera feeds from thousands of Romo vacuums.
  • Retrieve detailed floor plans of users’ homes, reconstructed from spatial data collected during cleaning cycles.
  • Monitor charge states, cleaning routes, and obstacle encounters in real time.
  • Estimate the geographic locations of users based on IP addresses.

The discovery underscores a growing trend in smart home security, where a single vulnerability in a connected device can have consequences for every owner of that device. Earlier this year, similar flaws in competing robot vacuum systems were exploited to harass users and compromise their privacy. While DJI has addressed the immediate issue, the incident serves as a reminder of the importance of rigorous security engineering in IoT devices, especially server-side authorization of device data.

A Patch, But Lingering Concerns

DJI has acknowledged the flaw and confirmed that a fix was deployed to mitigate the risk. The company has also pledged to address remaining vulnerabilities within weeks. Yet the episode highlights a persistent challenge in the smart home ecosystem: the balance between convenience and security. Features like built-in cameras and microphones, often included for navigation, voice control or diagnostics, become liabilities the moment the backend that gates access to them fails to check who is asking.

For users, the takeaway is clear: while smart home devices offer undeniable convenience, they also introduce new layers of risk. One caveat is worth stating plainly: because this flaw lived in DJI's backend rather than on the vacuum, no update an owner could install would have closed it; the fix had to come from the vendor's servers. Regular software updates still matter for device-side flaws, but cautious adoption of connected technology, and a preference for vendors who respond quickly when notified, remain essential practices in an era where the line between innovation and exposure grows increasingly thin.