Software engineer accidentally gains control of 7,000 robot vacuums in a security flaw



Software engineer accidentally gains control of 7,000 robot vacuums in a security flaw (Image source: Canva)

A software engineer discovered that he could gain control of thousands of internet-connected vacuum cleaners after attempting to modify his own device, according to a report by The Guardian.

While attempting to use a PlayStation controller with his own robot vacuum, the engineer found that an authentication flaw in the manufacturer’s cloud system allowed access to nearly 7,000 robot cleaners in about 24 countries. The devices included live camera feeds, microphone audio and floor mapping data, all of which were linked to households around the world. Instead of using the access for personal gain, the engineer told a tech news site about the flaw.

This raised concerns about the security of smart appliances that connect to cloud servers. This case shows that design problems that come up in everyday consumer technology can expose big holes in privacy and cybersecurity all over the world.

PS5 controller experiment accidentally gains access to 7,000 robot vacuums

According to The Guardian, the engineer, identified as Sammy Azdoufal, was experimenting with his DJI Romo robot vacuum and a PlayStation 5 controller. He used an AI coding assistant called Claude Code to reverse-engineer how the device communicated with the manufacturer’s cloud servers.

While performing this work, he unexpectedly found that the authentication tokens and credentials he was using also permitted him to connect to and control other devices registered on the same system. The access extended to live video from onboard cameras, audio captured by microphones, battery status and internal floor maps created by the devices. The report noted that the engineer tested the flaw by controlling a unit in a journalist’s home after being provided with its serial number.

Security flaw exposed live camera, audio from 7,000 robot vacuums across 24 countries

The devices affected were located across approximately 24 countries, with nearly 7,000 individual vacuums accessible through the discovered flaw. The types of data involved included live streams from onboard cameras, audio from built-in microphones and detailed floor plans of users’ homes as mapped by the robots. According to the report, the engineer was able to demonstrate these capabilities within a short period after receiving a device’s identifier, underscoring how widespread the issue was.

How the issue was reported

After discovering the flaw, the engineer shared his findings with The Verge, a US-based technology news publication. The demonstration included real-time control of another person’s vacuum cleaner, showing battery levels and generating a floor map. The Verge documented the engineer’s account of how the vulnerability operated and the extent of access it provided. As per reports, the engineer did not attempt to exploit the access beyond illustrating the issue to reporters and instead took steps to report the problem to public forums.

Manufacturer response

The manufacturer of the robot vacuums, DJI (Shenzhen Da-Jiang Innovations Sciences and Technologies Ltd), initially stated that the problem had been resolved after the vulnerability was highlighted in the media. According to The Guardian report, DJI told Popular Science that the issue had been addressed through updates to its systems. However, the engineer maintained that not all vulnerabilities had been fixed, indicating that further work might be required to secure the system fully.

Broader implications for smart devices

The discovery has drawn attention to the security of connected household devices, often referred to as the Internet of Things (IoT). Devices such as robot vacuums, cameras and other appliances rely on cloud services for remote access and updates. A flaw in the backend authentication system of such services can allow unintended access to sensitive data or control systems. Security researchers have noted that vulnerabilities in smart devices can expose user information or device controls if authentication and data segregation are not properly implemented. The incident with the DJI Romo robots shows how a design oversight in one type of device could potentially affect large numbers of users across many regions.
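As an added illustration, not code from DJI or from any of the reports, the following sketch shows the class of backend flaw the article describes: a cloud API handler that authenticates the caller but never checks that the requested device belongs to that caller, beside a corrected handler that binds device access to ownership. The account names, session tokens and serial numbers are constructed.

```python
# Added illustration, not DJI's code: an authenticated-but-unauthorized
# device handler beside one that enforces ownership. All names, tokens
# and serial numbers below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

# Constructed device registry: which account owns which device serial.
DEVICE_OWNERS = {
    "SN-AAA-0001": "alice",
    "SN-BBB-0002": "bob",
}

# Constructed session tokens issued to logged-in accounts.
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(token: str) -> Optional[str]:
    """Map a session token to an account name, or None if the token is unknown."""
    return SESSIONS.get(token)


def stream_camera_vulnerable(token: str, serial: str) -> Decision:
    """Authentication only: any logged-in account can reach any registered device."""
    user = authenticate(token)
    if user is None:
        return Decision(False, "unauthenticated")
    if serial not in DEVICE_OWNERS:
        return Decision(False, "unknown device")
    # Ownership is never checked, so a valid token plus a serial is enough.
    return Decision(True, f"{user} streams {serial}")


def stream_camera_fixed(token: str, serial: str) -> Decision:
    """Authentication plus authorization: the device must belong to the caller."""
    user = authenticate(token)
    if user is None:
        return Decision(False, "unauthenticated")
    owner = DEVICE_OWNERS.get(serial)
    # One generic answer for both unknown and foreign serials, so the response
    # does not reveal which serial numbers exist in the registry.
    if owner != user:
        return Decision(False, "not found")
    return Decision(True, f"{user} streams {serial}")
```

The same ownership check belongs on every device-scoped endpoint (camera, microphone, map, motion control), not only the one shown here.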
