The recent security flaw in DJI ROMO robotic vacuum cleaners has raised serious concerns about what can happen when a device with a built-in camera and microphone, one that moves around our homes, becomes a gateway for third parties. The case has had a significant impact across Europe, particularly in countries like Spain, where these devices are starting to gain a foothold in homes.
What seemed like a simple high-end cleaning robot ended up being a very clear example of how poor management of permissions and authentication can expose the privacy of thousands of users. For several days, it was possible to remotely control ROMO vacuum cleaners, see what their cameras captured, listen through their microphones, and even draw detailed floor plans of homes without the owners' knowledge.
A domestic experiment that uncovered a global divide

The protagonist of this story is Sammy Azdoufal, director of artificial intelligence strategy at the home rental company Emerald Stay and an app developer based in Barcelona. It all started when he decided, almost out of curiosity, to link his DJI ROMO vacuum cleaner to a PlayStation 5 controller so he could drive it like a remote-controlled car.
To achieve this, Azdoufal created a remote-control application and, using an AI assistant, reverse-engineered DJI's communication protocols. His initial intention was simply to communicate with his own robot, but when he connected to the company's servers, something unexpected happened: thousands of vacuum cleaners that were not his began responding.
Within minutes, his laptop identified around 6,700 to 7,000 devices spread over 24 countries, later gaining visibility over some 10,000 devices, counting ROMO robots and other connected equipment. Every few seconds, the devices sent messages with status data, cleaning routes, serial numbers, and other technical information, which accumulated to more than 100,000 MQTT messages in just nine minutes.
The seriousness of the matter lies not only in the number of devices affected, but also in the fact that access was achieved with a single element: the private token extracted from Azdoufal's own robot. That identifier, intended to let the servers recognize a legitimate user, acted in practice as a kind of "master key" that opened the door to thousands of other robots.
Specialized outlets such as The Verge verified the vulnerability firsthand: a journalist allowed Azdoufal to try to control his ROMO from Barcelona, and he managed to operate the robot remotely simply by knowing its serial number, with no need for additional passwords.
What could attackers see and do with the ROMO?

The scope of the vulnerability goes far beyond remotely turning a vacuum cleaner on or off. Because of this flaw in permission validation, anyone who exploited the problem could control the robot's movement and access extremely sensitive information without any authorization from the owner.
The accessible data and functions included the integrated cameras of the most advanced models, which made it possible to view live images from inside homes. Furthermore, the system gave anyone who connected access to the 2D maps of the houses generated during cleaning sessions, with the layout of each room, hallway, and detected obstacle.
On top of all this, it was possible to consult parameters such as the battery level, the robot's exact route, the rooms it was cleaning at any given time, or the objects it had encountered along its path. With this data, an attacker could infer habits and routines, knowing when a house was empty or locating particularly sensitive areas within a home.
In some cases, the robot can also serve as a starting point for working out the user's approximate location, either through the IP address or associated network information. This combination—home maps, possible images, audio, and technical data—turns a simple appliance into a very powerful source of intelligence about a home.
Azdoufal insists that, during his tests, he did not resort to brute-force techniques, nor did he breach encrypted systems in the traditional sense. According to his own account, he simply used his device's token and found that the servers, because of a design flaw, were handing him data from thousands of other users.
How the vulnerability works: the token and backend problem

At the heart of this incident is the communication system between the ROMO robots and the DJI Home platform, which uses the MQTT protocol to send and receive data in real time. This technology is common in the Internet of Things because it is lightweight and efficient, but it requires rigorous permission management so that each device can only access its own information.
As the company itself explained, the problem lay in a permission validation failure in the backend, not in the encryption of communications. That is, the data traveled securely over the network, but once inside DJI's infrastructure, the controls that determine what each client may see were not properly configured.
In practice, the private token of Azdoufal's robot acted as a global identifier that allowed his client to subscribe to messages from other devices, receive their telemetry, and even execute remote actions. The flaw caused the system to accept these requests as legitimate, without properly verifying that each request concerned only the robot the token had been issued for.
This type of vulnerability is especially serious because it occurs on the server side. Even if the user has an encrypted connection and a seemingly secure app, if the backend does not enforce strict access control policies, the system can still be compromised: an attacker with the right knowledge can move quite freely within the manufacturer's cloud.
Cybersecurity experts point out that cases like this demonstrate that encryption alone is not enough: TLS protects the channel, but it does not prevent a misconfigured service from delivering sensitive information to the wrong recipient. That is why external security audits and bug bounty programs are so important, especially for products that literally go into the user's home.
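To make the distinction between authentication and per-device authorization concrete, here is a small Python model of an MQTT backend's access check, added as an illustration for this article; it is not DJI's code, nor Azdoufal's tool. The topic layout (devices/<serial>/<channel>), the token store and the device serials are all assumed, constructed values. The weak policy only asks "is this token valid?", so a valid token plus a wildcard subscription reaches every device; the strict policy derives the permitted topics from the identity bound to the token, so the serial level of any topic must literally equal the caller's own serial.

```python
"""Model of per-device topic authorization in an MQTT backend (assumed layout)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed topic layout for this example: devices/<serial>/<channel>
CHANNELS = {"telemetry", "map", "cmd"}

# Constructed sample credential store: token -> serial it was issued for.
TOKEN_TO_SERIAL = {
    "tok-aaaa": "ROMO-0001",
    "tok-bbbb": "ROMO-0002",
}

# Constructed sample of what the broker currently holds for two robots.
SAMPLE_TOPICS = [
    "devices/ROMO-0001/telemetry",
    "devices/ROMO-0001/map",
    "devices/ROMO-0002/telemetry",
    "devices/ROMO-0002/map",
]


@dataclass(frozen=True)
class Principal:
    serial: str  # the one device this caller is allowed to touch


def authenticate(token: str) -> Optional[Principal]:
    """Step 1: who is calling? Resolves a token to the identity it was issued to."""
    serial = TOKEN_TO_SERIAL.get(token)
    return Principal(serial) if serial else None


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def authorize_weak(token: str, action: str, topic_filter: str) -> bool:
    """The failure mode: authentication only. Any valid token gets any topic."""
    return authenticate(token) is not None


def authorize_strict(token: str, action: str, topic_filter: str) -> bool:
    """Step 2: is this caller allowed this topic? Derived from the identity, not the request."""
    principal = authenticate(token)
    if principal is None:
        return False
    levels = topic_filter.split("/")
    if len(levels) != 3 or levels[0] != "devices":
        return False
    # The serial level must be the caller's own serial; '+' or '#' here would span other devices.
    if levels[1] != principal.serial:
        return False
    if action == "publish":
        return levels[2] in CHANNELS          # publishing (e.g. a command) takes a literal topic
    if action == "subscribe":
        return levels[2] in CHANNELS or levels[2] == "+"  # a wildcard only within one's own device
    return False


Authorizer = Callable[[str, str, str], bool]


def visible_topics(authorizer: Authorizer, token: str, topic_filter: str,
                   retained: List[str]) -> List[str]:
    """Which of the broker's topics a subscription would actually receive under a policy."""
    if not authorizer(token, "subscribe", topic_filter):
        return []
    return [t for t in retained if topic_matches(topic_filter, t)]


if __name__ == "__main__":
    for policy in (authorize_weak, authorize_strict):
        seen = visible_topics(policy, "tok-aaaa", "devices/+/telemetry", SAMPLE_TOPICS)
        print(f"{policy.__name__}: token for ROMO-0001 subscribing to devices/+/telemetry sees {seen}")
```

Under the weak policy the owner of ROMO-0001 receives ROMO-0002's telemetry as well; under the strict policy the wildcard subscription is refused outright, and a subscription naming another robot's serial is refused even though the token itself is perfectly valid. The same shape of check, applied to publish requests on the command channel, is what stops a valid token from driving someone else's robot.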
DJI's response: quick patches and a message of calm
Following Azdoufal's announcement of the discovery and its subsequent publication in international media, DJI has confirmed that the vulnerability has already been completely resolved. According to company spokesperson Daisy Kong, the company internally detected a problem with DJI Home in late January and began rolling out patches shortly thereafter.
Specifically, the firm says it released a first patch on February 8, followed by a further update on February 10 to ensure that the correction was applied to all service nodes. The company maintains that this second update was the one that finally extended the fix to its entire infrastructure, reinstating the permission controls that had initially failed.
DJI emphasizes that the failure was limited to a theoretical possibility of unauthorized access to live video and other data from the ROMOs, and that the actual cases detected were "extremely rare" and primarily associated with security researchers who were testing the devices. Furthermore, the company stresses that communications were not transmitted in plain text and that encryption remained active at all times.
After receiving Azdoufal's detailed report, the company reiterated that "there is no evidence of a broader impact" on its user base and that the problem is already solved. However, the researcher himself has told the US media outlet that he has been able to detect another serious flaw related to the ROMO, which for the moment he prefers not to make public so as not to facilitate its exploitation.
The company insists that it maintains strict privacy and security standards, has invested in industry-level encryption solutions, and runs a bug bounty program to encourage responsible reporting of such discoveries.
The impact on users in Spain and Europe
In the European context, where personal data protection is heavily regulated under the GDPR, an incident like the DJI ROMO breach does not go unnoticed. Although the company insists that the number of actual victims has been very limited, the fact that it was technically possible to access the cameras, microphones, and home maps of thousands of users is, in itself, a cause for concern.
In countries like Spain, where more and more households are opting for home automation and connected devices, this case serves as a reminder that a robot vacuum cleaner is not just a household appliance. It is a mobile sensor that travels throughout the entire house and can generate a very precise picture of how a family lives, which spaces they use, where they store certain objects, or when they are usually absent.
European regulators and privacy advocates have long warned of the risks of devices with integrated cameras and microphones, from smart speakers to video doorbells and home security cameras. The ROMO incident adds to a growing list of cases showing that not all brands take security implications equally seriously.
Furthermore, since this is a company with global infrastructure and distributed servers, further questions arise regarding exactly where the data is stored, who can access it, and under which jurisdiction it is managed. While encryption makes it difficult for external third parties to access the data, the company's own employees or internal departments can, in theory, process this information, which raises the bar of accountability required of manufacturers and suppliers.
For European users, this type of incident often also translates into increased regulatory scrutiny and pressure to adopt specific cybersecurity certifications for Internet of Things products intended for the home, something that is already being debated both in Brussels and in various national capitals.
What measures can owners of robot vacuum cleaners take?
Although DJI insists that no further action is required from users, given that the patches have already been applied, the episode points to some practical recommendations that can help reduce risk with any connected robot vacuum cleaner, whether or not it is of this brand.
Firstly, it is advisable to check periodically for updates to the firmware and to the associated mobile app. Most manufacturers enable automatic updates, but it is always a good idea to check the settings to ensure the device is up to date, especially after news like this.
It is also recommended to limit the permissions granted to applications: for example, assessing whether it is strictly necessary to enable remote access from outside the home, or whether it makes sense for the app to hold permanent permissions for the phone's camera or microphone when the functions that need them are not in use.
Another prudent practice is to control the areas of the house where the robot moves. Many models allow you to set up restricted areas or virtual walls. Preventing the vacuum cleaner from entering particularly sensitive rooms—such as offices with documents, children's rooms, or areas where private information is handled—can reduce the impact of a potential incident.
Finally, it is useful to maintain a critical view of the connected devices brought into the home: check the manufacturer's security track record, look for previous problems, review what type of data the device collects and how it stores it, and do not assume that a product is automatically secure just because it is popular.
The DJI ROMO case has made clear that even a brand with technological expertise and a broad international presence can overlook a permission validation failure with potentially serious consequences. Home digitalization brings convenience and automation, but it also means acknowledging that every connected device is a potential weak point if something goes wrong in its design or maintenance.
With the vulnerability now fixed but new research underway, the incident serves as a wake-up call for both manufacturers and users: the security of a robot vacuum cleaner is not measured only by how well it cleans, but by how well it protects what it sees, hears, and learns about the house it works in.