A robot vacuum is supposed to learn your floors — not your neighbors’.
Yet for a brief, slightly surreal moment, nearly 7,000 homes across 24 countries were technically one joystick away from being driven like remote-controlled toys.
It started innocently enough. A software engineer named Sammy Azdoufal wanted to steer his DJI Romo with a video game controller. Not to spy. Not to cause chaos. Just to pilot a $2,000 cleaning robot around the living room like an overqualified RC car.
Instead, he found himself holding the digital keys to an accidental robot armada.
Meet the Vacuum That Knows Your Kitchen
The robot in question is the DJI Romo, an autonomous vacuum roughly the size of a large terrier when docked. It navigates homes using a suite of sensors, mapping rooms, detecting obstacles, and quietly building an intimate spatial understanding of your domestic life.
It needs that awareness to function. A modern robot vacuum doesn’t just bounce randomly anymore. It distinguishes kitchens from bedrooms. It remembers layouts. It optimizes routes. To do that, it collects visual data and environmental information — some of which is stored on DJI’s cloud servers rather than locally on the device.
That cloud connection is the magic.
And, briefly, the problem.
One Token to Rule Them All
While reverse-engineering how his Romo communicated with DJI’s servers, Azdoufal used an AI coding assistant to help decode the system. His goal was simple: extract a security token proving he owned his robot so his custom controller app could talk to it.
Instead of verifying a single device, the backend treated him as the rightful owner of thousands.
According to reporting from Popular Science, the credentials granted access not just to his own vacuum but to nearly 7,000 others. Live camera feeds. Microphone audio. Floor maps. Status data. Even approximate geographic locations based on IP addresses.
It wasn’t a cinematic “hack.” No hoodies. No brute force attacks. Just a security oversight that opened a door far wider than intended.
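The report does not describe DJI's backend, so the following is an added illustration, not DJI's code or Azdoufal's: it assumes the oversight was a server that checked the token was valid but never checked that the requested robot belonged to the token's account. The serial numbers, account names, signing key and function names are all constructed for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed signing key, not from the report

# Constructed registry: device serial -> owning account.
DEVICE_OWNER = {"ROMO-0001": "alice", "ROMO-0002": "bob", "ROMO-0003": "carol"}

def issue_token(account):
    """Sign the account name so the server can later authenticate the caller."""
    sig = hmac.new(SECRET, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}.{sig}"

def authenticate(token):
    """Return the account the token was issued to, or None if the signature is bad."""
    account, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, account.encode(), hashlib.sha256).hexdigest()
    return account if hmac.compare_digest(sig.encode(), expected.encode()) else None

def get_feed_flawed(token, serial):
    """Authenticates the caller but never asks whose device this is."""
    if authenticate(token) is None:
        return 401
    return 200 if serial in DEVICE_OWNER else 404

def get_feed_fixed(token, serial):
    """Authenticates, then authorizes against the device's registered owner."""
    account = authenticate(token)
    if account is None:
        return 401
    # Same answer for "not yours" and "does not exist", so serials cannot be probed.
    if DEVICE_OWNER.get(serial) != account:
        return 404
    return 200

def replay(handler, token, serials):
    """Run one token against several serials; record (account, serial, status)."""
    account = authenticate(token)
    return [(account, s, handler(token, s)) for s in serials]

def flag_cross_owner_access(access_log):
    """Detection: accounts whose successful requests reached devices they do not own."""
    flagged = {}
    for account, serial, status in access_log:
        if status == 200 and DEVICE_OWNER.get(serial) != account:
            flagged.setdefault(account, set()).add(serial)
    return flagged
```

The last function is the check a vendor can run over existing access logs: one account succeeding against many devices it does not own is the signature of this class of flaw.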
In different hands, that door could have led somewhere darker.
The Domestic Surveillance Machine We Almost Had
Robot vacuums operate in the most private areas of human life. Bedrooms. Kitchens. Hallways cluttered with shoes and secrets. They build 2D maps of homes. They carry cameras and microphones. They roam unsupervised.
For a brief window, one curious engineer could have activated microphones in thousands of living rooms. Could have browsed floor plans. Could have watched.
He didn’t.
Instead, he reported the issue. DJI says it identified the vulnerability in late January and deployed patches on February 8 and 10. The fix was automatic. No user action required.
The episode lasted days. The implications will linger longer.
Smart Homes, Soft Targets
This story lands at a time when smart home anxiety is already simmering.
Consumers have been wrestling with the privacy trade-offs of connected devices. Doorbells that upload footage. Cameras that can be accessed remotely. Voice assistants that sit patiently in kitchens. Each device promises convenience. Each requires trust.
As of 2020, 54 million U.S. households had at least one smart home device installed. Those who own one often want more. Meanwhile, companies are building increasingly sophisticated home robots — including humanoid models designed to wash dishes and perform chores.
For these machines to work effectively, they must know us. They must see. Hear. Map. Learn.
And every additional sensor is also a potential vantage point.
AI as Both Lockpick and Flashlight
There’s another quiet subplot here: AI coding tools.
Azdoufal reportedly used one to help understand how the vacuum communicated with DJI’s servers. These tools lower the barrier to technical experimentation. That’s wonderful for innovation. It’s less wonderful when vulnerabilities are involved.
When reverse-engineering becomes easier, so does discovering — and potentially exploiting — flaws.
The same tools that help someone build a joystick controller could, in less ethical hands, help someone build a surveillance dashboard.
The Robot Army That Wasn’t
The imagery is irresistible: thousands of vacuums quietly idling in dock stations around the world, momentarily exposed to outside command. A silent mechanical legion, armed not with lasers but with microfiber mops.
In reality, nothing dramatic happened. No rogue vacuums racing through hallways. No synchronized microphone activation. No cinematic cyber takeover.
Just a reminder.
Connected devices are not merely appliances anymore. They are networked sensors in intimate spaces. They are cloud-dependent robots that understand the shape of your home better than some guests do.
For a few days, one engineer accidentally became their unlikely general. Then the patches rolled out. The joysticks returned to normal duties. And somewhere, thousands of vacuums resumed their quiet patrols — blissfully unaware they had almost joined history’s strangest robot army.