- A user accidentally gained access to thousands of DJI Romo vacuum cleaners around the world.
- Sensitive data, including floor plans and live video feeds, was exposed online.
- The encryption of communications was intact, but the server storage remained completely unprotected.
One hobbyist discovered that his DJI Romo vacuum cleaner was inadvertently allowing access to thousands of other devices.
Sammy Azdoufal, an artificial intelligence strategist, used reverse engineering to understand how Romo communicated with DJI servers. He did not hack DJI systems or bypass encryption, and he did not use brute force or other illicit methods.
He was attempting to control his own robot using a PlayStation controller when the protocol returned private tokens for other vacuum cleaners: more than 6,700 devices located in multiple regions, including the United States, Europe, and China.
Discovery and technical details
The main problem was that the device’s data was stored in plain text on the server, allowing anyone who gained access to read floor plans, live video feeds, and microphone inputs.
The encryption that protected communications was flawless, but data storage exposed sensitive information to anyone who had access.
Azdoufal immediately reported the vulnerability to DJI, and the company issued updates to fix several issues without requiring user intervention.
Some vulnerabilities remain, including the ability to stream video without a security PIN and another issue that has not been disclosed due to its severity.
These remaining issues indicate that server-side access control and data storage still need attention.
Unfortunately, this is not an isolated case: an engineer previously discovered that his iLife A11 smart vacuum cleaner was continually sending logs and telemetry to the manufacturer.
When he blocked the reporting on his network, the company disabled the device remotely.
Through technical adjustments, he restored local functionality, demonstrating that cloud connectivity is not strictly necessary for the device to function properly.
Many consumers buy smart devices for convenience, but incidents like these show the potential risks when ordinary users can accidentally access private data.
Live videos, floor plans, and other information could be exposed if attackers exploit similar vulnerabilities.
Using firewall software, endpoint protection and careful monitoring of network activity can reduce exposure, and broader use of artificial intelligence tools could also help identify unusual patterns, although this does not guarantee detection.
Users should be aware that even minor configuration errors or design flaws can create significant privacy risks.
The case of the DJI Romo vacuum cleaners indicates that IoT devices can prioritize convenience over strong data protection. While this discovery was accidental and responsibly reported, the underlying design leaves sensitive personal information vulnerable.
This raises valid concerns about both unintended access and potential targeted attacks in the future.
Via Tom's Hardware




