DJI Romo Exploit: Thousands of Robot Vacuums Exposed

By - February 14, 2026

    Executive Summary

    • A security researcher accidentally uncovered a critical vulnerability in DJI Romo robot vacuums, granting remote access to thousands of devices globally.
    • The flaw allowed unauthorized access to live camera feeds, microphones, real-time floor plans, and device location data without server-side hacking.
    • DJI implemented patches shortly after being notified, but initial statements were incomplete, raising concerns about transparency and the full extent of remediation.
    • This incident highlights persistent security challenges in the smart home IoT sector and the critical need for robust access controls beyond basic encryption.

    The Deep Dive: Accidental Discovery & MQTT Vulnerability

    What began as a playful attempt by Sammy Azdoufal to control his new DJI Romo vacuum with a PS5 gamepad quickly escalated into the discovery of a profound security flaw. Azdoufal, using AI tools like Claude Code, reverse-engineered DJI's communication protocols. Instead of merely controlling his own device, he found that extracting his personal private token – the key for legitimate access to his own vacuum – inexplicably granted him access to an 'ocean' of other DJI devices. This wasn't a server hack; rather, DJI's backend systems failed to properly validate permissions, allowing an authenticated client to access data far beyond its intended scope.

    The Technical Breakdown: MQTT & Data Exposure

    The core of the vulnerability lay in DJI's implementation of the MQTT (Message Queuing Telemetry Transport) protocol. Devices were 'phoning home' with sensitive data every three seconds, including serial numbers, cleaning status, environmental observations, travel distance, and battery life. Azdoufal's method allowed him to subscribe to wildcard MQTT topics, revealing messages from approximately 7,000 DJI Romo vacuums and over 10,000 total DJI devices (including DJI Power stations) across 24 countries. Crucially, while DJI claimed TLS encryption for data in transit, Azdoufal demonstrated that at the application layer, once authenticated, the data was effectively 'cleartext': the broker enforced no topic-level access control lists (ACLs), so nothing stopped one authenticated client from subscribing to other customers' topics. TLS secured the 'pipe', but the 'contents inside the pipe' were accessible to any authenticated participant, authorized or not.

    The accessible data was extensive: live video feeds from onboard cameras, audio from microphones (a feature Azdoufal found 'weird' for a vacuum), real-time 2D floor plans of homes, and rough geographical locations via IP addresses. Azdoufal even demonstrated accessing a colleague's review unit using only its serial number, instantly generating an accurate floor plan and seeing its status.

    Specs & Data: Vulnerability Overview

    Aspect                    | Details
    --------------------------|-------------------------------------------------------------
    Vulnerability Type        | Backend permission validation; MQTT topic-level access control failure
    Affected Devices          | DJI Romo Robot Vacuums, DJI Power Portable Power Stations
    Estimated Exposed Devices | ~7,000 (Romo Vacuums), ~10,000+ (Total DJI devices)
    Accessible Data           | Live Camera Feed, Live Microphone Audio, 2D Home Floor Plans, Device Location (IP), Serial Numbers, Cleaning Status, Battery Life
    Exploit Method            | Extracting own private token, subscribing to wildcard MQTT topics without proper ACLs
    DJI Remediation Status    | Initial patch Feb 8, Follow-up update Feb 10; stated 'fully resolved'

    Market Impact & Industry Ramifications

    This incident sends ripples through the smart home industry, particularly for companies manufacturing IoT devices that integrate cameras and microphones into private spaces. It damages trust, especially for Chinese tech firms already under scrutiny in Western markets. The fact that a hobbyist researcher, not a professional hacker, could uncover such a widespread vulnerability so easily highlights a systemic issue in IoT security. It also underlines the imperative for manufacturers to go beyond transport encryption and implement granular, topic-level access controls on their MQTT brokers. The reliance on AI tools like Claude Code for reverse-engineering also points to new frontiers in both vulnerability discovery and potential exploitation. Furthermore, DJI's initial lack of complete transparency regarding the fix — claiming full resolution when the vulnerability was still partially present — will erode consumer confidence and serves as a stark warning to other companies about public communication during security crises.

    The Verdict: A Troubling Reminder of IoT Security Gaps

    While DJI acted relatively swiftly to deploy patches, the exposure of thousands of private home environments to unauthorized access is a severe security lapse. The ease with which this vulnerability was discovered and the breadth of accessible personal data underscore the critical need for stringent security by design in all IoT devices, especially those with cameras and microphones. This event is a stark reminder that 'connected' often means 'exposed' if proper architectural safeguards like robust access control lists are not meticulously implemented. Consumers must remain vigilant about the privacy implications of smart devices, and manufacturers must prioritize security over features, ensuring complete transparency when vulnerabilities are discovered and remedied.

    Author

    Editor at The Daily Beat. Passionate about uncovering the truth and sharing stories that matter.