Table of Contents
Are Smart Home Devices Secure? Understanding the DJI Romo Data Breach Discovery
A technology enthusiast’s weekend project exposed a critical vulnerability affecting thousands of connected robotic vacuum cleaners, highlighting significant concerns about smart home device security and data privacy.
The Accidental Discovery
Sammy Azdoufal, an AI executive at French property management firm Emerald Stay, attempted a straightforward modification: controlling his DJI Romo robotic vacuum with a PlayStation 5 controller. During development of his custom remote control application, he encountered an unexpected result. His app didn’t merely connect to his personal device—it granted access to approximately 7,000 DJI robotic vacuums worldwide.
The discovery wasn’t intentional intrusion. Azdoufal extracted his device’s private authentication token, a credential that identifies legitimate users to DJI’s servers. This single token, combined with any 14-digit device identifier, provided complete system access without additional verification layers.
Understanding DJI’s Market Position
DJI (Da-Jiang Innovations) operates from Shenzhen, China, where founder Frank Wang established the company in 2006. The manufacturer dominates the civilian drone market, producing quadcopters for photography and commercial applications. US authorities have restricted DJI drone usage in sensitive operations due to security considerations.
The company expanded beyond aerial devices with the DJI Romo robotic vacuum series, launched in late 2025. These products incorporate drone-derived technology, including LiDAR navigation systems and advanced obstacle detection. Models range from basic units to versions featuring self-cleaning docking stations.
What the Vulnerability Exposed
The security gap allowed unauthorized parties to:
- Access live camera feeds from devices, capturing both video and audio
- View complete 2D floor plans that robots generated while mapping homes
- Monitor real-time cleaning patterns and room-by-room activity
- Track device locations through IP address data
- Send remote control commands to any connected unit
Every three seconds, these robots transmitted MQTT data packets to DJI servers. Each transmission contained serial numbers, cleaning progress, camera observations, distance traveled, charging schedules, and encountered obstacles. This continuous data stream flowed without proper authentication barriers.
Azdoufal demonstrated the vulnerability to journalists, providing real-world evidence of the security failure. He accessed DJI’s development servers alongside production systems serving the United States, China, and European Union markets.
The Technical Breakdown
The flaw centered on inadequate access verification. DJI’s infrastructure failed to implement proper authorization checks beyond the initial authentication token. Once the system confirmed a valid token existed, it granted blanket access to any device identifier provided, regardless of ownership relationships.
This represents a fundamental security architecture error. Proper implementation requires multiple verification layers:
- Token validation confirming user identity
- Device ownership verification linking specific units to account holders
- Permission scope limits restricting data access to owned devices only
- Activity logging to detect unusual access patterns
Manufacturer Response and Broader Implications
After receiving reports from Azdoufal and media outlets, DJI addressed the vulnerability within hours, blocking unauthorized server communication. The company indicated awareness of the access rights verification error, claiming a fix was already under development.
This rapid response, while positive, raises troubling questions about cloud-connected appliances. These devices continuously upload detailed home mapping data, visual recordings, and behavioral patterns to remote servers. For DJI products, this information routes through Chinese infrastructure, where legal frameworks permit government access to corporate data.
The incident mirrors previous smart home security concerns. Connected devices operating in residential spaces create persistent surveillance capabilities. When manufacturers implement insufficient security measures or maintain data on accessible servers, users face exposure risks they rarely consider during purchase decisions.
Privacy Considerations for Smart Home Owners
This discovery demonstrates how convenience features create potential vulnerabilities. Cloud connectivity enables remote control and software updates, but it also establishes data collection pipelines. Consumers should evaluate several factors when selecting connected home devices:
- Data storage locations and jurisdictional access laws
- Encryption standards for transmitted information
- Local versus cloud processing options
- Manufacturer security track records
- Third-party security audit availability
The DJI Romo incident serves as a cautionary example. A single hobbyist, working independently without malicious intent, accessed thousands of private home environments through a straightforward technical process. This suggests the barrier to entry for deliberate intrusion remains disturbingly low when manufacturers implement inadequate security frameworks.
Organizations operating in sensitive environments should particularly scrutinize connected device deployments. Mapping data and visual surveillance capabilities present strategic intelligence risks when accessible through inadequately secured channels.