Overview
- Spanish software engineer Sammy Azdoufal said a PS5 control experiment unexpectedly connected his custom app to DJI servers and exposed data from thousands of Romo vacuums across about 24 countries.
- He reported seeing live camera feeds, hearing microphones, mapping home layouts, estimating locations via IP addresses, and collecting more than 100,000 device messages.
- DJI said the server-side vulnerability was resolved before public disclosure, with remediation completed last week, and Azdoufal found access had been blocked by Feb. 24.
- Azdoufal said he notified media rather than exploiting the access and emphasized he did not bypass protections or use brute-force methods.
- Mashable noted the Romo disappeared from DJI’s online store as of Feb. 26, as security experts urged stronger authentication and more rigorous development practices for smart-home devices.