Overview
- Software engineer Sammy Azdoufal said a PS5 controller project and an AI coding assistant led him to enumerate roughly 6,700–7,000 DJI Romo vacuums across about 24 countries.
- Accessible data reportedly included live video, microphone audio, detailed floor plans, serial numbers, IP addresses, and status information, effectively revealing activity inside homes.
- DJI acknowledged a backend MQTT permission validation issue, said it began remediation in late January, and deployed two updates in early February that it says resolved the primary flaw.
- The researcher claims additional weaknesses persist, including a possible PIN bypass and concerns about server-side data handling; DJI says it is strengthening PIN verification and reviewing the other claims.
- There is no public evidence of widespread malicious exploitation, but the case spotlights systemic smart‑home privacy risks tied to cloud‑managed devices and how AI tools can speed protocol analysis.