A software engineer in Spain had the surprise of his life when he found himself in control of thousands of robots in what was supposed to be a pet project. Sammy Azdoufal set out to customize his new Chinese-made DJI Romo robot vacuum, a high-end autonomous cleaner that comes with a price tag of $2,000 that maps homes, mops floors, and navigates obstacles with onboard sensors, according to Popular Science.
Dissatisfied with the manufacturer's app, Azdoufal aimed to steer the device using a PlayStation 5 controller (like any intelligent man would) and that’s when things got weird.
Using an AI-powered coding assistant, Azdoufal reverse-engineered the vacuum's communication protocol with DJI's cloud servers and unwittingly uncovered a critical backend vulnerability. The authentication token for his single device granted access to live camera feeds, microphone audio, detailed floor maps, and operational status from nearly 7,000 other Romo units deployed across 24 countries.
Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.
With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.
...
Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it. -The Verge
In malicious hands, attackers could have monitored private spaces, eavesdropped on conversations, or even remotely maneuvered the devices without owners' knowledge. IP addresses provided approximate locations, compounding the privacy breach.
The Verge alerted DJI, which acted swiftly. The company identified the issue during an internal review in late January 2026, deployed an initial patch on February 8, and completed a follow-up update by February 10.
The recent security lapse in the robot vacuum will likely fuel U.S. regulators' scrutiny of the Chinese company. Just two months after the Federal Communications Commission added foreign-made drones and critical components, including those from DJI, to its Covered List in December 2025—effectively blocking approvals for new models—DJI filed a petition last week challenging the decision in the U.S. Court of Appeals for the Ninth Circuit. The company argues the FCC acted without sufficient evidence of national-security threats, procedural flaws, and violations of due process.
"It carelessly restricts DJI’s business in the U.S. and summarily denies U.S. customers access to its latest technology," the Chinese dronemaker said in a statement obtained by Reuters.
The Federal Communications Commission decision in December meant that DJI, Autel and other foreign drone companies will not be able to obtain the necessary FCC approval to sell new models of drones or critical components in the U.S but it can continue to sell existing versions, Reuters said.
Last March, FCC Chairman Brendan Carr announced the launch of a broad investigation into whether companies aligned with the Chinese Communist Party continue to conduct business in the U.S., despite their equipment and services having been designated as posing unacceptable risks to national security.
The probe, the first major effort by the agency's newly established Council on National Security, targets entities previously added to the FCC's Covered List under the Secure and Trusted Communications Networks Act. Placement on the list prohibits new FCC equipment authorizations for those companies' products, effectively barring their importation, marketing and sale of new models in the U.S., and restricts their use in networks supported by federal funds.
“The FCC has taken concrete actions to address the threats posed by Huawei, ZTE, China Telecom, and many other entities that pose an unacceptable risk to America’s national security, including by doing Communist China’s bidding,” Carr said in a statement at the time.
“We have reason to believe that, despite those actions, some or all of these Covered List entities are trying to make an end run around those FCC prohibitions by continuing to do business in America on a private or ‘unregulated’ basis. We are not going to just look the other way,” he added.
