
How A Man With A PS5 Controller Became The Commander Of An Army Of Robot Vacuum Cleaners

26/02/2026

In a story that blends innocent tinkering with a stark reminder of IoT vulnerabilities, a Spanish software engineer named Sammy Azdoufal recently found himself in an unexpected situation.

At the time, Azdoufal, who leads AI strategy at a property management and travel company, had just purchased a DJI Romo, a new line of high-end robot vacuum cleaners from DJI, the brand best known for its drones, cameras, and gimbals.

Launched in late 2025 or early 2026, DJI Romo marks the company's first major move into the smart home cleaning market. The product brings DJI's signature strengths: advanced sensors, sophisticated navigation systems, and precision engineering.

These are technologies originally refined for aerial drones, now deployed at floor level.

But while DJI successfully translated its hardware expertise to the living room, it appears to have overlooked something critical along the way: security, and in a serious way.

DJI Romo, a $2,000 vacuum cleaner.

DJI Romo is a complex machine indeed.

First off, the Romo lineup includes three main models: the entry-level Romo S, the mid-range Romo A, and the premium Romo P. They share core features like an impressive 25,000 Pa suction power (among the highest available), dual fisheye cameras combined with solid-state LiDAR for extremely accurate mapping and obstacle avoidance, and up to about three hours of battery life on lower settings.

The robots handle both vacuuming and mopping (with variations like a dedicated water tank on some versions), offer multiple cleaning modes (such as sweeping + mopping, mopping only, or custom zoned cleaning), and include extras like automatic dust-box drying to prevent mold and odors.

As mentioned earlier, what sets the Romo apart is its "drone-grade" tech: flagship-level perception systems for near-zero-intervention navigation, meaning it dodges furniture, cables, and pet messes with exceptional intelligence.

The design leans futuristic and elegant, with some models featuring translucent or transparent elements on the dock and body for a premium aesthetic.

For DJI fans, avid users of smart home devices, tech-savvy individuals, hobbyists and others alike, the Romo lineup is a welcome addition to their world.

But then it emerged that all three Romos shipped with a severe security issue.

It came to light one day when Azdoufal was tinkering with his new Romo and decided to mod it for fun.

His goal was simple: he wished to connect the high-end autonomous vacuum cleaner to his Sony PlayStation 5 controller.

The idea was to steer it like a character in a video game.

Using an AI coding assistant from Anthropic called Claude Code, Azdoufal reverse-engineered the vacuum's communication protocol with DJI's cloud servers. He extracted a private authentication token tied to his own device, built a custom remote-control app, and got it working.

But what he didn't expect was that the same credentials granting him access to his Romo would unlock thousands of others.

Suddenly, his app was receiving responses from vacuums across 24 countries, including the United States, Europe, and China.

In total, Azdoufal could control around 6,700 to 7,000 devices, depending on the count, right from his living room.

The implications were chilling.

Through this backend security flaw, which can be described as a misconfiguration in how the servers handled authentication, Azdoufal could pull up detailed 2D floor plans of users' homes, view live camera feeds from the vacuums' onboard sensors, listen to audio via built-in microphones, check battery levels and cleaning status, and even remotely command the robots to move.

He collected over 100,000 messages from the devices and could approximate locations using IP addresses.

In one demonstration for a reporter, he entered a serial number and within minutes observed a vacuum actively cleaning a living room, complete with its floor map and battery percentage.
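The flaw described above is the classic pattern of a backend that authenticates a request (is this token genuine?) but never authorizes it (is this token allowed to act on the serial number it names?). The following is an added illustrative model of that pattern, written for this article; it is not DJI's code and makes no claim about how the Romo servers are actually implemented. The token format, the `FLEET` sample data, the serial numbers and the handler names are all constructed assumptions. It shows the unchecked handler beside a corrected one that binds the token to its device, records cross-device attempts in an audit log that a SOC could alert on, and measures the blast radius of a single token under each handler.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Assumption: a server-side signing key. Constructed value for this demo only.
SERVER_SECRET = b"constructed-demo-signing-key"

# Constructed sample fleet (serial -> last reported status). Not real devices.
FLEET: Dict[str, dict] = {
    "ROMO-0001": {"battery": 87, "state": "docked", "map_id": "map-0001"},
    "ROMO-0002": {"battery": 42, "state": "cleaning", "map_id": "map-0002"},
    "ROMO-0003": {"battery": 5, "state": "charging", "map_id": "map-0003"},
}

# Audit trail of rejected cross-device requests; a SOC would forward this to a SIEM.
AUDIT_LOG: List[dict] = []


def issue_device_token(serial: str) -> str:
    """Issue a token bound to one serial: '<serial>.<HMAC-SHA256(serial)>' (assumed format)."""
    mac = hmac.new(SERVER_SECRET, serial.encode(), hashlib.sha256).hexdigest()
    return f"{serial}.{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the serial the token was issued for, or None if it is forged or malformed."""
    serial, sep, mac = token.rpartition(".")
    if not sep or not serial:
        return None
    expected = hmac.new(SERVER_SECRET, serial.encode(), hashlib.sha256).hexdigest()
    return serial if hmac.compare_digest(mac, expected) else None


def handle_status_vulnerable(token: str, requested_serial: str) -> dict:
    """Authentication only: any genuine token can read any device's status.

    This is the broken object-level authorization pattern: the server checks
    that the token is valid but never checks which device it was issued for.
    """
    if verify_token(token) is None:
        return {"error": "unauthenticated"}
    return FLEET.get(requested_serial, {"error": "unknown device"})


def handle_status_fixed(token: str, requested_serial: str) -> dict:
    """Authentication plus authorization: the token must be bound to the requested serial."""
    bound_serial = verify_token(token)
    if bound_serial is None:
        return {"error": "unauthenticated"}
    if bound_serial != requested_serial:
        # Log the mismatch: a burst of these from one token is a strong detection signal.
        AUDIT_LOG.append({"token_serial": bound_serial, "requested": requested_serial})
        return {"error": "forbidden"}
    return FLEET.get(requested_serial, {"error": "unknown device"})


def reachable_devices(handler: Callable[[str, str], dict], token: str) -> int:
    """Blast radius: how many fleet devices one token can read through a given handler."""
    return sum(1 for serial in FLEET if "error" not in handler(token, serial))


if __name__ == "__main__":
    own_token = issue_device_token("ROMO-0001")
    print("vulnerable handler, devices reachable with one token:",
          reachable_devices(handle_status_vulnerable, own_token))
    print("fixed handler, devices reachable with one token:",
          reachable_devices(handle_status_fixed, own_token))
    print("audit log entries:", len(AUDIT_LOG))
```

The fix is a single comparison, which is the point: the cryptographic check on the token was never the problem, and the exposure came from omitting the authorization step that ties a valid credential to the one object it is allowed to touch. The audit log gives defenders the corresponding detection: a single token requesting many serials it does not own.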

Azdoufal stressed that he never intended to breach systems or exploit anyone.

"I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever," he said, emphasizing that the access stemmed directly from how DJI's servers were coded. He didn't misuse the power, nor become their commander for anything more than a brief moment of curiosity, choosing restraint over control, and observation over exploitation.

Azdoufal reached out responsibly.

Initial emails to DJI went unanswered, but after sharing details with major publications, the company acted swiftly.

DJI rolled out fixes in early February 2026, with updates on the 8th and 10th, and publicly thanked Azdoufal for his responsible disclosure on X.

Experts have pointed to this as a classic case of security being treated as an afterthought in the rush to connect everyday appliances to the internet. Many manufacturers, they note, adopt a "move fast and break things" mindset and often fail to enforce unique user credentials or to anticipate risks in cloud-device interactions.

Robot vacuums, which map intimate home layouts and increasingly include cameras and mics for better navigation, have become prime targets for such flaws. A compromised one can be turned into a powerful surveillance tool without the owner's awareness.

The incident underscores broader concerns about smart home ecosystems.

With millions of households relying on connected devices, a single authentication slip can expose private spaces on a massive scale.

Azdoufal's accidental discovery, born from a playful experiment with a game controller, ultimately helped patch a vulnerability before malicious actors could exploit it. DJI has since resolved the main issue, though Azdoufal hinted at uncovering additional flaws not yet fully detailed.

In the end, what started as one man's quest for joystick-powered cleaning ended up safeguarding thousands of homes from unintended spying.