After weeks of uncertainty, Chinese tech manufacturer DJI has confirmed it will pay $30,000 to software engineer Sammy Azdoufal for his discovery of significant security vulnerabilities in the company's Romo robot vacuum platform, according to reporting by The Verge. The payment, however, masks deeper concerns about the company's approach to product security and the broader vulnerability of internet-connected home devices.
Azdoufal, an AI strategy specialist based in Spain, discovered the flaws while attempting a simple customisation: controlling his new Romo with a PlayStation 5 controller, using an AI coding assistant to write the glue code. Instead of giving him access to only his own device, the authentication system granted him control over approximately 6,700 robot vacuums located across at least 24 countries. What emerged was not a sophisticated hack but a blatant design flaw in how DJI's cloud infrastructure managed device permissions.
The technical cause was neither an encryption failure nor a complex intrusion. DJI's MQTT message broker, which handles real-time communication between Romo devices and the cloud, had no topic-level access controls, so any authenticated client could subscribe to wildcard topics and read the traffic of every device on the network. The weakness was not the encryption of the connection to DJI's servers but what sat behind it: message data was stored in plain text and could be read by anyone who had access to the broker.
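The flaw described above is an authorization gap, not an authentication one: the broker checked who a client was, but not which topics that client was allowed to subscribe to. The following is an added illustration, not DJI's code or any real Romo topic scheme. It implements MQTT topic-filter matching (the `+` and `#` wildcards), then runs the same subscription requests through two broker policies: one that only checks that the client is authenticated, as the article describes, and one that ties every subscription to the client's own device namespace. The topic layout `devices/<serial>/<channel>`, the sample messages, and the client-to-serial binding are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed sample broker traffic. The 'devices/<serial>/<channel>' layout
# is an assumption for this example, not DJI's real topic scheme.
SAMPLE_TRAFFIC: list[tuple[str, str]] = [
    ("devices/ROMO-0001/map", '{"rooms": 4, "area_m2": 92}'),
    ("devices/ROMO-0001/camera", "<frame bytes>"),
    ("devices/ROMO-0002/map", '{"rooms": 2, "area_m2": 41}'),
    ("devices/ROMO-0002/camera", "<frame bytes>"),
    ("devices/ROMO-0003/status", '{"battery": 87, "serial": "ROMO-0003"}'),
]


@dataclass(frozen=True)
class Client:
    client_id: str
    serial: str  # the single device this credential is bound to (assumed binding)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level,
    '#' matches the remainder and is only valid as the last level."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


Policy = Callable[[Client, str], bool]


def authz_authenticated_only(client: Client, topic_filter: str) -> bool:
    """The broker behaviour the article describes: authentication is the
    only check, so any logged-in client may subscribe to any filter."""
    return True


def authz_topic_acl(client: Client, topic_filter: str) -> bool:
    """Hardened policy: the filter must be rooted at the client's own
    literal namespace. Wildcards are still allowed below that root but
    can never expand into another device's topics."""
    levels = topic_filter.split("/")
    return len(levels) >= 2 and levels[0] == "devices" and levels[1] == client.serial


def subscribe(policy: Policy, client: Client, topic_filter: str,
              traffic: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Messages the subscriber receives under `policy`, or PermissionError
    if the broker refuses the subscription."""
    if not policy(client, topic_filter):
        raise PermissionError(f"{client.client_id}: SUBSCRIBE {topic_filter!r} refused")
    return [(t, p) for t, p in traffic if topic_matches(topic_filter, t)]


def exposed_serials(policy: Policy, client: Client, topic_filter: str,
                    traffic: list[tuple[str, str]]) -> set[str]:
    """Set of device serials whose traffic the client can read with this filter."""
    try:
        received = subscribe(policy, client, topic_filter, traffic)
    except PermissionError:
        return set()
    return {topic.split("/")[1] for topic, _ in received}


if __name__ == "__main__":
    # One legitimate owner credential, bound to a single robot.
    tinkerer = Client(client_id="app-42", serial="ROMO-0001")
    for name, policy in (("authenticated-only", authz_authenticated_only),
                         ("topic ACL", authz_topic_acl)):
        for flt in ("devices/#", "devices/+/camera", "devices/ROMO-0001/#"):
            reach = sorted(exposed_serials(policy, tinkerer, flt, SAMPLE_TRAFFIC))
            print(f"{name:19} {flt:24} -> {reach}")
```

Under the authenticated-only policy a single owner credential plus `devices/#` sees every device on the broker, which is the 6,700-device outcome in miniature; under the topic ACL the same credential is confined to `ROMO-0001`. In a real deployment the equivalent of `authz_topic_acl` is broker configuration rather than application code (for Mosquitto, an `acl_file` with a `pattern read devices/%u/#` rule, where `%u` is substituted with the authenticated username), and the same restriction must be applied to publish as well as subscribe.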
From those thousands of exposed devices, Azdoufal could access live camera feeds, microphone audio, cleaning routes, serial numbers, and detailed 2D floor plans of homes. He chose not to exploit this access for malicious purposes and instead reported it to DJI and The Verge.
DJI deployed patches on February 8 and 10, 2026; the fixes were applied automatically, with no user action required. The company stated the vulnerability had been identified through internal review in late January. Yet here lies a critical governance question. Security researcher Kevin Finisterre, quoted in The Verge's coverage of the Romo breach, had reported a similar DJI vulnerability in 2017; nine years later the same company faced the same category of problem, a detail that should embarrass DJI more than the breach itself.
More troubling still, significant vulnerabilities remain unfixed. Azdoufal identified a PIN bypass that allows viewing a Romo camera stream without the required security code, and a second vulnerability serious enough that The Verge agreed not to describe it while DJI works on a fix. DJI said it would ship additional patches within one month, a timeline that has drawn scrutiny from security analysts who worry the company may lack institutional urgency.
The broader context complicates any straightforward assessment. While DJI says the issue has been "resolved," cybersecurity experts have long warned that internet-connected robots and other smart home devices are attractive targets for attackers. AI-powered coding tools lower the skill needed to find and exploit software flaws, which only amplifies those worries.
DJI faces legitimate constraints. Building smart home devices requires cloud connectivity for features like remote monitoring and mapping. The company's challenge is not whether to connect devices to the cloud, but how to architect those systems with proper access controls. That is a design problem, not an innovation-versus-security trade-off.
From a fiscal responsibility perspective, DJI's $30,000 payment is modest compared to potential liability from a privacy breach involving thousands of homes. Responsible companies should view this as a cost of doing business in regulated smart home markets rather than as punishment. From a consumer protection standpoint, however, the fact that Azdoufal discovered such a significant vulnerability using publicly available tools while DJI's own security processes missed it for weeks raises legitimate questions about the adequacy of internal testing and third-party audits.
The incident illustrates a genuine tension between individual liberty (tinkerers should be free to modify their own devices) and collective security (those modifications should not expose others' privacy). Azdoufal's actions were technically lawful and ethically sound. Yet his success revealed systemic weakness.
A pragmatic path forward requires three things. First, DJI must complete the remaining patches on a transparent schedule and publish technical documentation of what went wrong. Second, manufacturers across the smart home sector must adopt mandatory security audits before cloud-connected devices reach consumers. Third, regulatory bodies should consider whether current smart home certification standards (including EU certifications DJI already holds) are sufficiently rigorous for devices with cameras and microphones in private spaces.
DJI's payment to Azdoufal signals that the company recognises the value of independent vulnerability discovery. Whether it signals a genuine institutional shift toward security-first design remains an open question. The answer will likely appear in whether the next vulnerability takes weeks or years to surface.