There is a category of mishap peculiar to modern technology: the accidental discovery that upends everything. Sammy Azdoufal was not looking for trouble. He wanted only to steer his new DJI Romo robot vacuum with a PlayStation 5 controller rather than fumbling through a smartphone app. It was a small ambition, the kind that leads software engineers into rabbit holes of reverse-engineering and API exploration. What he found instead was not a clever workaround. It was a gaping hole in the security of 7,000 robot vacuums scattered across 24 countries.
The story begins with the mundane. Azdoufal wanted to control his DJI Romo with his PS5 gamepad, so he built a custom controller app that authenticated to DJI's cloud servers with his own security token, reverse-engineering the cloud API with the assistance of an AI coding tool. This is not exotic hacking. It is the kind of tinkering that any capable engineer might undertake on a Sunday afternoon.
But DJI's backend failed at what should be elementary: proper authorization. Azdoufal's token was valid, and the backend accepted it, but instead of scoping it to the single robot he owned, it granted broad access rights to approximately 7,000 robot vacuum cleaners located in 24 countries, along with their sensor data stored in the cloud. His personal security token became, in effect, a master key to everyone else's home.
As a result of the authorization flaw, Azdoufal gained access to 7,000 live camera feeds with audio and could even compile 2D floor plans of homes cleaned by other DJI Romos. He could also identify the approximate geographical locations of these homes from the IP addresses the backend returned. The vulnerability was not subtle. It was wholesale exposure of domestic privacy to anyone with the technical knowledge to replicate what Azdoufal had done.
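The shape of the flaw described above, a backend that checks who the caller is but not whether the requested object belongs to them, is what the OWASP API Security list calls broken object-level authorization. The following is an added illustration of that pattern beside its corrected form. It is not DJI's code and nothing about DJI's real API is known from the article; the token format, the device registry, the `feed_url` strings and the handler names are all assumed for the example.

```python
# Added illustrative example: broken object-level authorization in a
# device-cloud API, beside the corrected check. This is NOT DJI's code;
# the token format, device registry and handler names are all assumed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # account that registered the device
    feed_url: str       # where the cloud would serve the camera stream


# Constructed sample data: three robots belonging to two different accounts.
DEVICES = {
    "romo-0001": Device("romo-0001", "acct-sammy", "rtsp://cloud.example/feed/0001"),
    "romo-0002": Device("romo-0002", "acct-alice", "rtsp://cloud.example/feed/0002"),
    "romo-0003": Device("romo-0003", "acct-alice", "rtsp://cloud.example/feed/0003"),
}

# Constructed bearer tokens -> account. A real backend would verify a signed
# token; this mapping stands in for that step.
TOKENS = {
    "tok-sammy": "acct-sammy",
    "tok-alice": "acct-alice",
}


class Unauthorized(Exception):
    """Caller could not be identified (bad or missing token)."""


class Forbidden(Exception):
    """Caller is identified but may not touch the requested object."""


def authenticate(token: str) -> str:
    """Step 1: is the caller who they say they are? Returns the account id."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid token") from None


def get_feed_vulnerable(token: str, device_id: str) -> str:
    """Authentication only. Any valid token can fetch any device's feed:
    identity is proven, ownership is never checked."""
    authenticate(token)
    return DEVICES[device_id].feed_url


def get_feed_secure(token: str, device_id: str) -> str:
    """Authentication plus object-level authorization: the device must
    belong to the account the token was issued to."""
    account = authenticate(token)
    device = DEVICES.get(device_id)
    # Same error for "not yours" and "does not exist", so the endpoint
    # cannot be used to enumerate which device ids are registered.
    if device is None or device.owner != account:
        raise Forbidden("no such device for this account")
    return device.feed_url


def list_devices_secure(token: str) -> list[str]:
    """Listing must be scoped to the caller too, never 'all registered robots'."""
    account = authenticate(token)
    return sorted(d.device_id for d in DEVICES.values() if d.owner == account)


if __name__ == "__main__":
    # Sammy's token reaching Alice's robot: served by the vulnerable handler,
    # refused by the hardened one.
    print(get_feed_vulnerable("tok-sammy", "romo-0002"))
    try:
        get_feed_secure("tok-sammy", "romo-0002")
    except Forbidden as e:
        print("refused:", e)
    print(list_devices_secure("tok-sammy"))
```

The practical check a reviewer applies to any endpoint of this kind is simple: every handler that takes an object identifier must, after authenticating, load the object and compare its owner to the authenticated principal before returning anything, including list and metadata endpoints, since a listing that returns every device is the same flaw with a different verb.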
What matters here is Azdoufal's choice. He chose to disclose the information rather than abuse it, alerting The Verge, which contacted DJI, and DJI fixed the problem by mid-February. This restraint deserves recognition. The alternative would have been far more damaging.
DJI told reporters the issue has been 'resolved', though the episode underscores what cybersecurity experts have long warned: internet-connected robots and other smart home devices are attractive targets for attackers. Here the narrative becomes more complicated. According to The Verge's reporting, DJI spokesperson Daisy Kong told the publication the vulnerability had been fixed shortly before Azdoufal demonstrated that thousands of vacuums were still reporting in live. The company claims discovery of the problem was internal; Azdoufal's role was presented as supplementary. DJI stated it identified the vulnerability in late January and initiated remediation, with an initial patch deployed on February 8 and a follow-up update completed on February 10.
The compensation tells a different story. DJI will pay Azdoufal USD30,000 for a single discovery, according to an email he shared with The Verge, without specifying which discovery it is paying him for. This is not insignificant, though it raises questions about incentive structure. If DJI's public posture is that it discovered the flaw internally, why pay a researcher at all? The answer, perhaps, is that it knew better.
Yet the story does not end there. The broader vulnerability landscape remains troubling. Azdoufal claimed that additional weaknesses remain, including the ability for users to view their own DJI Romo video stream without the required security PIN. DJI has committed to addressing this within weeks, but weeks is a long time when camera feeds are exposed. The Verge agreed not to describe a second serious vulnerability while DJI works on a fix. That kind of embargo suggests a problem significant enough that public knowledge could create immediate danger.
From a centre-right perspective concerned with institutional accountability, this matters. Companies tasked with stewarding consumer data should face genuine consequences when they fail. DJI's initial reluctance to credit Azdoufal, the vague statements about "internal review", and the undisclosed nature of what the USD30,000 actually purchased all point toward an institution uncomfortable with transparency. The bonus was perhaps calculated as damage control rather than earned recognition.
But the progressive critique has force here too. The incident highlights ongoing security challenges within the smart home category, particularly for connected devices equipped with cameras and microphones. AI-powered coding tools, which make it easier for people with less technical knowledge to exploit software flaws, risk amplifying those worries even further. This is not Azdoufal's fault; he used a tool responsibly. The concern is systemic. If Claude Code makes vulnerability discovery easier, it makes vulnerability exploitation easier too. DJI's poor access control became a wider problem the moment internet-connected home surveillance devices became commonplace.
The pragmatic middle ground acknowledges both. Good security requires investment, expertise, and genuine testing. It cannot be assured through certifications alone. DJI says it continues to submit the Romo and its app to independent third-party security audits and claims it is committed to deepening engagement with the security research community. These moves are sensible. A company can do the right thing and still have failed in the first place. The real test comes now, in whether DJI patches the remaining vulnerabilities quickly and whether the smart home industry collectively learns something about the cost of poor design.