Engineer accidentally controlled 7,000 robot vacuums worldwide

Source: PC Gamer

Software engineer Sammy Azdoufal wanted to control his robot vacuum with a PS5 gamepad. Shortly after he set out to do so, he discovered he could access more than 7,000 DJI Romo vacuums in about two dozen countries, including camera feeds and floor plans from strangers' homes.

He used Claude Code to analyze traffic between his newly purchased DJI Romo and the manufacturer's servers. A security token exposed to his app provided access not just to his device but to all DJI Romos worldwide. Every three seconds his app collected serial numbers and status updates — cleaning routes, charge states and obstacle reports — and could activate on-board cameras and microphones, reconstruct 2D floor plans from spatial data and approximate household locations from IP addresses.
