DJI Romo Robot Vacuum Security Flaw Exposes Thousands

A tech enthusiast accidentally uncovered a major security flaw affecting thousands of internet-connected robot vacuums, gaining access to detailed floor plans, live camera feeds, and audio streams. The discovery has renewed concerns about foreign-built smart devices operating inside American homes. The company involved says it has implemented fixes, but additional vulnerabilities reportedly remain.

According to reporting by Tom’s Hardware, Sammy Adoufal, an AI strategist, stumbled upon the flaw while attempting to modify his DJI Romo robot vacuum to work with a PlayStation controller. Adoufal used Claude Code to reverse engineer the device’s communication protocol with company servers. In the process, he extracted a private token from his own vacuum that unexpectedly granted him access to approximately 6,700 devices deployed globally.

The affected vacuums are manufactured by DJI under the Romo branding. Through the exposed credentials, Adoufal was able to access live servers operating in the United States, Europe, and China. The vulnerability allowed viewing of sensitive information, including interior floor plans, real-time video feeds, microphone audio, and remote control functionality.

Adoufal stated he did not bypass security systems or brute-force passwords. He said the flaw appeared to stem from improper access controls on the server side rather than from sophisticated hacking. Taken together with the token discovery, that points to the servers checking that a token was valid without checking which device it had been issued for, so a credential scoped to one vacuum was honored for every other vacuum in the fleet.

DJI responded by deploying updates to correct the primary vulnerability without requiring action from customers. However, Adoufal has indicated that other issues remain unresolved. Among them is the ability to stream video feeds from DJI Romo devices without entering a security PIN. He also reported that data collected by the devices was stored in plain text on company servers, raising additional security questions.
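The pattern described in the two paragraphs above (a per-device token accepted for any device, and a video stream reachable without the PIN) is a server-side authorization failure, not a cryptographic one. The example below is added here to make that concrete; it is not DJI's code and does not reflect the Romo protocol. All identifiers (`FLEET`, `romo-0001`, the token format, the `stream.example` URL) are constructed for illustration. It shows a handler that only authenticates the token next to one that also binds the token to the requested device and gates the stream behind a hashed PIN.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key; a real service would load it from a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a PIN verifier so the PIN itself is never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _enroll(device_id: str, pin: str, floor_map: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"map": floor_map, "pin_salt": salt, "pin_hash": _hash_pin(pin, salt),
            "stream": f"rtsp://stream.example/{device_id}"}  # hypothetical URL


# Constructed sample fleet of two devices (not real records).
FLEET = {
    "romo-0001": _enroll("romo-0001", "4321", "map: kitchen, hallway, living room"),
    "romo-0002": _enroll("romo-0002", "8765", "map: bedroom, office"),
}


def issue_device_token(device_id: str) -> str:
    """Mint a token bound to exactly one device (HMAC-signed payload, hypothetical format)."""
    payload = json.dumps({"device_id": device_id}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, sig))


def verify_token(token: str):
    """Return the device id the token was issued for, or None if malformed or forged."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(payload)["device_id"]
    except (ValueError, KeyError, TypeError, binascii.Error, UnicodeDecodeError):
        return None


def get_map_vulnerable(token: str, requested_device_id: str):
    """Authenticates the caller but never asks which device the token belongs to:
    any valid device token can read any other device's floor plan. This is the
    broken object-level authorization the article describes."""
    if verify_token(token) is None:
        return 401, None
    rec = FLEET.get(requested_device_id)
    return (404, None) if rec is None else (200, rec["map"])


def get_map_hardened(token: str, requested_device_id: str):
    """Authenticate, then authorize: the token must be bound to the requested device."""
    owner = verify_token(token)
    if owner is None:
        return 401, None
    if owner != requested_device_id:
        return 403, None
    rec = FLEET.get(requested_device_id)
    return (404, None) if rec is None else (200, rec["map"])


def start_stream_hardened(token: str, requested_device_id: str, pin: str):
    """Live video additionally requires the device PIN, compared in constant time."""
    status, _ = get_map_hardened(token, requested_device_id)
    if status != 200:
        return status, None
    rec = FLEET[requested_device_id]
    if not hmac.compare_digest(_hash_pin(pin, rec["pin_salt"]), rec["pin_hash"]):
        return 403, None
    return 200, rec["stream"]


if __name__ == "__main__":
    tok = issue_device_token("romo-0001")
    print(get_map_vulnerable(tok, "romo-0002"))          # leaks the other home's map
    print(get_map_hardened(tok, "romo-0002"))            # (403, None)
    print(start_stream_hardened(tok, "romo-0001", "0000"))  # wrong PIN: (403, None)
    print(start_stream_hardened(tok, "romo-0001", "4321"))  # own device, right PIN
```

The check that matters is the single `owner != requested_device_id` comparison: the token signature proves the request came from an enrolled device, but only the binding check proves it came from the device whose data is being requested. Storing the PIN as a salted hash rather than in plaintext also means a server-side data exposure does not hand out the PINs alongside the maps.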

Security researchers have speculated about the possibility of a “backdoor,” though no official confirmation of such a feature has been provided. The incident highlights longstanding concerns over foreign-made smart home devices that collect sensitive data from inside private residences.

Similar privacy controversies have surfaced before. An investigation by MIT Technology Review found that gig workers contracted to review data from iRobot devices had access to private home images. In response, iRobot ended a partnership with Scale AI after reports that images were shared improperly.

As American households adopt more connected devices, cybersecurity experts continue to warn that convenience often comes with privacy risks. The latest incident underscores the need for strong data protection standards and transparency when foreign technology firms operate inside U.S. homes.
