
Man Accidentally Hacks 7,000 Robot Vacuums, Gets Paid $30,000 By DJI

A routine tech experiment turned into a major cybersecurity incident after a security researcher accidentally uncovered a vulnerability affecting thousands of internet-connected robot vacuums. What began as a simple attempt to control a household cleaning device with a gaming controller quickly escalated into the discovery of a network flaw that could have exposed private home camera feeds around the world.

The issue involved DJI’s Romo robot vacuum line and was uncovered by security researcher Sammy Azdoufal, who was experimenting with ways to steer his device using a PlayStation controller. Instead of just modifying controls, he stumbled upon an unsecured network architecture that appeared to expose access to roughly 7,000 DJI robots, according to a report by TechBuzz.

The vulnerability raised serious privacy concerns because the affected devices are equipped with cameras used for indoor navigation. Unauthorized access could theoretically have allowed outsiders to view live video feeds inside private homes. While there is no evidence that the flaw was widely exploited, the scale of the exposure highlighted the risks associated with rapidly expanding consumer Internet of Things devices.

The discovery gained international attention after media outlets reported on the findings during Valentine’s Day news cycles. Early coverage focused on two key uncertainties: whether DJI would compensate the researcher and how quickly the company would address the security gaps. The $30,000 payout answers one of those questions and signals a more cooperative stance toward independent researchers.

DJI’s relationship with the cybersecurity community has faced scrutiny in the past. A widely discussed dispute in 2017 involving researcher Kevin Finisterre damaged trust between the company and vulnerability analysts after disagreements over disclosure practices and compensation. That episode left lingering concerns about how DJI handled responsible reporting of system weaknesses.

This case appears to show a shift in approach. Reports indicate DJI had already begun addressing related security weaknesses before Azdoufal demonstrated the full scope of potential access. By compensating the researcher and publicly acknowledging the issue, the company is reinforcing its commitment to the established bug bounty practices used across the technology sector.

The incident also underscores broader challenges in securing connected home devices. Modern robot vacuums rely on cloud connectivity for remote control, automated scheduling, mapping, and software updates. However, each connected feature introduces potential entry points for attackers. Weak network protections can turn everyday appliances into unexpected security liabilities.

Industry analysts note that bug bounty payments for vulnerabilities of this scale typically fall within similar compensation ranges. Flaws capable of exposing thousands of devices equipped with cameras are considered high severity because they present both privacy and reputational risks for manufacturers.

As DJI continues expanding beyond its core drone business into consumer robotics, the importance of strong cybersecurity safeguards is increasing. Devices operating inside private homes demand stricter protections than many outdoor technologies, and security failures can quickly erode user confidence.

For now, the vulnerability is being patched, the researcher has been compensated, and DJI has an opportunity to demonstrate improved transparency in handling future security reports.
