DJI Romo Robot Vacuum Security Vulnerabilities
On March 19, 2026, a significant security flaw in the DJI Romo robot vacuum allowed unauthorized access to live camera feeds, microphone audio, and home mapping data for thousands of devices, including DJI Power portable battery stations, due to authentication tokens not being scoped to individual devices. As of February 19, 2026, primary vulnerabilities are patched, but secondary issues, including a PIN bypass for camera access, remain unaddressed, with DJI promising further fixes. Security researcher Sammy Azdoufal received a $30,000 bug bounty on March 7, 2026, for discovering the critical flaw that exposed approximately 7,000 devices to potential remote access. DJI faces ongoing scrutiny regarding data security and privacy, with concerns about potential data transmission to China. DJI stated on February 14, 2026, that the security issue had been patched with two updates and claimed no evidence of malicious exploitation.
Timeline
A significant security flaw in the DJI Romo robot vacuum allowed unauthorized access to live camera feeds, microphone audio, and home mapping data for thousands of devices. The vulnerability, which also affected DJI Power portable battery stations, stemmed from authentication tokens not being scoped to individual devices. DJI faces ongoing scrutiny regarding data security and privacy, with concerns about potential data transmission to China.
DJI has paid a $30,000 bug bounty to security researcher Sammy Azdoufal for discovering a critical flaw in its Romo robot vacuums. The vulnerability exposed approximately 7,000 devices to potential remote access, including cameras. Azdoufal discovered the flaw accidentally while attempting to control his own Romo vacuum.
via The Tech Buzz
At the time of this update, the primary vulnerabilities are patched, but secondary issues, including a PIN bypass for camera access, remain unaddressed, with DJI promising further fixes [1, 2, 12].
via theverge.com
DJI indicates that remaining security issues will be addressed "within weeks" [3, 12].
via theverge.com
Further reporting by outlets like TipRanks and Android Headlines emphasizes the privacy implications and the potential damage to DJI's reputation, especially given previous security scrutiny [3, 4].
via theverge.com
Reports indicate that the vulnerability allowed access not only to Romo vacuums but also to DJI Power portable battery stations that share the same backend infrastructure [1, 12].
via theverge.com
Multiple technology news outlets, including Android Authority and Malwarebytes, publish in-depth analyses of the DJI Romo vulnerability, explaining the technical cause (inadequate access controls on the MQTT broker) and the extent of data exposure [1, 2, 8, 12].
via theverge.com
TechBriefly reports on DJI's patch deployment but notes Azdoufal's claim that secondary vulnerabilities remain unaddressed [5].
via theverge.com
DJI states that the security issue has been patched, with remediation deployed in two updates, and claims no evidence of malicious exploitation [5, 9].
via theverge.com
The Verge publishes its initial report detailing the DJI Romo vulnerability, highlighting Sammy Azdoufal's discovery and the potential for remote access to approximately 7,000 units globally [7, 9, 11].
via theverge.com
DJI deploys a second automatic patch, completing the initial fix for the main wildcard access issue affecting the Romo platform [1, 4, 5, 9, 11].
via theverge.com
DJI deploys the first automatic patch to address the primary vulnerability in its Romo robot vacuums, indicating awareness of the issue [1, 5, 9, 11, 12].
via theverge.com
Sammy Azdoufal discovers a critical security vulnerability in DJI's Romo robot vacuums while attempting to control his unit with a PS5 controller and an AI-assisted custom app, gaining access to thousands of devices [1, 2, 3, 6, 7, 8, 9, 12].
via theverge.com