Security Flaw Lets Tinkerer Accidentally Take Over An Army Of Robot Vacuums

The chilling story of a robot uprising has been told in countless books, movies, and other media through the years. But of all the machines that readers imagine could be the ones to rise up, robot vacuum cleaners, which are designed to clean your home and not rule it, might be at the bottom of the list. Don’t take a baseball bat to yours, however, as the real threat isn’t the machine itself but vulnerabilities in the systems that control it.

These flaws affected DJI Romo robot vacuums and were discovered by Sammy Azdoufal, an independent engineer using AI, in February of 2026. Azdoufal was trying to build a custom remote app using a PS5 controller and accidentally stumbled upon a way to get floor plans, live feeds, and full remote capability. This gave him access to and control of 6,700 vacuum cleaners around the world. But this wasn’t technically a system breach: the way in existed because of improper server-side access controls and data handling.

Fortunately, instead of leading the robot army to world domination, Azdoufal contacted DJI. According to comments from a company spokesperson to The Verge, DJI had already been working on a fix before the issue was made public. That fix came in the form of system updates that were released to address the problem. However, some security concerns appeared to remain at the time, including the ability to access video feeds without a security PIN, in addition to other issues.

DJI faces ongoing U.S. security concerns

The discovery of flaws in the DJI Romo robot vacuum cleaner system has apparently led to the company paying Sammy Azdoufal a $30,000 reward. According to The Verge, via Tom’s Hardware, Azdoufal received word about the reward through his email. However, DJI wasn’t clear about which specific discovery qualified for the payment. Additionally, DJI confirmed that a reward was indeed paid to a researcher but didn’t elaborate on Azdoufal or his findings.

DJI is actually a Chinese company specializing in drone manufacturing and didn’t begin selling vacuums until the fall of 2025. But before its robot floor cleaners made headlines, DJI faced pushback from the U.S. government dating back to 2017. At the time, the U.S. Army ordered service members to stop using the company’s drones due to cybersecurity concerns. But the Army went a step further, ordering all related applications and storage media to be removed as well. This was due to potential vulnerabilities discovered during the Army’s internal research.

In the following years, DJI was added to a Pentagon watch list as U.S. officials continued to raise national security concerns about the company. The fear was that DJI’s drones posed a risk to sensitive government information and facilities. Those concerns eventually led to restrictions from the Federal Communications Commission (FCC), which banned the import of new DJI models and drone components. In response, DJI filed a lawsuit in February of 2026, arguing that the FCC’s action placed unfair limits on its U.S. operations.


