A coder’s attempt to steer his robot vacuum with a PlayStation controller has uncovered a sweeping security flaw that exposed nearly 7,000 internet-connected devices across 24 countries.
The exposure included live camera feeds, microphones, and home mapping data.
Sammy Azdoufal, a self-described tinkerer, said he simply wanted to control his DJI Romo robot manually using a PS5 controller. “I thought it would be fun to drive it around myself,” he explained. Instead, his experiment revealed a glaring weakness in DJI’s IoT infrastructure.
Using Anthropic’s Claude Code AI assistant, Azdoufal reverse-engineered the communication protocol used by his vacuum. He decompiled DJI’s mobile app, extracted his authentication token, and built a custom client to interact directly with DJI’s servers.
As soon as his app connected to DJI’s MQTT message broker, thousands of devices responded.
“I wasn’t expecting anything beyond my own vacuum,” Azdoufal said. “But suddenly I could see traffic from devices all over the world.”
According to Azdoufal, he could access live camera streams and onboard microphones from other users’ vacuums. He could also generate accurate floor plans of homes he had never visited.
With only a 14-digit serial number, he located a journalist’s system, confirmed it was cleaning a living room at 80% battery, and recreated a digital map of the property, all from another country.
The vulnerability stemmed from a basic backend misconfiguration. DJI’s MQTT message broker lacked topic-level access controls. Once authenticated with a single device token, users could view traffic from other devices in plaintext.
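The following is an added illustration of the misconfiguration described above; it is not DJI's broker code, and the topic layout `devices/<serial>/<channel>`, the `Session` type and the log format are constructed assumptions. It contrasts an authentication-only broker, where any valid device token may subscribe to any topic, with one that also authorizes every subscribe and publish against the serial bound to the presented token, and then applies the same rule to constructed broker log lines to flag cross-device subscriptions. The point it makes is the one the article turns on: a valid token and an encrypted connection prove who is talking, not what they may read.

```python
"""Topic-level authorization and audit for a per-device MQTT topic namespace.

Added example for illustration only (not DJI's code). The topic layout
'devices/<serial>/<channel>' and the log-line format are constructed.
"""
from dataclasses import dataclass
import re

WILDCARDS = {"+", "#"}


@dataclass(frozen=True)
class Session:
    serial: str           # device identity bound to the token at connect time
    authenticated: bool


def authorize_auth_only(session: Session, action: str, topic: str) -> bool:
    """Weak policy: authentication is the only check, so a single valid
    device token may subscribe to every device's camera, map and status topics."""
    return session.authenticated


def authorize_per_device(session: Session, action: str, topic: str) -> bool:
    """Hardened policy: the topic must live under the caller's own serial."""
    if not session.authenticated:
        return False
    levels = topic.split("/")
    if len(levels) < 3 or levels[0] != "devices":
        return False
    # The serial level must match literally, which also rejects '+' and '#'
    # placed there (e.g. 'devices/+/camera' or 'devices/#').
    if levels[1] != session.serial:
        return False
    if action == "publish" and any(level in WILDCARDS for level in levels):
        return False           # MQTT forbids wildcards in publish topics
    if "#" in levels[:-1]:
        return False           # '#' is only valid as the final filter level
    return action in ("subscribe", "publish")


def evaluate(policy, session: Session, requests):
    """Run (action, topic) requests through a policy; return the allowed topics."""
    return [topic for action, topic in requests if policy(session, action, topic)]


# Constructed broker log lines carry the client serial, action and topic filter.
LOG_RE = re.compile(r"serial=(?P<serial>\S+) action=(?P<action>\S+) topic=(?P<topic>\S+)")


def flag_cross_device(log_lines):
    """Detection view of the same rule: return log lines in which an
    authenticated client touched a topic outside its own serial namespace."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        session = Session(serial=m["serial"], authenticated=True)
        if not authorize_per_device(session, m["action"], m["topic"]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    me = Session(serial="SN00000000000001", authenticated=True)   # constructed serial
    reqs = [
        ("subscribe", "devices/SN00000000000001/camera"),   # own device
        ("subscribe", "devices/SN00000000000002/camera"),   # someone else's device
        ("subscribe", "devices/+/map"),                      # every device's map
        ("subscribe", "devices/#"),                          # everything on the broker
        ("publish",   "devices/SN00000000000002/cmd"),       # command another device
    ]
    print("auth-only allows:", evaluate(authorize_auth_only, me, reqs))
    print("per-device allows:", evaluate(authorize_per_device, me, reqs))
```

On a real broker this rule lives in the broker's ACL or authorization plugin rather than in client code; the function above is the decision such a plugin has to make for every subscribe and publish, and the log audit is a cheap way to check that it is actually being enforced after a patch.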
DJI’s portable Power battery stations, which operate on the same MQTT infrastructure, also appeared in the data stream. These home backup generators can scale up to 22.5 kWh and are marketed as emergency power solutions.
What makes this discovery particularly notable is how it happened. Azdoufal relied on AI coding tools to carry out tasks that previously required advanced reverse-engineering skills.
He used Claude Code to analyze the mobile app, interpret communication protocols, and automate client creation. Security analysts warn that this signals a broader shift.
AI-assisted development tools are dramatically lowering the barrier to entry for offensive cybersecurity research. The pool of individuals capable of probing IoT systems has expanded significantly. This also raises concerns about relying on security through obscurity as a defense strategy.
This is not the first robot vacuum security breach. In 2024, hackers took control of Ecovacs Deebot X2 units in several US cities. They broadcast offensive messages through speakers and chased pets. The investigation then found that PIN protections were validated only within the app, not by the server or the device.
South Korea’s consumer watchdog also tested six major brands last year. Samsung and LG performed well, but three Chinese-made models showed extreme vulnerabilities. The Dreame X50 Ultra allowed remote camera activation, and security researcher Dennis Giese later reported a TLS flaw in Dreame’s app to US authorities.
Initially, DJI spokesperson Daisy Kong said that the flaw had already been fixed. That statement came roughly 30 minutes before Azdoufal demonstrated that thousands of vacuums were still transmitting data live.
DJI later issued a fuller statement acknowledging a backend permission-validation issue and confirmed that patches were deployed on February 8 and 10.
The company said TLS encryption was always enabled.
However, Azdoufal countered that encryption protects the connection itself, not improperly authorized data inside it. He also claimed additional issues remain unresolved, including a potential PIN bypass for camera feeds.
The EU’s Cyber Resilience Act will mandate security-by-design standards for connected products by December 2027, with penalties of up to €15 million. The UK’s PSTI Act, effective since April 2024, bans the use of default passwords on smart devices. The US Cyber Trust Mark remains voluntary.
Enforcement remains uncertain, however, when manufacturers operate across jurisdictions.
Many LiDAR-based robot vacuums navigate effectively without video capability. For devices with cameras, covering the lens when not in use adds an extra layer of protection.
Azdoufal’s playful coding experiment has become a warning that AI tools democratize technical capabilities, that IoT security weaknesses are no longer hidden behind complexity, and that the stakes are in people’s homes.