- An engineer accidentally discovered remote access to nearly 7,000 smart vacuum cleaners equipped with cameras and microphones.
- The flaw in the backend and in the MQTT permissions allowed viewing cameras, activating microphones, and obtaining maps of homes.
- Artificial intelligence tools facilitated the technical analysis and the detection of the flaw.
- The case calls into question the security and design of these 7,000 vacuum cleaners and of the entire smart home ecosystem.
What started as a home experiment with an internet-connected robot vacuum cleaner ended up becoming one of the most striking security failures of recent years in smart home devices. A software engineer, robotics enthusiast and resident of Barcelona discovered that he could interact not only with his own DJI Romo but with thousands of similar units in different countries, due to an implementation error in the cloud infrastructure of this model.
The DJI Romo, a robotic vacuum cleaner with a permanent connection to remote servers and home mapping capabilities, is designed to integrate into home automation ecosystems via mobile apps. However, when analyzing how communication between device and cloud was managed, including session authentication and authorization, the researcher found that the segmentation between users was insufficient.
From hobby to global security failure

The case began innocently enough: the engineer was trying to control his DJI Romo with a PlayStation 5 controller, with the aim of exploring new forms of interaction for domestic robots. With experience in reverse engineering and network protocol analysis, he used diagnostic tools and, in some cases, AI support to examine the communication logic between the robot's app and the remote services.
What began as simple status queries and movement commands ended in a disturbing discovery: by subscribing to certain data streams, he began to receive information that was not limited to his own unit but came from multiple DJI Romo robots distributed across different countries. This suggested that the cloud access control logic was not correctly applying restrictions based on user or credentials.
What data was exposed?
Beyond the number of potentially affected units, what worried the cybersecurity community was the type of information these devices handle. Robotic vacuum cleaners like the DJI Romo generate detailed maps of the interior of homes to optimize cleaning routes, which, in theory, is highly sensitive data from the perspective of domestic privacy.
Some models also carry additional sensors, such as cameras or microphones originally intended for navigation or obstacle detection, that could pose a greater risk if an attacker gains access to them without adequate protection.
How did the failure originate?

According to the researcher himself, the flaw did not lie in the encryption of communications, which could be encrypted in transit, but in the platform's authorization logic: once inside the infrastructure, there were insufficient mechanisms to guarantee that an authenticated token or session would only have access to the robot data of a specific user.
This allowed him, in a laboratory environment controlled by the analyst, to subscribe to multi-unit data streams and receive status events from robots not registered to him.
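To make the authorization gap concrete, the following added example (not code from the article, the researcher or DJI) models a broker-side subscription check for a fleet of robots. It assumes a hypothetical topic layout of `robots/<device_id>/<channel>` and a constructed ownership table; neither is from the page. The weak check treats "authenticated" as "authorized", so a wildcard filter such as `robots/+/status` delivers events from every tenant's robots. The hardened check resolves the device segment of the filter against the caller's own devices and refuses any filter whose device level is a wildcard, which is the per-user segmentation the article says was missing.

```python
"""Tenant-scoped MQTT subscription authorization (added example).

Assumed topic layout (hypothetical, not from the article):
    robots/<device_id>/<channel>      e.g. robots/romo-0001/status
"""
from dataclasses import dataclass

# Constructed ownership table: user -> set of device ids the user registered.
OWNERSHIP = {
    "alice": {"romo-0001"},
    "bob": {"romo-0002", "romo-0003"},
}

# Constructed sample of topics the fleet publishes to (one status and one map
# channel per robot). A real broker would see these arrive as live events.
PUBLISHED = [
    f"robots/{dev}/{ch}"
    for owner in OWNERSHIP.values()
    for dev in sorted(owner)
    for ch in ("status", "map")
]


@dataclass
class Session:
    """Minimal stand-in for an authenticated client session."""
    user: str
    authenticated: bool = True


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, '#' the remainder."""
    f_parts = filt.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":          # multi-level wildcard swallows everything after it
            return True
        if i >= len(t_parts):    # filter is longer than the topic
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def weak_authorize(session: Session, filt: str, ownership=OWNERSHIP) -> bool:
    """Weak policy: any authenticated session may subscribe to any filter."""
    return session.authenticated


def hardened_authorize(session: Session, filt: str, ownership=OWNERSHIP) -> bool:
    """Hardened policy: the device level must be a literal id owned by the caller.

    Wildcards are only tolerated in the channel level, where they cannot
    widen the subscription beyond a single device.
    """
    if not session.authenticated:
        return False
    parts = filt.split("/")
    if len(parts) != 3 or parts[0] != "robots":
        return False
    device = parts[1]
    if device in ("+", "#"):
        return False            # a wildcard here would span every tenant
    return device in ownership.get(session.user, set())


def leaked_devices(authorize, session: Session, filt: str,
                   ownership=OWNERSHIP, published=PUBLISHED) -> set:
    """Device ids whose events the caller would receive without owning them.

    Returns an empty set when the policy rejects the subscription outright.
    """
    if not authorize(session, filt, ownership):
        return set()
    mine = ownership.get(session.user, set())
    delivered = {t.split("/")[1] for t in published if topic_matches(filt, t)}
    return delivered - mine


if __name__ == "__main__":
    alice = Session("alice")
    print("weak    :", sorted(leaked_devices(weak_authorize, alice, "robots/+/status")))
    print("hardened:", sorted(leaked_devices(hardened_authorize, alice, "robots/+/status")))
```

The same pattern applies to whatever broker or gateway actually fronts the devices: the decision has to be made on the identity behind the token and the resource it names, not merely on whether the token is valid.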
What does this mean for connected homes?

After confirming the flaw, the engineer chose not to automate or exploit the vulnerability on a massive scale and followed the principles of responsible disclosure: contacting the manufacturer first and allowing reasonable time for a fix to be developed before making the problem public.
According to statements and subsequent publications by the researcher himself, the company acknowledged a problem with access validation and stated that it had deployed fixes in its backend to strengthen the separation of permissions between users and limit the exposure of third-party data.
There is no public evidence that the flaw has been maliciously exploited by third parties, although the mere fact that it was relatively easy to detect has generated concern in the home security community.
This incident is a reminder that, in a rapidly expanding market of connected devices (from vacuum cleaners to cameras and home assistants), security and privacy must be built in by design. Detailed maps of a home, for example, can reveal more than meets the eye: from room layout to space usage habits.
Furthermore, the case illustrates how modern analytical tools, including those based on artificial intelligence, can accelerate the identification of flaws. That same potential that helps improve software development can also serve malicious actors if robust designs and independent audits are not adopted.
In a European context with strict data protection regulations such as the GDPR, incidents of this type reinforce the need for more rigorous audits and controls, as well as greater transparency from manufacturers and cloud service providers.
