A Spanish software engineer has revealed a significant security vulnerability in smart vacuum cleaners after remotely gaining access to approximately 7,000 devices worldwide. The issue came to public attention after Sammy Azdoufal contacted the New York-based technology publication The Verge to disclose how he was able to control multiple DJI Romo vacuums while experimenting with his own device. The incident has renewed scrutiny over security standards in the rapidly expanding smart home industry.
According to the report, Azdoufal was attempting to reverse engineer his recently purchased DJI Romo vacuum so he could operate it using a PlayStation 5 gamepad. While testing a self-developed remote control application, he discovered that when the app communicated with DJI’s servers, it triggered responses not just from his own device but from thousands of others connected to the same infrastructure. Roughly 7,000 vacuums across different regions began responding to his commands, effectively recognizing him as an authorized controller. Through this unintended access, Azdoufal was able to view live camera feeds from the devices and collected more than 100,000 messages transmitted by them. He could also use each robot’s IP address to estimate its approximate geographic location. Azdoufal stated that he had no intention of exploiting the devices and proactively informed The Verge about the vulnerability to ensure it was addressed responsibly. DJI later confirmed that the flaw had been resolved and publicly thanked him for reporting the issue.
The episode has sparked broader discussion among cybersecurity experts regarding systemic weaknesses in internet-connected consumer products. Alan Woodward, professor of computer science at the University of Surrey in England, noted that security is sometimes treated as secondary to speed of innovation in competitive technology markets. Manufacturers often prioritize rapid product development, affordability, and feature expansion, which can lead to overlooked safeguards. Woodward emphasized that software development has long demonstrated the risks of deploying products without comprehensive security testing. In this case, the vulnerability stemmed from device credentials that permitted broader access than intended, allowing one authenticated user to interact with other connected units. Experts say such flaws can be mitigated by requiring users to establish unique passwords during initial setup and by ensuring that engineers responsible for system architecture understand how different software components interact with servers and mobile applications.
The smart device sector has experienced significant growth in recent years, with research firm MarketsandMarkets projecting that the global smart home market could reach 139 billion dollars by 2032. While consumers are drawn to connected appliances for convenience and automation, these same features can expose private spaces to digital intrusion if not properly secured. Previous studies, including research published in the Journal of Information Security and Applications, have documented vulnerabilities affecting lighting systems, locks, security cameras, baby monitors, and heating systems. Azdoufal, who is listed as head of artificial intelligence at a property management and travel group in Spain, later commented on social media that the experience earned him the nickname "the vacuum guy" and even resulted in offers of complimentary devices. The incident underscores ongoing concerns about privacy, device authentication, and responsible disclosure practices within the expanding Internet of Things ecosystem.