Tuesday, February 24, 2026 | 04:45 PM IST
Business Standard

DJI Romo security flaw exposed thousands of homes to remote access: Report

Reportedly, DJI's Romo robot vacuum had a server flaw that exposed camera and audio access on thousands of devices worldwide; the company has since fixed the issue

DJI ROMO Series (Image: DJI)

Sweta Kumari New Delhi

A security issue in DJI’s Romo robot vacuum reportedly allowed remote access to thousands of devices around the world. According to The Verge, the flaw was discovered when a developer was trying to control his own vacuum using a PS5 controller. However, when his homemade app connected to DJI’s servers, it didn’t just communicate with his device. Around 7,000 vacuums across different countries responded. Instead of accessing only one machine, he was reportedly able to remotely control many of them. 
 
As The Verge reported, the problem was caused not by broken encryption but by the company’s servers failing to properly restrict access. DJI has now fixed the issue on its side. However, the incident has reportedly raised concerns about the safety and privacy of smart home devices.
 

What went wrong?

 
According to The Verge, the vulnerability was linked to how DJI’s Romo vacuums communicate with company servers using a protocol called MQTT. MQTT (Message Queuing Telemetry Transport) is a lightweight communication protocol commonly used in Internet of Things (IoT) devices. IoT devices include smart home products like robot vacuums, security cameras, and smart speakers that connect to the internet.
 
MQTT works by sending messages through a central server called a broker. Devices publish messages to specific channels, known as topics, and “subscribe” to topics to receive data. Ideally, each device should only access its own topic. However, The Verge reported that DJI’s system did not properly restrict topic access after authentication.

How the researcher accessed vacuums

 
As reported by The Verge, once the researcher authenticated with a valid login token (a digital key that proves you are an authorised user), the server allowed access to far more data than intended. Instead of limiting access to a single vacuum, the system reportedly allowed subscription to thousands of devices’ MQTT topics. 
 
This meant the researcher could see device status and identifiers, 2D home floor maps, live camera feeds and audio streams. In some cases, this access reportedly bypassed the vacuum’s camera PIN protection.
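
The difference between authenticating a user and authorising each topic subscription can be shown in a short broker-side check. This is an added illustration, not code from DJI, The Verge or the researcher; the `devices/<device_id>/...` topic layout, the device IDs and the function names are assumptions, since the report does not describe DJI's actual topic scheme.

```python
# Added example. The "devices/<device_id>/..." topic layout, device IDs and
# function names are assumptions; the article does not give DJI's real scheme.

SUBACK_FAILURE = 0x80  # MQTT 3.1.1 SUBACK return code for a refused filter


def weak_allowed(token_valid, topic_filter):
    """Authentication only: any valid token may subscribe to any filter."""
    return token_valid


def subscription_allowed(owned_devices, topic_filter):
    """Authorization: allow the filter only if every topic it can match
    belongs to a device bound to the authenticated account."""
    levels = topic_filter.split("/")
    # Require "devices/<id>/<subtopic...>"; anything shorter is too broad.
    if len(levels) < 3 or levels[0] != "devices":
        return False
    # A wildcard or foreign ID in the device position spans other homes.
    if levels[1] not in owned_devices:
        return False
    rest = levels[2:]
    for i, level in enumerate(rest):
        if level == "#" and i != len(rest) - 1:
            return False  # '#' is valid only as the final level
        if level not in ("+", "#") and ("+" in level or "#" in level):
            return False  # a wildcard must occupy a whole level
    return True


def suback_codes(owned_devices, filters, granted_qos=0):
    """Per-filter SUBACK return codes for one SUBSCRIBE packet."""
    return [granted_qos if subscription_allowed(owned_devices, f)
            else SUBACK_FAILURE for f in filters]


if __name__ == "__main__":
    owned = {"vac-001"}  # constructed: devices bound to this login token
    requested = ["devices/vac-001/status", "devices/+/camera", "#"]
    for f in requested:
        print(f, "weak:", weak_allowed(True, f),
              "hardened:", subscription_allowed(owned, f))
    print(suback_codes(owned, requested))
```

The check is applied to the requested filter itself, because MQTT wildcards (`+` for one level, `#` for all remaining levels) let a single subscription cover many devices' topics.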

How widespread was the exposure?

 
According to The Verge, the researcher was able to see data from around 7,000 devices across more than 20 countries. This suggested that the issue was not limited to a small group of users. The scale of exposure reportedly highlights how cloud-based smart home systems can create large centralised risks if access controls are not carefully implemented.   

DJI’s response

 
The Verge reported that DJI rolled out backend fixes in early February to address the vulnerability. Because the issue was server-side, users did not need to update their devices manually. However, the report also noted that fixes were not immediately applied everywhere and that at least one additional vulnerability remained under review at the time of reporting. 

Why this matters for smart home users

 
This incident shows that even well-known brands can face security gaps in connected devices. While encryption protects data in transit, strong access control rules are equally important. When smart devices include cameras, microphones, and mapping tools inside private homes, weak server permissions can potentially expose sensitive personal information.
 

First Published: Feb 24 2026 | 3:57 PM IST
