Smart home devices bring convenience to daily life, but they can also open security backdoors. Recently, a Spanish software engineer accidentally discovered that he could remotely control about 7,000 robot vacuum cleaners worldwide, view real-time footage, and collect large amounts of device data. As the smart home market is expected to reach $139 billion by 2032, the rapid industry growth raises a critical question: can security mechanisms keep up with innovation?
Attempting to modify a vacuum cleaner and unexpectedly finding a global vulnerability
According to tech outlet The Verge, the incident began with an experiment by Spanish software engineer Sammy Azdoufal. He initially wanted to reverse engineer his newly purchased DJI Romo robot vacuum so that he could control it with a PlayStation 5 controller.
However, after establishing a connection between his custom remote control app and DJI’s servers, an unexpected development occurred: not just one robot responded, but approximately 7,000 robot vacuums worldwide simultaneously “recognized him as the owner.”
Azdoufal found that he could view live footage and listen to audio through the device’s camera, and he collected over 100,000 messages from different devices. Even more startling, he could estimate the devices’ approximate locations using their IP addresses.
In other words, the same access credentials were enough to control other users’ devices on a large scale.
DJI responds: vulnerability patched, Azdoufal fears being sued
Notably, Azdoufal stated he had no malicious intent and did not deliberately hack into other devices. He proactively reported the vulnerability, hoping the issue would be acknowledged and fixed.
DJI later confirmed the problem had been resolved and publicly thanked Azdoufal on social platform X.
DJI said, “Your responsible feedback is extremely valuable to us.”
Azdoufal also humorously responded on X, calling himself “the vacuum guy,” joking that many people offered him free robot vacuums.
Nevertheless, due to media coverage, Azdoufal is concerned that DJI might find reasons to sue him.
Security experts warn: security of smart devices is often overlooked
In fact, this is not an isolated case. Alan Woodward, a computer science professor at the University of Surrey in the UK, pointed out that many smart product manufacturers prioritize “innovation” and “market capture” during early development, with security becoming an afterthought.
Woodward explained that the industry often adopts a “move fast, break things” mentality, aiming to launch cheaper, more feature-rich products. However, early software development has shown that neglecting security design ultimately leads to vulnerabilities.
He emphasized that security issues with smart devices are not just due to a single software component error but stem from overall system design, including:
A flaw in any of these areas can create a chain of risks.
Explosion of the smart home market and rising risks
According to research firm MarketsandMarkets, the global smart home market is projected to reach $139 billion by 2032. Devices such as smart lighting, locks, surveillance cameras, baby monitors, and heating systems are rapidly becoming part of household life.
However, a study published in the Journal of Information Security and Applications pointed out that hackers have successfully taken control of:
The incident with the robot vacuum is just one example. As more devices connect to the internet, the potential attack surface expands.
Root causes: default credentials and insufficient access isolation
In this vacuum incident, Azdoufal was able to gain control of other devices because his credentials could access other robots.
Woodward recommended that companies require users to set unique passwords during initial setup instead of using uniform or derivable default credentials. Additionally, development teams must fully understand how their systems could be compromised, rather than focusing only on individual modules.
He stressed that security is not just a part of coding but a core aspect of overall product design culture.
Consumers also need to stay vigilant
Besides corporate responsibility, consumers should carefully evaluate the privacy risks associated with smart devices.
Woodward stated, “Just because you can do something doesn’t mean you should.”
While smart appliances make life more convenient, devices with cameras, microphones, and location tracking capabilities pose significant privacy risks if misused, with consequences that can go far beyond what users expect.
This article “Spanish engineer accidentally ‘takes over’ 7,000 DJI robot vacuums, security flaws in smart home devices” originally appeared on Chain News ABMedia.