Sometimes, the biggest security discoveries don’t come from state-sponsored hacker groups or underground syndicates. Sometimes, they happen because a guy just wants to drive his vacuum cleaner with a video game controller.
That is essentially what happened to Sammy Azdoufal, a French software engineer who recently found himself $30,000 richer after stumbling upon a massive vulnerability in DJI’s new Romo robot vacuum. Azdoufal wasn’t hunting for bugs; he was simply trying to rig up a PlayStation 5 gamepad to steer his device around his apartment. Instead, he inadvertently unlocked a digital door to thousands of homes across the globe.
This story isn’t just about a glitch. It marks a pivotal moment in how we think about smart home privacy, the role of AI in coding, and how even giants like DJI are forced to evolve their approach to security.
How did a PlayStation controller lead to a massive breach?
It sounds like the setup to a joke, but the methodology highlights a growing trend in cybersecurity: the lowering barrier to entry. Azdoufal used Anthropic’s AI coding assistant, "Claude Code," to help him reverse-engineer the API of the DJI Romo. He wanted to understand how the vacuum communicated so he could map those commands to his PS5 controller.
While digging through the code with the help of the AI, he discovered a critical backend permission validation error. The system relied on an MQTT-based protocol—a common standard for IoT devices—but it failed to properly segregate user access.
In simple terms, once Azdoufal had the token for his own device, the system didn’t check whether that token was authorized only for that specific unit. That single user token effectively functioned as a "master key." When he pinged the server, it wasn’t just his vacuum that responded. According to reports, approximately 7,000 devices across 24 countries became visible to him.
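The failure described above is a classic object-level authorization gap: the backend authenticates the token (is it valid?) but never authorizes it (is it valid for this device?). The following is an added illustration written for this article, not DJI's code or protocol; the token store, serial numbers and the devices/<serial>/<channel> topic layout are all constructed for the example. It places the vulnerable check beside a hardened one that binds each token to the devices its account actually owns, and measures how much of a sample fleet a single token can reach under each policy.

```python
"""Constructed illustration of the authorization gap described in the article:
a valid per-device token that the backend accepts for *any* device, beside a
hardened check that binds the token to the devices its account actually owns.

Everything here is invented for the example (serials, tokens, topic layout);
nothing is DJI's code or protocol.
"""
import hmac
import re

# Constructed sample data: token -> (account, owned device serials).
# In a real broker these records would come from the account database.
TOKEN_DB = {
    "tok-alice-7f3a": ("alice", {"ROMO-0001"}),
    "tok-bob-91c2": ("bob", {"ROMO-0002", "ROMO-0003"}),
}

# Assumed topic layout for this example: devices/<serial>/<channel>
TOPIC_RE = re.compile(r"^devices/(?P<serial>[A-Z0-9-]+)/(?P<channel>[a-z_]+)$")


def _lookup(token: str):
    """Token lookup with constant-time comparison; returns (account, serials) or None."""
    for known, record in TOKEN_DB.items():
        if hmac.compare_digest(known, token):
            return record
    return None


def authorize_vulnerable(token: str, topic: str) -> bool:
    """The anti-pattern: any *valid* token may subscribe to any device topic.
    Authentication happens, authorization does not."""
    if _lookup(token) is None:
        return False
    return TOPIC_RE.match(topic) is not None


def authorize_hardened(token: str, topic: str) -> bool:
    """Object-level check: the serial in the topic must be one the token's
    account owns. Anything else is denied, including malformed topics."""
    record = _lookup(token)
    if record is None:
        return False
    _account, owned = record
    m = TOPIC_RE.match(topic)
    if m is None:
        return False
    return m.group("serial") in owned


def visible_devices(token: str, authorize, fleet) -> set:
    """Audit helper: how much of the fleet one token can reach under a policy.
    `fleet` is every device serial the backend knows about."""
    return {s for s in fleet if authorize(token, f"devices/{s}/camera")}


# Constructed fleet of four devices; only ROMO-0001 belongs to alice.
FLEET = ["ROMO-0001", "ROMO-0002", "ROMO-0003", "ROMO-0004"]

if __name__ == "__main__":
    tok = "tok-alice-7f3a"
    print("vulnerable:", sorted(visible_devices(tok, authorize_vulnerable, FLEET)))
    print("hardened:  ", sorted(visible_devices(tok, authorize_hardened, FLEET)))
```

The audit helper is the detection angle for defenders: running it with one legitimate token against the full device list should return exactly that account's devices, and anything larger is the "ocean of devices" symptom the article describes. The same check belongs on every channel (camera, microphone, map, location), not only on the one the client happens to use.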
"I found my device was just one in an ocean of devices," Azdoufal said regarding the discovery. It’s a stark reminder that as we fill our homes with internet-connected sensors, the line between convenience and exposure is often just one bad line of code away.
What data could the hacker actually see?
This wasn’t a theoretical vulnerability where encrypted gibberish was exposed. The access Azdoufal gained was terrifyingly comprehensive. By exploiting this flaw, he could access live camera feeds, listen in through the microphone, view 2D floor plans of users’ homes, check battery status, and even pinpoint device locations via IP addresses.
To prove the severity of the flaw, Azdoufal teamed up with The Verge. Using only the serial number of a reporter’s review unit, he was able to gain access to the device. As The Verge noted, "It wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss."
This incident lands at a difficult time for the smart home industry. With recent similar vulnerabilities exposed in Ecovacs Deebot vacuums in 2024, consumer trust in "cameras on wheels" is already fragile. The Romo, launched globally in late 2025 with premium LiDAR and AI features, was supposed to be DJI’s big entrance into a new market. Instead, it has highlighted the persistent risks of Chinese-manufactured IoT devices in Western markets, a topic already heated by regulatory debates.
Why is DJI’s $30,000 payout significant for the industry?
Perhaps the most surprising part of this story isn’t the hack itself, but DJI’s reaction to it. The drone giant agreed to pay Azdoufal a $30,000 bug bounty. For those who have followed DJI’s history, this is a massive shift in tone.
Back in 2017, security researcher Kevin Finisterre walked away from a similar bounty program after DJI threatened him with legal action under the Computer Fraud and Abuse Act (CFAA). That incident left a stain on DJI’s reputation within the security community. By contrast, this time DJI moved swiftly. They validated the finding and deployed automatic firmware patches on February 8 and 10, 2026, to close the breach.
In a statement, DJI confirmed, "The issue was addressed through two updates… The fix was deployed automatically, and no user action is required." Azdoufal, for his part, seemed less interested in the payout than the resolution. "People stick to the bug bounty program for money. I don’t care. I just want this fixed," he stated.
The Bottom Line
This incident proves that the intersection of AI coding tools and IoT is a double-edged sword; tools like Claude Code make it easier for hobbyists to build cool integrations, but they also make it trivial to uncover catastrophic security flaws that might have previously required expert-level skills. While DJI deserves credit for patching this quickly and paying the bounty—a clear attempt to rehabilitate their image after the 2017 Finisterre debacle—the fact that a simple backend validation error exposed 7,000 homes is inexcusable for a hardware giant of this caliber. Ultimately, consumers are the ones gambling their privacy on the hope that manufacturers verify their code better than an AI-assisted engineer with a gamepad.