
How a Simple Experiment Exposed Access to Thousands of DJI Romo Robot Vacuums
Sometimes a small experiment unexpectedly reveals something much bigger.
That’s exactly what happened when a developer tried controlling his robot vacuum using a PlayStation controller just for fun, and in the process realized he wasn’t connected only to his own device but to thousands of devices around the world.
The device in question was the DJI Romo, a smart home product from DJI. What started as a casual coding experiment turned into a serious wake-up call for smart home security.
It All Started With a Fun Idea
Sammy Azdoufal says he never intended to hack anything. He simply wanted to control his brand-new DJI Romo with a PS5 gamepad. Just a creative project. Just something fun to try.
But when his custom app connected to DJI’s servers, something unexpected happened. Instead of only his vacuum responding, nearly 7,000 robot vacuums from around the world replied back. He realized his own device was just a tiny drop in an ocean of connected devices.
What Kind of Data Was Visible?
This wasn’t just basic information.
Every few seconds, devices were “phoning home” and sending data. On his laptop, real-time messages started appearing that included:
- Serial numbers
- Which room was being cleaned
- Battery percentage
- Distance covered
- Charging status
- Obstacles encountered
- And even a 2D floor plan of the home
Within just nine minutes, he had tracked over 6,700 devices across 24 countries and collected more than 100,000 messages.
If DJI’s power stations were included, the number crossed 10,000 devices.
Just imagine one laptop, and data from thousands of homes appearing on screen.
Live Camera Access Was Also Possible
The most shocking part was live video access.
According to Azdoufal, he could:
- View live camera feeds
- Watch homes being mapped in real time
- See floor plans being generated
- Pull up device details using only a serial number
For verification, a review unit’s serial number was provided. With just that 14-digit number, he correctly identified the room being cleaned and the remaining battery level.
Within minutes, the accurate layout of the house appeared on screen.
In another demonstration, he accessed his own Romo’s camera feed without entering the security PIN and waved in front of the camera.
He insists this wasn’t brute force or password cracking. He simply extracted his own device’s private authentication token. The issue, according to him, was a flaw in backend permission validation that allowed visibility into other devices once authenticated.
Where Was the Technical Problem?
The issue centered around MQTT, a protocol commonly used in IoT devices.
Azdoufal’s explanation is straightforward:
Once you are authenticated into the system, and if proper topic-level access controls are not enforced, it may be possible to see messages from multiple devices.
He explains that TLS encryption protects data during transmission. But if backend permissions are not configured correctly, encryption alone is not enough.
In simple terms: the pipe may be secure, but if access control inside the system is weak, that is where the real problem begins. This wasn’t just an encryption issue; it was a backend authorization issue.
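To make the distinction concrete, here is an added illustration (not code from the article, and not DJI’s backend) of the two authorization rules as a broker-side policy check. The topic layout, serial numbers and request list are constructed for the example; the point is that the weak rule lets any valid token read every device’s topics and wildcards, while the strict rule binds each topic to the serial tied to the authenticated token.

```python
import re
from dataclasses import dataclass

# Assumed topic layout (constructed for this example, not DJI's real one):
#   devices/<serial>/{telemetry,map,video}  device -> cloud
#   devices/<serial>/cmd                    app -> device
TOPIC_RE = re.compile(r"^devices/([^/]+)/(telemetry|map|video|cmd)$")
READ_CHANNELS = {"telemetry", "map", "video"}

@dataclass(frozen=True)
class Session:
    """Identity the broker derived from a validated authentication token."""
    serial: str

def weak_authorize(session, action, topic):
    """Flawed rule: authenticated is treated as authorized. Any valid token may
    subscribe to any topic, including the wildcards '+' and '#'."""
    return session is not None

def strict_authorize(session, action, topic):
    """Per-device, topic-level check: read only your own device's channels,
    publish only commands to your own device."""
    if session is None:
        return False
    if "+" in topic or "#" in topic:      # wildcards would span other owners' devices
        return False
    match = TOPIC_RE.match(topic)
    if match is None:
        return False
    serial, channel = match.groups()
    if serial != session.serial:          # the core fix: bind the topic to the token's owner
        return False
    if action == "subscribe":
        return channel in READ_CHANNELS
    return action == "publish" and channel == "cmd"

def leaked_requests(authorize, session, requests):
    """Requests the policy allows that are not scoped to the session's own device."""
    own = f"devices/{session.serial}/"
    return [(a, t) for a, t in requests if authorize(session, a, t) and not t.startswith(own)]

# Constructed sample: one authenticated owner of device SN-OWN-001 makes five requests.
OWNER = Session(serial="SN-OWN-001")
REQUESTS = [
    ("subscribe", "devices/SN-OWN-001/telemetry"),  # own device: allowed by both policies
    ("subscribe", "devices/SN-OTHER-042/video"),    # another home's camera stream
    ("subscribe", "devices/+/map"),                 # every floor plan on the broker
    ("subscribe", "#"),                             # everything
    ("publish", "devices/SN-OTHER-042/cmd"),        # drive another owner's robot
]
```

Under the weak policy, `leaked_requests` returns the four cross-device requests; under the strict policy it returns nothing, which is the property a broker ACL or backend permission check should enforce regardless of TLS.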
DJI’s Response
After the issue was reported, DJI deployed patches.
First, they restricted live video and remote control access. Then a second update was rolled out to reportedly resolve the issue fully.
The company confirmed:
- There was a backend permission validation issue
- A two-stage patch was deployed
- Users did not need to take manual action
- Communication was encrypted using TLS
- European device data is stored on U.S.-based AWS servers
They also stated that real-world misuse was rare and mostly limited to security researchers testing devices.
However, the timeline raised some concerns, since devices were still visible during demonstrations even after the initial fix was claimed.
Why This Matters
Smart home devices connecting to the cloud is normal.
But when a device includes:
- A camera
- A microphone
- Indoor mapping capabilities
The expectations for security become much higher.
When people place a camera inside their home, they assume:
- Data is encrypted
- Backend access is restricted
- Employees cannot casually view footage
- Permissions are properly enforced
If there is a flaw in backend validation, encryption alone does not solve the problem.
This Isn’t an Isolated Case
This is not the first time smart home brands have faced security concerns.
- Ecovacs devices were reportedly hijacked, with attackers chasing pets and playing offensive audio.
- A flaw was reported in the Dreame X50 Ultra that could allow live camera viewing.
- Narwal devices also had reported vulnerabilities.
In comparison, Samsung, LG, and Roborock received stronger security assessments.
This clearly shows that smart home security standards are still uneven across brands.
Transparency Matters
Security issues can happen. No system is 100% perfect.
The difference lies in:
- How quickly a company responds
- How honestly it communicates
- How clearly it acknowledges the issue
In the past, companies like Wyze and Eufy faced backlash over transparency concerns.
Building trust is difficult and losing it is easy.
Do Robot Vacuums Even Need Microphones?
A genuine question that arises is:
Do robot vacuums really need microphones? They may support voice features or diagnostics, but they also increase privacy risks. A camera already captures the layout of your home. Adding audio capture makes the potential exposure even more sensitive. The debate between convenience and privacy will likely continue to grow stronger.
The Debate Around Public Disclosure
Some believe such issues should be handled quietly through structured bug bounty programs.
Azdoufal argues that:
- He did not exploit the data.
- He did not leak private footage.
- He did not act for financial gain.
- He was simply documenting his experiment.
He believes public visibility can push companies to fix issues faster.
What Can Users Learn?
There are clear takeaways from this incident:
- Any internet-connected device carries potential risk.
- Cloud backend security is critical.
- Proper access control is essential.
- Transparency builds trust.
Practical steps users can take:
- Keep firmware updated
- Use strong passwords
- Enable two-factor authentication
- Review privacy settings
- Choose camera and microphone devices carefully
Final Thoughts
Smart homes are the future. Devices are becoming more intelligent every day. But as intelligence increases, responsibility increases too.
This case may now be fixed, but it serves as an important reminder:
Security is not just about encryption.
Authorization, backend validation, and proper access control are equally important. And when a device is mapping your bedroom, even a small misconfiguration can feel deeply uncomfortable. Ironically, after everything, one thing did succeed: the developer managed to control his DJI Romo using a PlayStation and Xbox controller.

