The story of how Sammy Azdoufal accidentally commandeered 7,000 robot vacuums across 24 countries is genuinely funny. The security architecture that made it possible is genuinely not.
Azdoufal wanted to control his DJI Romo robot vacuum with a PS5 controller - a reasonable enough project for a hobby coder. Using Claude Code AI, he reverse-engineered DJI's mobile app, extracted his own authentication token, and built a custom client to talk to DJI's servers. When he connected, approximately 7,000 robot vacuums across 24 countries began responding to his commands.
As Malwarebytes reports, the core vulnerability wasn't a sophisticated exploit. It was an architectural failure so basic that it would fail a first-year security review: DJI's MQTT message broker had no meaningful access controls. Once you authenticated with a valid device token - any device token, not necessarily yours - you could access unencrypted communications from every other device on the same broker.
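The defect described above is a broker authorization problem, not an authentication one: the token proves which device is talking, but the broker never checks whether that device is allowed to read the topics it asks for. The following added example (written for this page, not DJI's code, and assuming a hypothetical topic layout of `devices/<device_id>/...`) shows the two policies side by side: an allow-all policy in which any valid token can subscribe to every device's traffic, and a scoped policy that confines each token to its own subtree and correctly rejects wildcard subscriptions such as `devices/#` that would otherwise sweep up every other device.

```python
"""Per-device topic authorization for an MQTT broker (added illustration).

Assumptions (not from the article): topics are laid out as
'devices/<device_id>/<subtopic...>' and a device's token carries its device_id.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceIdentity:
    """What the broker learns from a successfully authenticated device token."""
    device_id: str


def topic_matches(filter_: str, topic: str) -> bool:
    """True if a concrete MQTT topic matches a subscription filter.

    MQTT wildcard rules: '+' matches exactly one level, '#' matches the rest
    of the topic (including zero further levels) and must be the last level.
    """
    f = filter_.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def filter_within(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    This is the check an allow-all broker skips: a device permitted
    'devices/abc/#' must not be able to subscribe to 'devices/#' or 'devices/+/camera'.
    """
    a = allowed.split("/")
    r = requested.split("/")
    for i, part in enumerate(a):
        if part == "#":
            return True            # allowed covers everything from here down
        if i >= len(r):
            return False           # requested is shorter, so not a sub-filter of a literal path
        if part == "+":
            if r[i] == "#":
                return False       # '#' here is broader than the single level allowed
            continue               # a literal or '+' in the request fits one level
        if r[i] != part:
            return False           # '+', '#' or a different literal is broader than allowed
    return len(a) == len(r)


def allow_all_policy(identity: DeviceIdentity, action: str, topic: str) -> bool:
    """The failure mode the article describes: authenticated means authorized for everything."""
    return True


def scoped_policy(identity: DeviceIdentity, action: str, topic: str) -> bool:
    """Hardened policy: a device token may only touch its own topic subtree."""
    allowed = f"devices/{identity.device_id}/#"
    if action == "subscribe":
        return filter_within(allowed, topic)
    if action == "publish":
        if "+" in topic or "#" in topic:
            return False           # wildcards are invalid in a publish topic
        return topic_matches(allowed, topic)
    return False                   # unknown actions are denied by default


# Constructed sample requests: a token for device 'abc' asking for various topics.
SAMPLE_REQUESTS = [
    ("subscribe", "devices/abc/status"),        # own device
    ("subscribe", "devices/abc/camera/#"),      # own subtree
    ("subscribe", "devices/#"),                 # every device on the broker
    ("subscribe", "devices/+/camera/stream"),   # every device's camera
    ("subscribe", "devices/xyz/map"),           # another device's floor plan
    ("publish", "devices/xyz/cmd"),             # command another device
]


def evaluate(policy, device_id: str = "abc") -> dict:
    """Run every sample request through a policy; returns {(action, topic): allowed}."""
    identity = DeviceIdentity(device_id)
    return {(act, top): policy(identity, act, top) for act, top in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, policy in (("allow-all", allow_all_policy), ("scoped", scoped_policy)):
        print(f"--- {name} policy ---")
        for (act, top), ok in evaluate(policy).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {act:9} {top}")
```

Under the scoped policy only the first two requests are allowed; under the allow-all policy all six pass, which is the condition that lets one valid token read every other device's feeds. Real brokers expose this as configuration rather than code (Mosquitto's `acl_file` with a `pattern readwrite devices/%u/#` line expresses the same per-client confinement), but the broker still has to be told to enforce it.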
Let's be precise about what Azdoufal could access: live camera feeds from vacuums in people's homes, onboard microphone recordings, and floor plans of private residences. He demonstrated the scope by locating a specific journalist's robot vacuum, verifying its activity and physical location. The breach extended beyond vacuums to DJI's Power battery stations, which share the same infrastructure.
This is the IoT security nightmare that researchers have been warning about for a decade, except in this case the discovery was accidental and the discoverer was responsible rather than malicious. The next person to find this vulnerability might not be a hobby coder building a PS5 controller interface.
The DJI response made things worse. The company initially claimed fixes had been implemented before Azdoufal publicly demonstrated the vulnerability. He later identified remaining unpatched vulnerabilities, including a PIN bypass affecting camera feeds. Claiming a fix before it's verified is exactly the wrong response to a responsible disclosure.
The broader lesson here is structural. The IoT industry has grown faster than its security practices. Manufacturers compete fiercely on features and price, and security engineering is expensive. The incentive structure doesn't reward getting security right - it rewards shipping products quickly. The consumer buying a DJI robot vacuum isn't buying a They're buying a vacuum that they can control with their phone.
