The story of how Sammy Azdoufal accidentally commandeered 7,000 robot vacuums across 24 countries is genuinely funny. The security architecture that made it possible is genuinely not.
Azdoufal wanted to control his DJI Romo robot vacuum with a PS5 controller - a reasonable enough project for a hobby coder. Using Claude Code, an AI coding assistant, he reverse-engineered DJI's mobile app, extracted his own authentication token, and built a custom client that spoke to DJI's servers directly. When he connected, approximately 7,000 robot vacuums across 24 countries began responding to his commands.
As Malwarebytes reports, the core vulnerability wasn't a sophisticated exploit. It was an architectural failure so basic that it would fail a first-year security review: DJI's MQTT message broker checked that a client was authenticated, but not what that client was authorized to see. Once a client presented a valid device token - any device token, not necessarily its own - the broker let it subscribe to the unencrypted traffic of every other device it served.
Let's be precise about what Azdoufal could access: live camera feeds from vacuums in people's homes, onboard microphone recordings, and floor plans of private residences. He demonstrated the scope by locating a specific journalist's robot vacuum, verifying its activity and physical location. The breach extended beyond vacuums to DJI's Power battery stations, which share the same infrastructure.
This is the IoT security nightmare that researchers have been warning about for a decade, except in this case the discovery was accidental and the discoverer was responsible rather than malicious. The next person to find this vulnerability might not be a hobby coder building a PS5 controller interface.
DJI's response made things worse. The company initially claimed that fixes were already in place before Azdoufal publicly demonstrated the vulnerability; he then identified further unpatched issues, including a PIN bypass affecting camera feeds. Claiming a fix before it has been verified is exactly the wrong response to a responsible disclosure.
The broader lesson here is structural. The IoT industry has grown faster than its security practices. Manufacturers compete fiercely on features and price, and security engineering is expensive. The incentive structure doesn't reward getting security right - it rewards shipping products quickly. The consumer buying a DJI robot vacuum isn't buying a "secure connected device." They're buying a vacuum that they can control with their phone.
What does responsible IoT security actually look like? It means per-device authorization on the message broker, not just authentication: a client that authenticated as device A may publish and subscribe only within A's own topics, and can never receive messages intended for device B, no matter which wildcard it asks for. It means encrypting device traffic so that a broker-level leak exposes ciphertext rather than camera frames and floor plans. It means threat modeling that includes "what if an attacker gets a valid authentication token?" and designing so that one stolen token compromises one device, not the fleet. These aren't exotic requirements - they're basic network security principles.
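What the first of those requirements looks like in practice, as an added illustration rather than anything from DJI's platform or the Malwarebytes report: a broker-side authorization hook that scopes each authenticated client to its own device's topic subtree. The `devices/<device_id>/...` topic layout, the device identifiers and the list of attempted requests are assumptions made for the example. The permissive policy is the situation the article describes; the naive prefix check is the half-fix a hurried team often ships, and it still leaks across device ids that share a prefix.

```python
"""Per-device topic authorization for an MQTT broker (illustrative).

Added example, not DJI's code. Assumed topic layout: devices/<device_id>/...
The broker has already authenticated the client and bound it to a Principal;
these functions answer the authorization question the article says was
never asked: may this client publish to, or subscribe on, this topic at all?
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Principal:
    """Identity the broker derived from the client's authentication token."""
    device_id: str


# acl(principal, topic_or_filter, action) -> allowed?  action is "publish" or "subscribe"
Acl = Callable[[Principal, str, str], bool]


def permissive_acl(principal: Principal, topic: str, action: str) -> bool:
    """The failure mode described above: authentication is the only gate, so a
    client holding any one valid token can subscribe to every device's traffic."""
    return True


def naive_prefix_acl(principal: Principal, topic: str, action: str) -> bool:
    """A tempting half-fix. It blocks 'devices/#' and 'devices/+/camera', but a
    bare string prefix has no level boundary, so device 'romo-1234' still reads
    'devices/romo-12345/...', and wildcard placement is never validated."""
    return topic.startswith(f"devices/{principal.device_id}")


def scoped_acl(principal: Principal, topic: str, action: str) -> bool:
    """Hardened check: compare topic levels, not characters.

    - level 0 must be the literal 'devices' (this also rejects '#' and '$share/...')
    - level 1 must equal the principal's device id exactly, so '+' or '#' there fails
    - remaining levels must follow MQTT wildcard rules ('#' only as the last level,
      '+' and '#' only as whole levels), and publish topics must be wildcard-free
    """
    levels = topic.split("/")
    if len(levels) < 3:  # need at least devices/<id>/<something>
        return False
    if levels[0] != "devices" or levels[1] != principal.device_id:
        return False
    rest = levels[2:]
    for i, level in enumerate(rest):
        if level == "":  # empty levels are legal MQTT but never part of this layout
            return False
        if level == "#":
            if i != len(rest) - 1:
                return False
        elif "#" in level or ("+" in level and level != "+"):
            return False  # wildcard glued to text, e.g. 'cam#' or 'a+b'
    if action == "publish" and any(level in ("+", "#") for level in rest):
        return False  # MQTT publish topics must be literal
    return True


# Constructed requests: what someone holding device romo-1234's token might try.
ATTEMPTS: List[Tuple[str, str]] = [
    ("devices/romo-1234/camera/#", "subscribe"),   # own feed: legitimate
    ("devices/romo-1234/cmd", "publish"),          # own commands: legitimate
    ("devices/romo-5678/camera", "subscribe"),     # another home's camera
    ("devices/+/camera", "subscribe"),             # every home's camera
    ("devices/#", "subscribe"),                    # the whole fleet
    ("#", "subscribe"),                            # everything on the broker
    ("devices/romo-12345/map", "subscribe"),       # id that shares a prefix
    ("devices/romo-1234/#", "publish"),            # wildcard in a publish
]


def evaluate(acl: Acl, principal: Principal) -> List[bool]:
    """Decisions for ATTEMPTS under one policy, in the same order."""
    return [acl(principal, topic, action) for topic, action in ATTEMPTS]


if __name__ == "__main__":
    me = Principal("romo-1234")
    policies = (("permissive", permissive_acl),
                ("naive_prefix", naive_prefix_acl),
                ("scoped", scoped_acl))
    for name, acl in policies:
        print(f"{name:13}", ["allow" if d else "deny" for d in evaluate(acl, me)])
```

Only the scoped policy denies every cross-device request while still allowing the device's own feed and command topics. A real broker would wire `scoped_acl` into its authorization plugin (Mosquitto, EMQX and VerneMQ all expose such a hook) and derive `device_id` from the token it already validated, so a stolen token never widens beyond the device it was issued to.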
The technology to build secure IoT devices exists. It's not particularly expensive. What's missing is the regulatory requirement to do so. Until IoT security failures carry real consequences for manufacturers - liability, mandatory recalls, market access restrictions - the economics of cheap and fast will continue to win over expensive and secure. And hobby coders will keep accidentally discovering that they control an army of your appliances.

