Your Robot Vacuum Is Watching: How a PlayStation Experiment Exposed the Alarming State of Consumer Tech Security
Sammy Azdoufal just wanted to have fun with his robot vacuum. The French programmer had spent $2,000 on a DJI Romo — one of the most advanced robotic vacuums on the market, complete with onboard cameras, microphones, and AI-powered navigation. His idea was simple: use an AI coding assistant to reverse-engineer the vacuum's communication protocol so he could steer it around his apartment with a PlayStation 5 controller, like driving a car in a video game [1].
What happened next became one of the most disturbing consumer tech security stories of the year. When Azdoufal's homebrew application connected to DJI's servers, it didn't just reach his vacuum. Roughly 7,000 robot vacuums across 24 countries started answering back [2]. With a few more keystrokes, he could watch live camera feeds, listen through onboard microphones, and generate detailed 2D floor plans of strangers' private homes — all from another country.
"I just want this fixed," Azdoufal told reporters [3]. DJI eventually agreed, patching the vulnerability and paying him a $30,000 bug bounty. But the incident is far more than a quirky tech story about a PlayStation controller and a vacuum cleaner. It is a window into a systemic security crisis that extends across the entire consumer technology landscape — one that affects billions of devices sitting in homes, pockets, and on wrists around the world.
The Anatomy of a Catastrophic Flaw
The technical root cause of the DJI Romo vulnerability was startlingly basic. The vacuums communicate with DJI's cloud using MQTT, a lightweight messaging protocol standard in IoT devices. Properly configured, MQTT servers should enforce strict topic-level access controls — ensuring that each authenticated device can only see its own data streams [4].
DJI's implementation did no such thing. Once Azdoufal authenticated with a single valid device token, the server treated him as the effective owner of every active Romo unit on the network [4]. Security researchers later classified this as a textbook case of Broken Object Level Authorization (BOLA), one of the most common and well-documented API security flaws [5].
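As an added illustration (not DJI's code or a reconstruction of it), the following Python models the broker-side check the article says was missing: an authorizer that admits any topic filter once the caller is authenticated, beside one that confines each subscription to the caller's own device subtree. The 'devices/<serial>/<stream>' topic layout, the serial numbers and the retained messages are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample of what a cloud broker holds: one retained message per
# device stream. The serial numbers and the 'devices/<serial>/<stream>' topic
# layout are assumptions made for this example, not DJI's.
RETAINED = {
    "devices/SN0001/telemetry": '{"battery": 80, "room": "living room"}',
    "devices/SN0001/map": "<floor plan held for SN0001>",
    "devices/SN0002/telemetry": '{"battery": 35, "room": "kitchen"}',
    "devices/SN0003/map": "<floor plan held for SN0003>",
}

@dataclass(frozen=True)
class Session:
    """Identity the broker bound to the client when its token was validated."""
    device_id: str  # assumed to contain no '/' and no wildcard characters

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT wildcard semantics: '+' matches one level, '#' all remaining levels.
    Filters are assumed spec-valid ('#' only as the final level)."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def authorize_subscribe_vulnerable(session: Session, topic_filter: str) -> bool:
    """The BOLA pattern: the caller is authenticated, but nothing checks that
    the topics it asks for belong to it."""
    return session is not None

def authorize_subscribe_isolated(session: Session, topic_filter: str) -> bool:
    """Grant a filter only if every topic it can match lies under the caller's
    own subtree. A wildcard in the owner level would span other owners' data,
    so 'devices/#' and 'devices/+/map' are refused outright, not narrowed."""
    levels = topic_filter.split("/")
    return (len(levels) >= 2 and levels[0] == "devices"
            and levels[1] == session.device_id)

def deliver(session: Session, topic_filter: str,
            authorize: Callable[[Session, str], bool]) -> List[str]:
    """Topics the subscription would actually receive under a given authorizer."""
    if not authorize(session, topic_filter):
        return []
    return sorted(t for t in RETAINED if topic_matches(topic_filter, t))

if __name__ == "__main__":
    me = Session("SN0001")
    print(deliver(me, "devices/#", authorize_subscribe_vulnerable))  # all four
    print(deliver(me, "devices/#", authorize_subscribe_isolated))    # []
    print(deliver(me, "devices/SN0001/#", authorize_subscribe_isolated))
```

The same ownership check belongs on publish as well: a client may only write under its own subtree, otherwise one device can inject commands into another's.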
The exposed data was staggering. Azdoufal captured more than 100,000 MQTT messages from approximately 6,700 vacuums. Including other DJI products sharing the same infrastructure, the exposed inventory surpassed 10,000 devices [5]. To demonstrate the severity, he pinpointed a journalist's specific vacuum by its 14-digit serial number, confirmed it was cleaning the living room at 80% battery, and produced an accurate floor plan of their home — all from a different country [1].
Perhaps most troubling: roughly half an hour after DJI issued a statement claiming the vulnerability was resolved, Azdoufal reported he could still control thousands of vacuums remotely [6]. Additional weaknesses remained, including the ability to view camera streams without the required security PIN.
DJI eventually deployed server-side patches on February 8 and 10, 2026, requiring no firmware updates to the robots themselves [4]. The company confirmed a $30,000 bug bounty payment to Azdoufal in March 2026.
A Pattern, Not an Anomaly
The DJI Romo incident might seem extraordinary, but it fits neatly into an escalating pattern of consumer tech security failures — particularly involving robot vacuums.
In October 2024, Ecovacs Deebot X2 vacuums were hijacked across multiple U.S. cities in one of the most viscerally disturbing IoT security incidents on record. Hackers commandeered the devices to shout racial slurs through their onboard speakers and chase family pets around homes [7]. In one case, Minnesota lawyer Daniel Swenson's vacuum was taken over while his family was home. In Los Angeles, a hacked Deebot X2 chased a dog while projecting offensive language. In El Paso, Texas, another unit screamed obscenities at its owner until it was physically unplugged [8].
The Ecovacs vulnerability, disclosed at the DEF CON security conference by researchers Dennis Giese and Braelynn Luedtke, was equally fundamental. Anyone with a smartphone could connect to an Ecovacs robot via Bluetooth from up to 450 feet away during a brief window, injecting commands that granted full control [9]. The PIN protecting the vacuum's camera feed was checked only on the client side — meaning it could be bypassed entirely by anyone communicating directly with the server, an oversight that security professionals describe as almost negligent [9].
Ecovacs promised fixes for November 2024, but the damage — to consumer trust, to the people who were harassed in their own homes — was already done [10].
The Scale of the Smart Home Attack Surface
These incidents exist within a vastly larger problem. The number of connected IoT devices globally has grown to an estimated 21.1 billion in 2025, up 14% from the prior year [11]. Smart home household penetration has reached 77.6% in the United States, with the global market valued at $147.5 billion [12]. By 2026, global smart home device shipments are projected to approach 1.25 billion units annually [12].
Each of those devices is a potential entry point. According to a joint study by Bitdefender and Netgear, 13.6 billion attacks were detected on consumer IoT devices between January and October 2025 alone — an average of roughly 820,000 attacks per day globally [13]. The average connected household, with approximately 22 IoT devices, faces nearly 30 cyberattacks every 24 hours [14].
The underlying vulnerabilities are well-documented and persistently unaddressed. An estimated 20% of IoT devices remain protected only by default login credentials, while 33% of devices globally run outdated firmware containing known, exploitable security flaws [13]. Sixty percent of IoT breaches trace back to unpatched firmware [15].
Beyond Vacuums: The Broader Consumer Tech Security Crisis
Robot vacuums have become the poster children for IoT insecurity, but the crisis extends across every category of consumer technology.
Smart TVs and streaming devices: In July 2025, Google, Human Security, and Trend Micro disclosed BadBox 2.0, the largest known botnet of internet-connected televisions. More than 10 million smart TVs, digital projectors, in-car infotainment systems, and digital picture frames had been compromised and recruited into a massive botnet [15].
IoT data exposure: A misconfiguration at Mars Hydro, a grow-light manufacturer, exposed 2.7 billion IoT device records — one of the largest data exposures in IoT history [15].
Streaming platforms: Roku experienced two breaches, with the first in March 2024 compromising 15,000 user accounts and the second in April resulting in 576,000 leaked accounts [15].
Smart cameras and doorbells: A Ring camera in a child's bedroom was accessed by an intruder in a widely publicized incident, while in Italy, attackers exploited insecure IP cameras to stream footage from private homes and retail fitting rooms across Telegram [14].
Emerging attack vectors: A software flaw known as React2Shell (CVE-2025-55182) has been actively exploited in cyberattacks against connected home devices, representing a new class of vulnerability affecting multiple manufacturers' products [16].
The consequences are not theoretical. A single vulnerable device can serve as a beachhead for accessing an entire home network, including computers, phones, and financial accounts. The 22.2 terabit-per-second distributed denial-of-service attack recorded in 2025 — one of the largest ever — was fueled entirely by a botnet of compromised consumer routers and IoT devices [14].
The AI Dimension: A New Threat Multiplier
The DJI Romo incident introduced a new wrinkle to the consumer tech security equation: the role of AI tools in vulnerability discovery. Azdoufal used Anthropic's Claude Code, an AI coding assistant, to decompile DJI's mobile app, understand its communication protocol, extract his authentication token, and build the custom client that ultimately exposed the flaw [1].
The implications cut both ways. AI tools are lowering the barrier to security research, enabling hobbyists and ethical hackers to discover vulnerabilities that might otherwise remain hidden. But they are also lowering the barrier for malicious actors. What once required specialized expertise — decompiling apps, reverse-engineering protocols, crafting exploit code — can now be accomplished with natural-language prompts to an AI assistant.
"This is a preview of what the next generation of cyberattacks will look like," the International Association of Privacy Professionals noted in an analysis of the incident [17]. The concern is not that Azdoufal had malicious intent — he clearly did not. The concern is that the same techniques, powered by increasingly capable AI tools, will be used by those who do.
The Regulatory Response: Too Little, Too Late?
Governments are slowly responding to the crisis, though critics argue the regulatory framework remains years behind the threat landscape.
The UK's Product Security and Telecommunications Infrastructure (PSTI) Act, which took effect in April 2024, became the world's first law banning default passwords on consumer smart devices [18]. It requires manufacturers to provide a vulnerability disclosure contact and state the minimum period for security updates. Non-compliance can result in fines of up to £10 million or 4% of global annual revenue.
The European Union's Cyber Resilience Act (CRA) takes a broader approach, mandating security-by-design for virtually all products with digital elements sold in the bloc [19]. The CRA is being phased in from September 2026 to December 2027, with fines up to €15 million for non-compliance. The EU's Radio Equipment Directive (RED) added mandatory cybersecurity compliance requirements effective August 2025 [19].
In the United States, regulatory action has been more fragmented. While Samsung has launched a bug bounty program offering up to $1 million for critical mobile device vulnerabilities [20], and DJI paid Azdoufal his $30,000 bounty, the broader industry remains resistant to comprehensive security standards. A Consumer Reports survey found that 28% of the 75 smart home device makers studied did not even have an easily discoverable way for security researchers to report vulnerabilities [21].
What Consumers Can Do — and What They Shouldn't Have To
Security experts consistently recommend basic protective measures: changing default passwords, enabling automatic firmware updates, segmenting IoT devices onto a separate network, and researching manufacturers' security track records before purchasing.
But there is a growing consensus that the burden of securing consumer technology should not fall primarily on consumers. The devices that failed in every incident described above — DJI's vacuums, Ecovacs' vacuums, compromised smart TVs, insecure cameras — were purchased by ordinary people who had every reason to expect they would work safely out of the box.
"The fact that a hobbyist with a PlayStation controller and an AI coding assistant can accidentally take over thousands of devices in dozens of countries tells you everything you need to know about the state of IoT security," wrote Malwarebytes researcher Pieter Arntz [22]. "These aren't sophisticated state-sponsored attacks. These are basic, well-known security failures that any competent engineering team should have caught before a single unit shipped."
The DJI Romo incident ended relatively well — a responsible researcher, a bug bounty paid, a vulnerability patched. But for every Sammy Azdoufal who reports what they find, the question remains: how many others, with different intentions, have already found similar doors left unlocked?
As 21 billion connected devices sit in homes worldwide, with a billion more shipping every year, the answer to that question grows more urgent by the day.
Sources (22)
- [1] User accidentally gains control of over 6,700 robot vacuums while tinkering with PlayStation controller (tomshardware.com)
Sammy Azdoufal used an AI coding assistant to reverse-engineer his DJI Romo's communication protocols, inadvertently gaining access to 6,700 vacuums across 24 countries including live camera feeds and floor plans.
- [2] A Hobbyist Accidentally Hacked 7000 DJI Robot Vacuums Using a PlayStation Controller (zmescience.com)
A French hobbyist accidentally hacked approximately 7,000 DJI Romo robot vacuums across 24 countries while attempting to control his own device with a PlayStation 5 controller.
- [3] 'I just want this fixed': DJI Romo owner was able to hack into thousands of robovacs across the world (techradar.com)
DJI Romo owner Sammy Azdoufal gained access to thousands of robot vacuums worldwide through a cloud server vulnerability, telling reporters he simply wanted the security flaw fixed.
- [4] DJI Romo flaw: MQTT isolation failure and Cloud BOLA (cosmo-edge.com)
Technical analysis reveals DJI's MQTT message broker had no topic-level access controls, allowing any authenticated user to subscribe to thousands of devices' data streams in a textbook Broken Object Level Authorization failure.
- [5] Robot Control Vulnerability Exposes 10,000 DJI Devices (aicerts.ai)
Including other DJI products sharing the same infrastructure, the exposed inventory surpassed 10,000 devices. The vulnerability was classified as a classic Broken Object Level Authorization (BOLA) flaw.
- [6] DJI ROMO Security Breach: Researcher Remotely Accessed 7,000 Home Cameras — And One Hole Remains (dronexl.co)
Roughly half an hour after DJI sent its statement claiming the issue was resolved, Azdoufal reported he could still control thousands of vacuums remotely, and additional weaknesses remained.
- [7] Hacked Ecovacs robot vacuums go berserk yelling racial slurs and chasing dogs (cybernews.com)
Hackers commandeered Ecovacs Deebot X2 vacuums across US cities in 2024, using them to shout racial slurs through speakers and chase family pets around homes.
- [8] Robot vacuum cleaners yell racial slurs, chase pets after cyber attack (cyberdaily.au)
In May 2024, multiple Ecovacs Deebot X2 vacuums were hijacked across the US, with incidents in Minnesota, Los Angeles, and El Paso involving harassment of families and pets.
- [9] Ecovacs home robots can be hacked to spy on their owners, researchers say (techcrunch.com)
Security researchers revealed that anyone within Bluetooth range of approximately 450 feet could connect to Ecovacs robots and gain full control, including camera and microphone access.
- [10] Security fix for Ecovacs Deebot X2 coming in November 2024 (digitalreviews.net)
Ecovacs promised to address the security vulnerability in the Deebot X2 through an OTA firmware update in November 2024, after the PIN bypass flaw was publicly disclosed.
- [11] Number of connected IoT devices growing 14% to 21.1 billion (iot-analytics.com)
The number of connected IoT devices globally has grown 14% year-over-year to reach 21.1 billion in 2025, with continued rapid growth projected.
- [12] 38 Smart Home Automation Market Statistics (2026 Data) (clearlyautomated.co.uk)
The global smart home market reached $147.5 billion in 2025 with household penetration at 77.6% in the US. Device shipments are projected to approach 1.25 billion by 2026.
- [13] IoT Hacking Statistics 2025: Threats, Risks & Regulations (deepstrike.io)
13.6 billion IoT attacks were detected between January and October 2025, averaging 820,000 daily attacks. 20% of IoT devices are still protected only by default credentials.
- [14] Report: Average Smart Home Faces 29 Cybersecurity Attacks Daily (cepro.com)
The average connected household with 22 IoT devices faces nearly 30 cyberattacks every 24 hours, with a 22.2 Tbps DDoS attack fueled by compromised IoT devices recorded in 2025.
- [15] The Top Internet of Things (IoT) Cybersecurity Breaches in 2025 (asimily.com)
Major 2025 IoT breaches include BadBox 2.0 compromising 10 million smart TVs, Mars Hydro exposing 2.7 billion records, and Roku's 576,000 leaked accounts.
- [16] New Wave of Online Attacks Puts Connected Home Devices at Risk (cepro.com)
The React2Shell vulnerability (CVE-2025-55182) is being actively exploited in cyberattacks against connected home devices, representing a new class of threat affecting multiple manufacturers.
- [17] What an accidental hack of robot vacuums can teach us about the next generation of cyberattacks (iapp.org)
IAPP analysis explores how AI-assisted vulnerability discovery, as demonstrated in the DJI Romo incident, previews what the next generation of cyberattacks will look like.
- [18] New UK Smart Device Security Law Comes into Force Today (infosecurity-magazine.com)
The UK's PSTI Act became the world's first law banning default passwords on consumer smart devices, with fines up to £10 million or 4% of global revenue for non-compliance.
- [19] Cyber Resilience Act | European Commission (digital-strategy.ec.europa.eu)
The EU's Cyber Resilience Act mandates security-by-design for all products with digital elements, phased in from September 2026 to December 2027 with fines up to €15 million.
- [20] 9 top bug bounty programs launched in 2025 (csoonline.com)
Samsung launched a bug bounty offering up to $1 million for critical mobile device vulnerabilities, reflecting a broader industry trend toward expanded security research programs.
- [21] More Smart Home Companies Want to Hear from Security Researchers (innovation.consumerreports.org)
Consumer Reports survey found that 28% of 75 smart home device makers did not have an easily discoverable way for researchers to report security vulnerabilities.
- [22] Hobby coder accidentally creates vacuum robot army (malwarebytes.com)
Malwarebytes analysis describes the DJI Romo vulnerability as a basic, well-known security failure that any competent engineering team should have caught before shipping.