A man who attempted to control a robot vacuum using a PlayStation controller revealed that he inadvertently gained access to the homes of numerous people. Samy Azdufal, who leads AI Strategy at a Spanish vacation rental firm, created a custom application to operate the DJI Romo robot vacuum with a PS5 gamepad. He explained to The Verge that he employed Anthropic’s Claude Code to understand how the vacuum connects with DJI’s cloud system. Surprisingly, instead of just interfacing with his own device, around 6,700 vacuum cleaners across 24 countries responded to him as an operator just nine minutes after he started chatting with a reporter.
Azdoufal claimed this access allowed him to watch live video feeds, listen via the vacuum’s microphone, track cleaning activities, and even generate detailed floor plans of various homes. Reportedly, an IP address could reveal a device’s approximate location. He clarified that he never hacked into DJI’s systems; rather, he used the security token from his own vacuum, which led to the company’s servers disclosing data from thousands of other units. “I didn’t break any rules,” he insisted.
He reported the security flaw to the dealer using the vacuum’s 14-digit serial number, and he could determine the device’s battery status and the room it was cleaning merely with this code.
A spokesperson for DJI stated that the company has addressed the vulnerability. However, shortly after, Azdoufal demonstrated that he still had access to numerous devices. After contacting DJI, he found he could no longer control The Verge’s vacuum or tap into its video and microphone feeds.
DJI admitted there was a “backend permission validation issue” and mentioned that it had released two patches in early February, but Azdoufal argued that more vulnerabilities still exist.
This report comes amidst ongoing national security concerns regarding DJI. The FCC added Chinese drone manufacturers to its list of concerns in late 2025 after a review deemed foreign drones a significant risk. Republican Senator Rick Scott from Florida is pushing to revoke DJI’s FCC authorizations granted post-December 2024.
In 2025, South Korea’s Consumer Affairs Agency tested several robot vacuums and found considerable flaws in three models produced in China. They discovered that Dreame’s X50 Ultra could allow hackers to remotely activate its camera, while Narwal and Ecovacs’ models lacked proper security, which could expose images taken while they cleaned. In contrast, Samsung and LG products performed better in evaluations.
Security researcher Kevin Finisterre mentioned that housing data on U.S. servers doesn’t guarantee protection from access by DJI’s Chinese employees. “It’s quite odd to see a microphone atop a vacuum cleaner,” Azdoufal commented.
