User Tries to Control Vacuum With PlayStation Controller – Gains Control of Over 6700 Devices

Weird security flaws are nothing new, but this one is certainly one of the more amusing and scary ones. An owner of the DJI Romo, a type of robot vacuum, uncovered a pretty serious security flaw while trying to tinker with it. They built an app in an attempt to control their Romo with a PlayStation controller, which as a concept is a pretty cool idea, being able to drive it around.

Reports say that the app they created allowed them to retrieve floor plans, access the devices camera, microphone feeds, and of course, control the device remotely. Unfortunately, while user Sammy Adoufal was using the Claude Code AI to reverse engineer the DJI Romo protocols, they didn’t just get access to their own device, but 6700 of them instead. Yup, an AI tool allowed Sammy to unlock his own remote controlled robot army, and of course, more alarmingly to view the video and audio feeds of peoples personal devices.

DJI Romo Remote Control

This isn’t even like he hacked the thing either, as simply obtaining his own private key for his own Romo was all it took to gain control of so many. Azdoufal said “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” which only goes to show that their security was paper thin at best.

But thankfully, he didn’t have hostile intentions, or seemingly even friendly ones, as he could have hoovered a few peoples houses if he wanted. He reached out to DJI and informed them about the issue, who resolved the issue through a series of updates that didn’t require action from their users. Although he said he was still aware of a few outstanding issues that need to be addressed; like being able to stream the video feeds without the use of a security PIN, and the use of data stored in plain text without encryption.

“DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.” DJI said in a statement to The Verge.

DJI Romo – Video Stream & Robot Control

This is the problem with many IoT smart devices, they’re connected to the cloud, always online, and often have pretty weak network security. However, there is a silver linning, they released the DJI Romo Video Control on GitHub, so if you did want to control your hoover with a DualSense controller, and stream the video and audio, then you can download the tools to do so here.

• Live video from the robot’s camera via Agora WebRTC
• Keyboard control (ZQSD/WASD + arrow keys)
• On-screen joystick with mouse/touch support
• PS5 DualSense gamepad via WebHID (works on macOS where the standard Gamepad API doesn’t detect DualSense over Bluetooth)
• Xbox controller (One S, Series X|S) via WebHID
• Go Home command (Triangle on DualSense / Y on Xbox)
• Low-latency control via Agora DataStream at 10Hz