DJI says it has patched a security issue affecting its Romo robot vacuum, after a researcher reported unusually broad access to devices communicating with DJI’s cloud services. The researcher, Sammy Azdoufal, said he discovered the problem while building a remote-control app for his own Romo and then seeing thousands of devices respond when his app connected to DJI infrastructure.
According to DJI, the root cause was a backend permission validation issue connected to MQTT-based communication between devices and the server. In a statement, the company said remediation was deployed in two updates, with an initial fix rolled out on February 8 and a follow-up completed on February 10. DJI said the fix was delivered automatically and requires no user action.
Azdoufal claimed he could observe device telemetry such as identifiers and status information, and that access paths could, in theory, be abused to reach live video feeds in some circumstances. DJI said its investigation found that suspected activity was largely linked to independent researchers testing their own devices, while adding that it has no evidence of broader impact.
The incident highlights the privacy risks of connected home devices that include cameras and microphones. Even when data is encrypted in transit, access control and server-side permissions determine what authenticated clients can request and view. DJI’s public security resources, including its vulnerability reporting channels, are available via the DJI Security Response Center.
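The point about server-side permissions can be made concrete with a broker-side subscription check. This is an added example, not code from DJI or from this report: the topic layout `devices/<serial>/...`, the ownership table and the function names are all assumptions chosen for illustration.

```python
# Added illustration. Assumed topic layout: devices/<serial>/<channel...>
# (hypothetical, not DJI's). Accounts and serials are constructed sample data.
OWNERSHIP = {"alice": {"SN-A1", "SN-A2"}, "bob": {"SN-B1"}}


def well_formed(levels):
    """MQTT filter syntax: a wildcard fills a whole level, '#' only comes last."""
    for i, lvl in enumerate(levels):
        if lvl == "#" and i != len(levels) - 1:
            return False
        if lvl not in ("+", "#") and ("+" in lvl or "#" in lvl):
            return False
    return True


def authorize_subscribe(account, topic_filter):
    """Broker-side check run on every SUBSCRIBE, after authentication.

    Allow a filter only if its first two levels are literally 'devices' and a
    serial bound to this account; wildcards may appear only below that prefix.
    """
    levels = topic_filter.split("/")
    if not well_formed(levels) or len(levels) < 2 or levels[0] != "devices":
        return False  # also rejects '#', '$SYS/#', '$share/...' and the like
    return levels[1] in OWNERSHIP.get(account, set())


def filter_matches(topic_filter, topic):
    """Standard MQTT matching, used here to show what a filter would deliver."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, lvl in enumerate(f):
        if lvl == "#":
            return True
        if i >= len(t) or (lvl != "+" and lvl != t[i]):
            return False
    return len(f) == len(t)


if __name__ == "__main__":
    foreign = "devices/SN-B1/status"  # a topic for a device alice does not own
    for flt in ["devices/SN-A1/#", "devices/+/status", "#", "devices/SN-B1/#"]:
        print(f"{flt:20} allowed={authorize_subscribe('alice', flt)!s:5} "
              f"would_match_foreign={filter_matches(flt, foreign)}")
```

The check is applied to the subscription filter itself, because a filter containing a wildcard above the device level would match other accounts' topics even though the client is authenticated and the session is encrypted.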
DJI has been under scrutiny in multiple markets over security-related concerns, and the Romo episode may add to that debate.








