Overview
- Software engineer Sammy Azdoufal says a single device token let him view live video, hear audio, generate floor plans, and see metadata from DJI Romo units.
- The exposure stemmed from a backend permission-validation error in DJI’s MQTT-based cloud that treated one valid token as owner credentials for many devices.
- Using an AI coding assistant to reverse-engineer his own robot’s traffic, Azdoufal counted roughly 6,700–7,000 vacuums across about 24 countries.
- DJI says it identified the issue in late January and deployed two server-side fixes in early February with no user action required, and Azdoufal later confirmed access had ceased.
- Azdoufal alleges further weaknesses, including a PIN bypass for video and claims that data is stored in plaintext; those claims remain under review, while experts warn that AI tools are accelerating the discovery of such flaws.
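The permission-validation error described above is an authorization check that confirms a token is valid but never binds it to the device whose topic is requested. The following is an added illustrative model of that gap beside the corrected check; it is not DJI's code, and the topic layout, token structure and function names are assumptions made for the example.

```python
# Illustrative model of a device-token authorization check for an MQTT-style
# cloud backend. Not DJI's code; topic format and names are assumptions.
from dataclasses import dataclass


@dataclass
class DeviceToken:
    token_id: str
    device_id: str   # the single device this token was issued for
    owner_id: str


# Constructed sample: tokens issued to two owners for two different robots.
TOKENS = {
    "tok-A": DeviceToken("tok-A", "robot-0001", "alice"),
    "tok-B": DeviceToken("tok-B", "robot-0002", "bob"),
}


def topic_device(topic: str) -> str:
    """Extract the device id from a topic such as 'devices/robot-0002/video'."""
    parts = topic.split("/")
    if len(parts) < 3 or parts[0] != "devices" or not parts[1]:
        raise ValueError(f"unexpected topic format: {topic}")
    return parts[1]


def authorize_weak(token_id: str, topic: str) -> bool:
    """Broken check: any valid token is treated as the owner of any device.

    The token is authenticated but never compared with the device in the
    topic, so one legitimate token reaches every device's streams."""
    return token_id in TOKENS


def authorize_fixed(token_id: str, topic: str) -> bool:
    """Corrected check: the token must be bound to the device in the topic."""
    tok = TOKENS.get(token_id)
    if tok is None:
        return False
    try:
        return tok.device_id == topic_device(topic)
    except ValueError:
        return False   # malformed topics are denied, not passed through


def audit_grants(token_id: str, topics, check=authorize_fixed):
    """Topics a token would be granted under a check; use it to regression-test
    an ACL change against a recorded list of subscribed topics."""
    return [t for t in topics if check(token_id, t)]
```

Running `audit_grants` with `authorize_weak` against a list of other owners' topics is the quickest way to see how many foreign devices a single token would have reached before the fix.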