DJI has patched a security issue affecting its Romo robot vacuum after a researcher reported unusually broad access to devices communicating with DJI’s cloud services, raising concerns about connected home device privacy.
The researcher, Sammy Azdoufal, discovered the problem while building a remote-control app for his own Romo and observed thousands of devices respond when his app connected to DJI infrastructure. According to DJI, the root cause was a backend permission validation issue connected to MQTT-based communication between devices and the server.
In a statement, DJI said remediation was deployed in two updates, with an initial fix rolled out on February 8 and a follow-up completed on February 10. The company stated that the fix was delivered automatically and requires no user action. Azdoufal claimed he could observe device telemetry such as identifiers and status information, and that access paths could, in theory, be abused to reach live video feeds in some circumstances.
DJI’s investigation found that suspected activity was largely linked to independent researchers testing their own devices, while adding that it has no evidence of broader impact. The incident highlights the privacy risks of connected home devices that include cameras and microphones. Even when data is encrypted in transit, access control and server-side permissions determine what authenticated clients can request and view.
DJI’s public security resources, including its vulnerability reporting channels, are available via the DJI Security Response Center. DJI has been under scrutiny in multiple markets over security-related concerns, and the Romo episode may add to that debate.
