He Wanted to Control His Vacuum With a Game Controller. He Accidentally Got Access to 7,000 Homes Instead.
A Weekend Project Gone Very Wrong
Sammy Azdoufal had a simple goal: drive his new $2,000 DJI robot vacuum around with a PlayStation 5 controller. Just for fun.
So he did what any tinkerer would do — he used an AI coding tool to reverse-engineer how the vacuum talked to DJI’s servers. He built a little app, connected it, and waited for his vacuum to respond.
It did. So did 7,000 others.
What Azdoufal stumbled into wasn’t just a bug — it was a window into thousands of homes across 24 countries. Live camera feeds. Microphone audio. Detailed floor plans of people’s houses. Approximate locations based on IP addresses. All accessible because DJI’s servers didn’t bother to check whether the person asking for data actually owned the device.
This isn’t science fiction. This happened last week. And it’s a wake-up call for anyone with a smart device in their home.
What Exactly Happened
The DJI Romo is a high-end robot vacuum with a camera (for navigation and remote monitoring) and a microphone. Like most smart home devices, it connects to the manufacturer’s cloud servers to function.
When Azdoufal built his custom controller app, he extracted an authentication token — essentially a digital key that proves you own a device. He expected that key to unlock access to his vacuum. Instead, it unlocked access to every DJI Romo on the planet.
Here’s what he could see and do with any of those 7,000 vacuums:
- Live camera feeds — Watch real-time video from inside strangers’ homes
- Microphone audio — Listen to conversations happening in those homes
- Floor plans — See detailed 2D maps of home layouts generated as the vacuums cleaned
- Location data — Determine approximate addresses from IP information
- Full device control — Start, stop, and steer the vacuums remotely
To prove the severity, Azdoufal was given just the serial number of a journalist’s vacuum in another country. From Barcelona, he identified the device, confirmed it was cleaning the living room at 80% battery, and generated an accurate floor plan of the journalist’s home — all without any additional credentials.
Then he walked into his own living room and waved at his vacuum’s camera while the journalist watched the live feed from across the internet.
How Could This Happen?
DJI’s response was telling. They emphasized that all data was encrypted in transit using TLS encryption. That’s true — and completely beside the point.
Here’s the thing most people don’t understand about encryption: it protects data while it’s traveling, not after it arrives.
Think of it like a locked mailbox. TLS encryption is the lock on the mailbox — it keeps people from stealing your mail while it’s being delivered. But once the mail is inside and the mailbox is open, anyone with access to the mailbox can read everything.
DJI’s servers had no system to verify that the person opening the mailbox actually lived at that address. Any valid key worked for any mailbox. Authentication (proving you’re a legitimate user) was completely separate from authorization (proving you have permission to access specific data).
This is a fundamental security principle, and DJI — a company that makes drones used by professionals and governments worldwide — got it wrong.
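To make the distinction concrete, here is an added illustration (not DJI's code; the tokens, serials, user names and file names are constructed) of the check a device cloud apparently performed beside the check it needed to perform:

```python
"""Added example: a valid token proves who is asking, not what they may see.

Every request to a device cloud has to answer two questions: who is calling
(authentication) and whether that caller may touch *this* device
(authorization). All data below is constructed for the illustration.
"""

# Constructed sample data: which account each bearer token belongs to,
# and which account owns each device serial.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICES = {
    "ROMO-0001": {"owner": "alice", "map": "alice-floorplan.png"},
    "ROMO-0002": {"owner": "bob", "map": "bob-floorplan.png"},
}


class Forbidden(Exception):
    """Raised when an authenticated caller asks for a device they do not own."""


def authenticate(token: str) -> str:
    """Resolve a bearer token to a user id; reject unknown tokens."""
    try:
        return TOKENS[token]
    except KeyError:
        raise PermissionError("invalid token") from None


def get_floor_plan_vulnerable(token: str, serial: str) -> str:
    """The flawed pattern: confirm the token is valid, then trust the serial
    the client supplied. Any legitimate user can reach any device."""
    authenticate(token)
    return DEVICES[serial]["map"]


def get_floor_plan_fixed(token: str, serial: str) -> str:
    """The corrected pattern: after authentication, look the device up
    server-side and refuse unless the caller is its recorded owner."""
    user = authenticate(token)
    device = DEVICES.get(serial)
    # Same error for "no such device" and "not your device", so the API
    # does not confirm which serials exist to a caller probing for them.
    if device is None or device["owner"] != user:
        raise Forbidden(f"user {user} may not access device {serial}")
    return device["map"]
```

The vulnerable version is the "any valid key opens any mailbox" behaviour described above; the fixed version is the ownership check that was missing.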
It Wasn’t Just Vacuums
Here’s where it gets worse. Azdoufal discovered that DJI’s portable power stations — home battery backup systems that can store up to 22.5 kWh of power — were also showing up on the same system. Same vulnerability. Same lack of access controls.
One authentication flaw exposed an entire ecosystem of smart home devices.
DJI’s Response Made Things Worse
When journalists contacted DJI about the vulnerability, a spokesperson said the issue had already been fixed the previous week.
That statement arrived about 30 minutes before Azdoufal demonstrated — live — that he still had access to thousands of vacuums, including the journalist’s own review unit.
DJI eventually issued patches on February 8th and 10th, but Azdoufal says additional vulnerabilities remain, including the ability to view camera feeds without the required security PIN.
The Bigger Problem: Your Smart Devices Know More Than You Think
This story isn’t really about DJI or robot vacuums. It’s about the silent bargain we’ve all made with smart home technology.
Every device you connect to your home network is collecting data about you. Sometimes that data collection is obvious. Sometimes it’s not. And sometimes, as this case shows, that data isn’t protected as well as you’d expect.
Consider what your smart devices might know about you:
Robot Vacuums
- Complete floor plans of your home
- When you’re home and when you’re away (based on cleaning schedules)
- Live video and audio if equipped with cameras/microphones
- Location data
Smart Speakers (Alexa, Google Home, etc.)
- Voice recordings of conversations
- Search history and questions asked
- Shopping habits
- Daily routines and schedules
Smart TVs
- What you watch and when
- Viewing habits and preferences
- Some models have cameras and microphones
- Network information
Video Doorbells and Security Cameras
- Who comes and goes from your home
- Audio recordings of conversations at your door
- Facial recognition data
- Your daily schedule
Smart Thermostats
- When you’re home and when you’re away
- Your daily schedule
- Temperature preferences
- Energy usage patterns
Now imagine all of that data accessible to anyone because of a single authentication flaw.
Why AI Makes This Worse
There’s another dimension to this story that’s easy to miss. Azdoufal used a common AI agent — an AI coding assistant — to reverse-engineer DJI’s app and build his custom controller.
Security researchers have been finding vulnerabilities in IoT devices for years. What’s different now is that AI tools are dramatically lowering the barrier to entry. You no longer need deep expertise in reverse engineering or network protocols to probe these systems.
As one security analyst put it: the population capable of probing IoT protocols just got much, much larger. Security through obscurity — the idea that systems are safe because they’re too complicated for most people to attack — is effectively dead.
What You Can Do to Protect Yourself
You don’t have to throw out all your smart devices. But you should be thoughtful about what you bring into your home and how you configure it.
Before You Buy
- Ask whether the device actually needs internet connectivity. Many smart features work fine on local networks without cloud connections.
- Question every sensor. Does your vacuum need a camera? Does your smart speaker need to be always listening? If you can’t disable features you don’t want, consider a different product.
- Research the manufacturer’s security track record. Have they had breaches before? How did they respond? Do they have a bug bounty program?
- Check where your data is stored. Is it on local servers or overseas? What are the privacy laws in that jurisdiction?
After You Buy
- Change default passwords immediately. Never use manufacturer defaults.
- Keep firmware updated. Security patches matter — make sure your devices are receiving them.
- Disable features you don’t use. If your vacuum has a microphone but you never use voice commands, disable it. If your TV has a camera, cover or disable it.
- Segment your network. Put IoT devices on a separate network from your computers and phones. Many modern routers support guest networks — use them.
- Review app permissions regularly. What data is the companion app accessing on your phone? Does it need all of that?
The Bigger Picture
- Understand that ‘encrypted’ doesn’t mean ‘secure.’ As this case shows, encryption protects data in transit but says nothing about who can access it once it arrives.
- Assume every device is collecting more than you think. Read the privacy policy. Look at what data the app requests. If it seems excessive, it probably is.
- Consider what happens if the company goes away. If the manufacturer shuts down or gets acquired, what happens to your data? What happens to your device?
The Wake-Up Call
Sammy Azdoufal did the right thing. He reported the vulnerability instead of exploiting it. DJI patched the most critical flaws (eventually). No one appears to have been harmed.
But here’s the uncomfortable question: how many similar vulnerabilities exist in devices you own right now?
The DJI flaw wasn’t sophisticated. It wasn’t a complex cryptographic attack or a zero-day exploit. It was a basic failure to verify that users could only access their own data. It’s the kind of mistake that shouldn’t happen — and yet it does, constantly, across the IoT industry.
Every smart device in your home is a potential entry point. Every camera is a potential surveillance tool. Every microphone is a potential listening device. Not because these companies are malicious, but because security is hard, and the rush to ship products often leaves it as an afterthought.
The question isn’t whether you should use smart home technology. The question is whether you understand the trade-offs — and whether you’re taking steps to protect yourself.
Need Help Securing Your Home or Business Network?
At Pendergrass Consulting, we help individuals and businesses understand their technology risks and implement practical protections. Whether you need a network security assessment, help segmenting your IoT devices, or just want someone to review your smart home setup and identify potential vulnerabilities, we’re here to help.
Contact us today for a free consultation.
Pendergrass Consulting provides cybersecurity, IT support, and technology consulting services throughout the Triangle area, including Raleigh, Durham, Chapel Hill, Cary, Apex, and the surrounding communities.