Updated · The Washington Post · May 5
Sammy Azdoufal accesses nearly 7,000 robot vacuums through authentication flaw

  • The breach spanned 24 countries and exposed live camera feeds, microphone audio, floor plans, cleaning schedules and approximate locations after Claude Code built a remote-control app.
  • Azdoufal demonstrated access to a journalist's colleague's vacuum from another country, then alerted manufacturer DJI, which patched the backend vulnerability.
  • The opinion article says the case shows AI coding tools can accidentally enable cyberattacks, echoing Anthropic's warning that state-backed hackers have already used Claude to automate most attack steps.

Massive Privacy Breach Exposes 7,000 DJI Romo Robot Vacuums to Global Surveillance

Overview

In early 2026, software engineer Sammy Azdoufal’s experiment to connect his PlayStation controller to a DJI ROMO vacuum uncovered a major security flaw in DJI’s cloud system. Exploiting a vulnerability in the MQTT protocol, he accidentally gained live access to around 7,000 devices across 24 countries, including cameras, microphones, and home maps. This breach exposed serious privacy risks and triggered widespread media attention. DJI responded with software patches and awarded Azdoufal a $30,000 bug bounty, marking a shift toward more collaborative security practices. The incident highlighted systemic IoT vulnerabilities and sparked calls for stronger industry regulations and improved security measures for smart home devices.

...