Indonesian Political, Business & Finance News

PS5 Controller Experiment Exposes Security Vulnerability Affecting 7,000 DJI Robot Vacuums Worldwide

Source: KOMPAS (translated from Indonesian) | Technology

A software engineer named Sammy Azdoufal inadvertently gained access to, and control of, approximately 7,000 DJI Romo robot vacuums distributed across various countries worldwide, according to reporting by technology publication The Verge.

Azdoufal initially wanted to control his DJI Romo robot vacuum with a PlayStation 5 (PS5) controller. Using the AI coding tool Claude Code, he analysed the communication traffic between the DJI Romo and the manufacturer’s server, and in doing so obtained the security token for his own device.

However, the token unexpectedly granted access not merely to a single unit, but to approximately 7,000 other DJI Romo devices operating across various countries. Azdoufal’s application could collect serial numbers and data from thousands of DJI Romo robots connected to the global server every three seconds.

The accessible data included device serial numbers, IP addresses, and approximate location information that could be inferred from the connection data. Azdoufal maintained that this was not his intention, characterising the bug discovery as purely accidental and stemming solely from his PS5 controller experiment.

“I did not violate any rules, did not bypass systems, did not hack, or force access into DJI systems,” Azdoufal stated.

Upon recognising the access vulnerability, Azdoufal and The Verge immediately contacted DJI to report the discovery. In its statement, DJI acknowledged a “backend permission validation issue affecting MQTT-based communication between the device and the server”. Essentially, this flaw potentially allowed unauthorised access to live video feeds from DJI Romo devices.
