Sammy Azdoufal found a master key in his DJI vacuum that gave him control of all 7,000 devices sold
Feb 26, 2026 with Sammy Azdoufal
Key Points
- Security researcher Sammy Azdoufal discovered a master key vulnerability in DJI's Home app that granted him access to roughly 10,000 devices globally: nearly the entire installed base of 7,000 Romo vacuums and 3,000 power packs.
- The vulnerability exposed sensitive home data including 3D floor plans, live camera feeds, microphone access, and real-time device controls, with DJI's MQTT broker handing over device serial numbers in plaintext.
- DJI issued two patches after public pressure but two material vulnerabilities remain unfixed, including one that still allows indirect access to other users' video streams, leaving unresolved whether the breach affected customers before remediation.
Summary
Sammy Azdoufal set out to control his DJI robot vacuum with a PS5 controller. Within an hour of reverse-engineering the DJI Home app, he had manual control working. When he queried the battery status, the response contained readouts for thousands of devices, not just his own.
The vulnerability had two layers. His personal user key functioned as a master key across all devices. DJI's MQTT broker also exposed device data without access controls, handing over serial numbers in plaintext. Swapping the serial number in his environment variables gave him full control of a friend's vacuum. With both the master key and the open broker, he had access to roughly 10,000 devices in total: 7,000 vacuums and 3,000 DJI power packs. DJI had only sold around 7,000 vacuums, so that was the entire installed base.
Full access meant significant exposure. The DJI vacuum maps a home's interior in 3D to navigate. Azdoufal could retrieve those floor plans, pull live video from the onboard camera, activate the microphone, and control movement in real time with low latency.
He tried to report the issue through DJI's bug bounty program, but the website was entirely in Chinese with no clear path for non-Chinese applicants. DJI didn't respond. After he live-tweeted what he'd found and tagged DJI publicly, they DMed him back. They acknowledged the issue and said it was fixed. It wasn't, at least not fully.
The Verge arranged a demo. In the two days between planning and filming, DJI pushed a second patch that blocked live video and microphone access from other users' devices. During the demo, Azdoufal still had access to 3D floor plans and the full telemetry system. Only after the demo aired did DJI close those remaining gaps.
Two material vulnerabilities remain undisclosed. Azdoufal and The Verge agreed to give DJI time to fix them before going public, but he confirms that one still allows indirect access to other users' video streams.
Unless DJI can demonstrate that Azdoufal was the only person to ever exploit this flaw, the company cannot rule out that camera feeds and home floor plans were accessed by others before the patches. That constitutes a data breach affecting customers who had no idea their vacuums were internet-accessible in this way.