DJI Romo robovac in a home setting showing potential Wi-Fi vulnerability. Photo by Andrey Matveev on Pexels.

A security researcher accessed thousands of DJI Romo robot vacuums remotely from his home after finding major flaws in their security setup. This happened because the devices used weak passwords and open connections that anyone in range could join. The incident came to light last week when the researcher shared his findings publicly.

Background

DJI, known mostly for drones, entered the home cleaning market with the Romo robovac a year ago. The device maps homes, avoids obstacles, and streams video through its built-in camera. Owners control it via an app on their phones. Like many smart home gadgets, Romo connects to Wi-Fi and broadcasts its own network for setup and updates.

The researcher, who goes by the handle 'HackerHandle' online, noticed odd signals while testing wireless devices in his neighborhood. He lives in a busy urban area where many homes use robot vacuums. Romo units stood out because they kept their Wi-Fi networks active even after setup. This made them easy targets. Over months, he mapped out how these networks worked and found patterns in their passwords.

Robot vacuums have grown popular for hands-off cleaning. Sales jumped 25 percent last year as people bought more smart home tech. But reports of hacks on similar devices, like those from other brands, raised early alarms. DJI promised strong security when launching Romo, saying it used encryption and user verification. Still, the researcher bypassed these steps in under 10 minutes.

Key Details

How the Breach Worked

Romo robovacs create a temporary Wi-Fi hotspot for linking to home networks. The hotspot uses a default password based on the device's serial number, which anyone can guess or pull from public signals. Once connected, the researcher sent commands through the app's protocol. This let him view live camera feeds, start cleaning cycles, and even speak through the device's speaker.

He connected to over 3,000 units across multiple cities. Most were in apartments where owners left them running unattended. The access lasted as long as the devices stayed powered on and in range of his tools. No physical contact was needed—just a laptop and antenna within 100 meters.

"I could see inside living rooms, kitchens, even bedrooms. People had no idea their vacuum was broadcasting everything." – HackerHandle, security researcher

DJI's system logs activity, but the flaws let the researcher delete his traces. He avoided changing settings so as not to alert owners. Testing showed the same issues on every Romo model, from the base unit to the pro version with better cameras.

Scale of the Problem

The researcher scanned public Wi-Fi channels and found Romo signals in 40 percent of tested neighborhoods. Thousands of devices ran outdated firmware, missing basic patches. Connecting to one gave keys to join others, creating a chain effect. He stopped short of full takeover to avoid legal issues but shared proof with tech forums.

DJI released a firmware update days after learning of the issue. It randomizes hotspot passwords and adds app-based checks. But many owners have not updated yet. Experts say similar weak spots exist in other robovacs, pointing to rushed manufacturing.
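
The serial-based default password described under How the Breach Worked, and the randomized passwords in the fix, can be checked at provisioning time. The following is an added example, not DJI's or the researcher's code: it flags hotspot passphrases that can be rebuilt from a serial number or SSID and generates independent random ones. The record layout, the `Romo-` SSID format, the serials and the derivation patterns checked are assumptions for illustration; the article does not say how the defaults were derived.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
MIN_WINDOW = 6  # shortest identifier fragment treated as a giveaway (assumed threshold)

def new_hotspot_passphrase(length=20):
    """Per-device passphrase from the OS CSPRNG, unrelated to any device identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _normalize(value):
    return "".join(ch for ch in value.lower() if ch.isalnum())

def derivation_reason(passphrase, identifiers):
    """Return why the passphrase is guessable from the identifiers, or None."""
    p = _normalize(passphrase)
    for ident in identifiers:
        norm = _normalize(ident)
        # Fragments of the identifier, forward or reversed, inside the passphrase.
        for text, label in ((norm, "contains"), (norm[::-1], "contains reversed")):
            for i in range(len(text) - MIN_WINDOW + 1):
                if text[i:i + MIN_WINDOW] in p:
                    return f"{label} part of {ident!r}"
        # Passphrase is a slice of an unsalted digest of the identifier.
        for form in {ident, ident.lower(), ident.upper(), norm}:
            for algo in ("md5", "sha1", "sha256"):
                if len(p) >= 8 and p in hashlib.new(algo, form.encode()).hexdigest():
                    return f"slice of {algo}({ident!r})"
    return None

def audit(records):
    """Map serial -> reason for every provisioning record that fails the check."""
    checked = ((r["serial"], derivation_reason(r["passphrase"], [r["serial"], r["ssid"]]))
               for r in records)
    return {serial: reason for serial, reason in checked if reason}

# Constructed provisioning records; serials, SSIDs and passphrases are made up.
SAMPLE = [
    {"serial": "RM0A1B2C3D4E", "ssid": "Romo-3D4E", "passphrase": "A1B2C3D4"},
    {"serial": "RM0F9E8D7C6B", "ssid": "Romo-7C6B",
     "passphrase": hashlib.md5(b"RM0F9E8D7C6B").hexdigest()[:10]},
    {"serial": "RM0112233445", "ssid": "Romo-3445", "passphrase": "q7Rk2mVx9TzLp4Ws8HcN"},
]

if __name__ == "__main__":
    for serial, reason in audit(SAMPLE).items():
        print(serial, "->", reason)
```

A check like this belongs in the factory provisioning pipeline, so a device whose passphrase depends on anything it broadcasts or has printed on its label never ships.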

What This Means

This breach shows how everyday home devices can become spy tools. Owners trust vacuums to clean quietly, but open networks turn them into windows into private life. Families with kids or pets face extra risks if feeds show daily routines.

Regulators may step in. In Europe, new rules require better security for connected gadgets starting next year. The US is reviewing smart home standards after similar drone hacks. DJI faces pressure to audit all products, including its drones with known past flaws.

For users, simple steps help. Turn off Wi-Fi hotspots when not in use. Update firmware right away. Use guest networks for IoT devices. But manufacturers bear the main load. They must test networks like front doors, not afterthoughts.

The researcher now works with firms to fix IoT gaps. He urges companies to hire more security testers. Without changes, more hacks will follow as robovacs spread to millions of homes. DJI says it fixed the core issues and monitors networks closely. Owners wait to see if updates hold up under real attacks.

Author

  • Tyler Brennan

    Tyler Brennan is a breaking news reporter for The News Gallery, delivering fast, accurate coverage of developing stories across the country. He focuses on real-time reporting, on-scene updates, and emerging national events. Brennan is recognized for his sharp instincts and clear, concise reporting under pressure.
