Security Flaw Exposed Thousands of DJI Robot Vacuums
A security researcher discovered a vulnerability that allowed access to 7,000 DJI robot vacuums worldwide due to poor credential design. The incident serves as a significant warning about the privacy and security risks associated with internet-connected embodied AI devices in homes.
- The core of the vulnerability was not in the vacuum's local hardware but in DJI's backend cloud infrastructure; specifically, the MQTT message broker lacked topic-level access controls, allowing any authenticated user to subscribe to and receive data from all 7,000 devices.
- The exposed data included highly sensitive information from inside homes, such as live camera feeds, microphone audio, real-time cleaning routes, and detailed 2D floor maps.
- Security researcher Sammy Azdoufal discovered the flaw unintentionally while reverse-engineering the app's communication protocols with the help of an AI coding assistant to make his vacuum compatible with a PS5 controller.
- DJI deployed two automatic server-side patches on February 8 and February 10 to fix the primary vulnerability without requiring any user action. However, the researcher claims at least one other serious vulnerability remained unpatched after these fixes.
- This incident mirrors a 2017 DJI security failure where a researcher found private AWS keys in public code, exposing flight logs and user identification documents; in both cases, the core issue was flawed server-side access control rather than a failure of encryption.
- Other robot vacuum brands have faced similar security issues; researchers have demonstrated vulnerabilities in Ecovacs, Dreame, and Narwal models that could allow for remote camera activation or access to stored photos from the cloud.
- The average U.S. household now has 21 connected IoT devices, and with the number of IoT devices globally projected to hit 21.1 billion by the end of 2025, insecure cloud backends for embodied AI systems represent a massive and growing attack surface.
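To make the "authenticated is not authorized" point concrete, here is an added example (not DJI's or the researcher's code) of a broker-side subscription policy. It assumes a hypothetical topic layout of `devices/<serial>/<stream>` with constructed user and serial names, and contrasts an authentication-only policy, under which a single wildcard subscription receives every device's streams, with a per-device ACL that refuses wildcards in the serial position.

```python
# Added example, not DJI's code: an MQTT broker that checks only "is this user
# logged in?" lets one wildcard subscription see every device; a topic-level
# ACL scopes each user to the serials they own. Topic layout, users and
# serials below are constructed for illustration.

OWNERSHIP = {                      # constructed: which user owns which serial
    "alice": {"SN-0001"},
    "bob": {"SN-0002"},
}
PUBLISHED_TOPICS = [               # constructed: topics the fleet publishes on
    "devices/SN-0001/camera", "devices/SN-0001/map",
    "devices/SN-0002/camera", "devices/SN-0002/map",
]

def topic_matches(sub_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, a trailing '#' matches the rest."""
    f, t = sub_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1          # '#' is only valid as the last level
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def authorize_authenticated_only(user: str, sub_filter: str) -> bool:
    """The weak policy: any logged-in user may subscribe to any filter."""
    return bool(user)

def authorize_per_device(user: str, sub_filter: str) -> bool:
    """Topic-level ACL: the serial level must name a device this user owns.
    Wildcards in that level ('devices/+/camera', 'devices/#', '#') are refused
    because they would match other customers' devices."""
    levels = sub_filter.split("/")
    if len(levels) < 2 or levels[0] != "devices":
        return False
    serial = levels[1]
    if "+" in serial or "#" in serial:
        return False
    return serial in OWNERSHIP.get(user, set())

def delivered_topics(user: str, sub_filter: str, authorize) -> list:
    """Topics the broker would deliver to this subscription under the given policy."""
    if not authorize(user, sub_filter):
        return []
    return [t for t in PUBLISHED_TOPICS if topic_matches(sub_filter, t)]
```

Under the weak policy `delivered_topics("alice", "devices/#", authorize_authenticated_only)` returns all four topics, including bob's camera; under the per-device ACL the same subscription is refused and alice can only subscribe beneath `devices/SN-0001/`.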