Full Report
February has been a turbulent month for DJI. The Chinese tech giant, best known for making drones, escalated its fight against the U.S. drone ban by suing the FCC. Then the internet erupted over an entirely different DJI device: The Romo robot vacuum. Thousands of Romo vacuums and their live cameras worldwide were reportedly hacked — and…
Analysis Summary
# Incident Report: DJI Romo Vacuum Authentication Failure
## Executive Summary
A critical authentication vulnerability in the DJI Romo robot vacuum allowed a security researcher to gain remote access to approximately 7,000 devices globally. This breach, discovered during a hobbyist project involving a PS5 controller, provided unauthorized access to live camera feeds and device controls. The incident highlights a severe failure in the manufacturer's IoT security protocols and authentication mechanisms.
## Incident Details
- **Discovery Date:** February/March 2026 (Reported)
- **Incident Date:** February 2026
- **Affected Organization:** DJI (specifically the Romo product line)
- **Sector:** Technology / Consumer Electronics (IoT)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Broken Authentication / MQTT Protocol vulnerability
- **Details:** Software engineer Sammy Azdoufal attempted to map a PS5 controller to his own Romo vacuum but discovered that the authentication process was so poorly secured that he could inadvertently control and view other users' devices.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; however, the researcher was able to pivot from his own device connection to "subscribe" to the data streams of 7,000 other vacuums through a central DJI command-and-control infrastructure.
### Data Exfiltration/Impact
- **Details:** Remote access to live camera feeds from inside users' homes and full control over movement and device functions for over 7,000 units.
### Detection & Response
- **How it was discovered:** Self-reported by the researcher (White Hat discovery).
- **Response actions taken:** Researcher alerted DJI and media outlets (The Verge, Mashable) to the "massive authentication slip-up."
## Attack Methodology
- **Initial Access:** Exploitation of weak authentication in the device's remote control interface.
- **Persistence:** Not required; the vulnerability was systemic within the DJI cloud/MQTT architecture.
- **Privilege Escalation:** Gained "Admin/Owner" level access to 7,000 external devices via a standard user account.
- **Collection:** Interception of live video streams and telemetry.
- **Exfiltration:** Unauthorized streaming of live camera data to the researcher's interface.
- **Impact:** Compromise of physical privacy and device integrity.
## Impact Assessment
- **Financial:** Potential for significant regulatory fines and loss of sales for the Romo product line.
- **Data Breach:** Compromise of live visual and audio data from 7,000 residences.
- **Operational:** Remediation potentially required taking remote services offline while the authentication layer was patched.
- **Reputational:** High-profile failure during an already turbulent period for DJI regarding U.S. government relations and drone bans.
## Indicators of Compromise
- **Network indicators:** Unusual MQTT traffic patterns, or unauthorized connections to `*.dji.com` infrastructure from unrecognized IPs.
- **Behavioral indicators:** Robot vacuums activating or moving without user input; camera "active" lights turning on unexpectedly.
## Response Actions
- **Containment measures:** DJI was notified to secure the authentication backend.
- **Eradication steps:** Vulnerability remediation of the MQTT/API authentication layer.
- **Recovery actions:** Disclosure to the public and impacted users.
## Lessons Learned
- **Key takeaways:** IoT devices with integrated cameras require robust, per-device unique authentication tokens rather than shared or weak session management.
- **What could have been done better:** DJI should have implemented strict authentication checks to ensure a user can only subscribe to the MQTT topics or video streams associated with their specific device ID.
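Added example (not DJI's code, and not part of the report): a per-device MQTT topic authorization check of the kind the Lessons Learned item describes, with the missing check shown beside it for contrast, plus an audit pass over constructed broker subscribe events that surfaces the cross-account subscription pattern the Indicators of Compromise section points at. The `devices/<device_id>/<channel>` topic layout, the channel names, the ownership table and the log line format are all assumptions.

```python
"""Per-device MQTT topic authorization and a subscribe-log audit.

Assumed topic layout (not DJI's): devices/<device_id>/<channel>
Subscriptions carry MQTT wildcards ('+' single level, '#' multi level);
publishes never do. Ownership always comes from the backend's own table,
never from anything the client sends.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TOPIC_ROOT = "devices"
SUB_CHANNELS = {"camera", "telemetry", "status"}   # device -> app streams
PUB_CHANNELS = {"cmd"}                              # app -> device commands


@dataclass(frozen=True)
class Principal:
    user_id: str
    owned_devices: FrozenSet[str]   # looked up server-side after authentication


def parse_topic(topic: str) -> Optional[Tuple[str, str]]:
    """Split 'devices/<id>/<channel>' into (id, channel); None if malformed."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != TOPIC_ROOT or not all(parts):
        return None
    return parts[1], parts[2]


def weak_authorize_subscribe(principal: Optional[Principal], topic_filter: str) -> bool:
    """The failure mode the report describes: the backend only asks
    'is this client logged in?', never 'does this topic belong to them?'."""
    return principal is not None


def authorize_subscribe(principal: Principal, topic_filter: str) -> bool:
    """Allow a SUBSCRIBE only when the filter is pinned to one device the
    principal owns. '#' anywhere, or '+' in the device segment, would let a
    single account fan out across every device on the broker, so both are
    refused; '+' in the channel segment stays within one owned device."""
    if "#" in topic_filter:
        return False
    parsed = parse_topic(topic_filter)
    if parsed is None:
        return False
    device_id, channel = parsed
    if "+" in device_id:
        return False
    if channel != "+" and channel not in SUB_CHANNELS:
        return False
    return device_id in principal.owned_devices


def authorize_publish(principal: Principal, topic: str) -> bool:
    """Allow a PUBLISH (a command) only to an owned device's command channel."""
    parsed = parse_topic(topic)
    if parsed is None:
        return False
    device_id, channel = parsed
    if "+" in topic or "#" in topic:          # wildcards are illegal in publish topics
        return False
    return channel in PUB_CHANNELS and device_id in principal.owned_devices


def audit_subscribe_log(log_lines: List[str], ownership: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Re-evaluate recorded SUBSCRIBE events against the ownership table and
    return (user, filter) pairs the strict policy would deny. One account
    reaching for device IDs it does not own, or for wildcard filters, is the
    behaviour to alert on. Constructed line format:
    '<ts> SUBSCRIBE user=<id> filter=<topic filter>'."""
    findings = []
    for line in log_lines:
        ts, event, user_field, filter_field = line.split(" ", 3)
        if event != "SUBSCRIBE":
            continue
        user_id = user_field.split("=", 1)[1]
        topic_filter = filter_field.split("=", 1)[1]
        principal = Principal(user_id, ownership.get(user_id, frozenset()))
        if not authorize_subscribe(principal, topic_filter):
            findings.append((user_id, topic_filter))
    return findings


# Constructed sample data for a stand-alone run.
OWNERSHIP = {
    "alice": frozenset({"dev-0001"}),
    "bob": frozenset({"dev-0002", "dev-0003"}),
}
SAMPLE_LOG = [
    "2026-02-10T12:00:01Z SUBSCRIBE user=alice filter=devices/dev-0001/camera",
    "2026-02-10T12:00:05Z SUBSCRIBE user=alice filter=devices/+/camera",
    "2026-02-10T12:00:09Z SUBSCRIBE user=bob filter=devices/dev-0001/camera",
    "2026-02-10T12:00:12Z SUBSCRIBE user=bob filter=devices/dev-0003/+",
    "2026-02-10T12:00:20Z SUBSCRIBE user=alice filter=devices/#",
]

if __name__ == "__main__":
    for user, flt in audit_subscribe_log(SAMPLE_LOG, OWNERSHIP):
        print(f"DENY {user} -> {flt}")
```

The weak and strict authorizers take the same inputs, which is the point: authentication was already in place in the incident as reported, and the missing piece was a per-topic ownership check applied to every subscribe and publish, with wildcard filters treated as an attempt to escape that scope.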
## Recommendations
- **Zero Trust for IoT:** Implement a Zero Trust architecture where every device and session is verified before accessing the cloud backend.
- **Security Auditing:** Conduct rigorous third-party penetration testing on any IoT device that includes a camera or microphone before market release.
- **Firmware Hardening:** Ensure that remote control protocols (like MQTT) are encrypted and require multi-factor authentication or hardware-bound certificates.