Sammy Azdoufal purchased a DJI Romo robot vacuum somewhere in Spain, most likely in a relatively clean apartment. He immediately began to consider ways to make it more engaging. Not better at cleaning. More fascinating. Because there is a gap between “useful appliance” and “fun hardware project” that a particular kind of software engineer cannot leave empty for very long, the idea was to connect it to a PlayStation 5 controller so that it could be manually driven about like an RC vehicle with a trashcan attached.
The calm weekend project he evidently had in mind was not what transpired. Within a few weeks, it turned into one of the more illuminating and genuinely bizarre IoT security incidents of early 2026—a tale of a vulnerability so basic that it shouldn’t have existed, and a person who was honest enough to tell the world about it instead of just taking pleasure in the unintentional power he had discovered.
Key Reference & Incident Information
| Category | Details |
|---|---|
| Incident Subject | Sammy Azdoufal — Spanish Software Engineer |
| Professional Role | Head of Artificial Intelligence, Property Management & Travel Group (Spain) |
| Incident Date | February 2026 |
| Device Exploited | DJI Romo Robot Vacuum |
| Vacuums Accessed | ~7,000 devices across 24 countries |
| Original Goal | Connect DJI Romo to a PlayStation 5 controller for fun |
| Tool Used | Claude Code (Anthropic’s AI coding assistant) |
| Vulnerability Type | Missing topic-level access controls — authentication treated as “master key” |
| Data Accessed | Live camera feeds, floor plans, 100,000+ device messages, IP-based locations |
| How Disclosed | Azdoufal contacted The Verge to report the vulnerability |
| DJI Response | Confirmed fix applied; thanked Azdoufal publicly on X |
| Expert Commentary | Prof. Alan Woodward, University of Surrey — IoT security risks |
| Smart Home Market Projection | $139 billion by 2032 (MarketsandMarkets) |
| Reference Website | DJI Official — dji.com |
Azdoufal reverse-engineered the communication protocols between his DJI vacuum and the company’s servers using Claude Code, Anthropic’s AI coding assistant. The “vibe coding” part of the story, which has gained the most traction in developer circles, is that he did not write the code himself. Depending on how you feel about the craft, the idea of an engineer completing something technically complex by explaining what they want to an AI and iterating on the output can be either exciting or unsettling.
The connection logic and protocol analysis were handled by the AI. What it could not anticipate was that the authentication system on DJI’s backend would treat a single user’s valid credentials as permission to communicate with every other device on the same server infrastructure, something that no one apparently considered checking before thousands of these devices were deployed worldwide.
About 7,000 other DJI Romo units spread across 24 countries responded when Azdoufal’s homemade controller program contacted DJI’s servers to connect with his vacuum. Not because he requested it, but because there was no way for the server’s access control logic to differentiate between “this user’s device” and “all devices authenticated through this system.” He explained that his credentials worked like a master key. Suddenly, the vacuum in his Spanish flat was part of the same session as vacuums running in houses around Europe, Asia, and the Americas. In rooms he had no connection to, he could view live camera feeds from gadgets he had never touched.
He was able to retrieve the floor plan data the vacuums had produced by mapping the areas they were intended to clean. After gathering over 100,000 messages from the device network, he was able to calculate the location of each individual unit using IP addresses. By any standard, the extent of the unintentional access was astounding.
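The flaw described above comes down to a server that checks who is connecting but not which device topics that account may read. The sketch below is an added example, not DJI's code or anything from the original article; it assumes MQTT-style topic filters (`+`, `#`), a hypothetical `devices/<device_id>/<channel>` layout, and constructed account data, and it shows the authentication-only policy beside a per-device ownership check.

```python
# Added example. Topic layout and account data are constructed, not DJI's.
OWNERSHIP = {                      # account -> device ids registered to it
    "alice": {"romo-001"},
    "bob": {"romo-002", "romo-003"},
}

def authn_only(user, topic_filter):
    """Flawed policy: being a known, logged-in account is the only test."""
    return user in OWNERSHIP

def authorize_subscribe(user, topic_filter):
    """Allow a filter only if it can match nothing but the caller's devices."""
    levels = topic_filter.split("/")
    # Expect devices/<device_id>/<channel...>; anything shorter is too broad.
    if len(levels) < 3 or levels[0] != "devices":
        return False
    # '#' is only valid as the final level of a filter.
    if "#" in levels[:-1]:
        return False
    device_id = levels[1]
    # A wildcard in the device position would span other accounts' devices.
    if device_id in ("+", "#"):
        return False
    return device_id in OWNERSHIP.get(user, set())

def audit(requests):
    """Return requests the flawed policy accepts but per-device checks deny."""
    return [(u, f) for u, f in requests
            if authn_only(u, f) and not authorize_subscribe(u, f)]

# Constructed subscription requests, as a broker's access log might record them.
SAMPLE_REQUESTS = [
    ("alice", "devices/romo-001/camera"),   # own device
    ("alice", "devices/romo-001/#"),        # all channels of own device
    ("alice", "devices/romo-002/map"),      # someone else's device
    ("alice", "devices/+/camera"),          # every device's camera
    ("alice", "devices/#"),                 # everything
]

if __name__ == "__main__":
    for user, topic_filter in audit(SAMPLE_REQUESTS):
        print(f"would deny: {user} -> {topic_filter}")
```

Running `audit` over a broker's real subscription log is a quick way to see how many past requests relied on the missing check before the stricter policy is enforced.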
Professor Alan Woodward of the University of Surrey, who studies precisely this type of vulnerability, made the diagnosis that the smart device industry has been rejecting for years: security is an afterthought for too many manufacturers, and the “move fast and break things” approach that characterized a generation of software development produces devices that function as advertised until someone closely examines how they communicate.
The DJI incident is not unique; researchers and cunning hackers have shown similar flaws in door locks, heating controls, lighting systems, and baby monitors, all of which were introduced into homes on the pretense of convenience and have been documented in security research literature due to their subpar design. This time, the difference is that instead of using what he had discovered for anything more significant than a social media post, the individual who discovered the hole called the media to report it.
There was something genuinely endearing about how the whole event played out in Azdoufal’s announcement on X, which featured misspellings, a gleeful acceptance of the label of “the vaccum guy,” and a refusal of the numerous offers of free vacuums that supposedly appeared in his mentions after the story. According to his own statement, he is not a security researcher and was not attempting to hack anything other than his own laptop.
He wanted to use his cleaning robot to play a video game. In hindsight, the discovery of a vulnerability impacting 7,000 devices and an undetermined amount of private home data is a significant issue that DJI’s technical and security teams have been considering uneasily since February.
DJI publicly praised Azdoufal and confirmed the update, which is the proper response. It’s also important to note that this is a far better result than the legal threats some businesses have made against researchers who have previously exposed vulnerabilities. According to MarketsandMarkets, the smart home market is expected to reach $139 billion by 2032. This number reflects both real investor confidence in the category’s growth and real consumer demand for connected devices.
Incidents like this one make it more difficult to answer with a simple “yes” to the question of whether that confidence is adequately warranted by the security standards already customary across the industry. The gadgets are becoming more intelligent. Sometimes the security isn’t keeping up. Sometimes all it takes to discover that is someone who genuinely just wants to drive their vacuum like a character in a video game.
