Chinese drone giant's user security exposed? An engineer used Claude to reverse engineer a robot vacuum and gained control of devices worldwide

CryptoCity

An engineer used Claude to reverse engineer the DJI Romo, a sweeping robot made by DJI, and unexpectedly gained control over some 7,000 devices worldwide, exposing the privacy of their owners' homes. Reports of Chinese-made AI toys leaking children's personal data add to the cybersecurity concerns.

DJI Romo Sweeping Robot Sparks Security Concerns

Just wanted to control a sweeping robot with a PS5 controller, but unexpectedly took over 7,000 robots globally?

In February this year, engineer Sammy Azdoufal told The Verge that he initially just wanted to control his newly purchased DJI Romo sweeping robot remotely with a PS5 game controller. To do so, he used Anthropic's AI programming assistant Claude Code to reverse engineer the communication protocol between the device and DJI's cloud servers.

As a result, when he connected his custom app to the server, he found it let him reach not just his own device but approximately 7,000 DJI robots worldwide.

Azdoufal said he could remotely operate these robots, watch and listen through real-time cameras, and even see floor plans showing the exact shape and size of each room.

Media tests confirm the vulnerability, revealing home privacy with just a serial number

To verify the DJI Romo vulnerability, The Verge reporter asked colleague Thomas Ricker, who had just completed a review of the device, to provide the 14-character serial number of his DJI Romo. Using that serial number alone, Azdoufal located Ricker's robot in the system and could see that it was cleaning the living room with 80% battery remaining.

Image: DJI Romo sweeping robot (source: DJI official website)

Within minutes, the robot, located in another country, generated and sent back an accurate floor plan of the house. Azdoufal also demonstrated to the reporter that he could bypass the security password and directly access his device's real-time video feed.

He emphasized that he had not hacked DJI's servers, only extracted the device's private credentials, which led the server to send him data from thousands of other users, all in plaintext.

DJI admits permission verification issues, claims they have fixed it

DJI, a Chinese drone and technology manufacturer, produces drones, cameras, and sweeping robots, and holds a 70%-83% share of the civilian and commercial drone market.

Image: DJI, a Chinese drone and tech giant (source: DJI official website)

In response to the vulnerability exposed by the media, DJI spokesperson Daisy Kong issued a statement acknowledging that the problem was a back-end permission verification issue between devices and servers. The company said it discovered the flaw in late January and deployed updates in two phases in early February to resolve it.

DJI emphasized that, in theory, the flaw could allow unauthorized access to real-time footage from the robots, but that such incidents are extremely rare and mostly occur during security researchers' testing of their own devices. The company also stated that all communications are encrypted with TLS.

However, security researcher Kevin Finisterre pointed out that even if DJI's data transmission is encrypted, if the server lacks proper access controls, insiders or any authenticated client could still easily read the data.
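The disagreement between DJI's statement and Finisterre's reply can be modelled in a few lines. What follows is an added example, not DJI's code and not the protocol Azdoufal reverse engineered; the device table, the `Session` object, the 14-character serial format and the handler names are assumptions. It shows why TLS on the wire is irrelevant to this class of bug: the client is a legitimate, authenticated TLS peer, and the missing check is whether the serial it asks for actually belongs to it (broken object-level authorization). The `probe_fleet` helper shows how one device's credentials turn into fleet-wide access once serials are guessable or observable.

```python
"""Illustrative model of a server that authenticates a device but does not authorize
the object it asks for. Added example; not DJI code. Names and data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample fleet: serial -> telemetry the cloud holds for that robot.
# The serials are 14 characters to match the article, but the format is made up.
DEVICES: Dict[str, dict] = {
    "ROMO00000000A1": {"owner": "user-1", "room": "living room", "battery": 80,
                       "floorplan": b"<user-1 floor plan>"},
    "ROMO00000000B2": {"owner": "user-2", "room": "kitchen", "battery": 45,
                       "floorplan": b"<user-2 floor plan>"},
}


@dataclass
class Session:
    """What the server knows after a client authenticates with device credentials.
    A real deployment would derive `serials` server-side from the credential, never
    from a client-supplied field."""
    user: str
    serials: set = field(default_factory=set)  # serials bound to this account


class Forbidden(Exception):
    """Raised when the session may not read the requested serial."""


def vulnerable_get_status(session: Session, serial: str) -> dict:
    """Authenticated, but not authorized: any valid session can read any serial.
    TLS protects the bytes in transit; it says nothing about whether this
    peer is entitled to this object, so it does not help here."""
    if serial not in DEVICES:
        raise Forbidden("unknown device")
    return DEVICES[serial]


def authorized(session: Session, serial: str) -> bool:
    """Object-level check: the serial must be bound to the authenticated account.
    Unknown serials are treated the same as foreign ones so the error does not
    reveal which serials exist."""
    return serial in session.serials and serial in DEVICES


def hardened_get_status(session: Session, serial: str) -> dict:
    """Same lookup with the authorization check performed before any data is read."""
    if not authorized(session, serial):
        raise Forbidden("not your device")
    return DEVICES[serial]


def probe_fleet(session: Session, handler: Callable[[Session, str], dict]) -> List[str]:
    """Try every serial the attacker can enumerate or has observed; return those
    the handler hands back. With the vulnerable handler one set of device
    credentials reads the whole fleet; with the hardened one only its own device."""
    leaked = []
    for serial in DEVICES:
        try:
            handler(session, serial)
            leaked.append(serial)
        except Forbidden:
            pass
    return leaked


def demo() -> dict:
    """Attacker holds credentials for one robot and asks about someone else's."""
    attacker = Session(user="user-1", serials={"ROMO00000000A1"})
    victim = "ROMO00000000B2"
    leaked_owner = vulnerable_get_status(attacker, victim)["owner"]  # "user-2"
    try:
        hardened_get_status(attacker, victim)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "leaked_owner": leaked_owner,
        "hardened_blocked": blocked,
        "vulnerable_reach": probe_fleet(attacker, vulnerable_get_status),
        "hardened_reach": probe_fleet(attacker, hardened_get_status),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is in the handler, not in the transport: bind each credential to the serials it may touch when the device is provisioned, and reject any request for an object outside that set before touching the data store. Returning the same error for "not yours" and "does not exist" stops the endpoint doubling as a serial-number oracle.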

Security Concerns Over Chinese AI Toys Also Emerge

Beyond the DJI sweeping robot, recent reports raise cybersecurity and educational concerns about Chinese-made AI toys.

According to a Wired report at the end of January, security researchers Joseph Thacker and Joel Margolis found that the backend of Chinese AI toy company Bondu lacked protections, exposing the personal data and conversations of over 50,000 children.

NBC News also reported that the Chinese company Miriat’s doll Miiloo promotes specific political stances to children, such as “Taiwan is part of China.”

The U.S. Public Interest Research Group warned that AI toys lack content filtering mechanisms, and a House of Representatives select committee on China issues has sent a letter to the Department of Education raising concerns about the data privacy and national security risks these devices pose.

For more details:
Still buying AI toys? Bondu leaks 50,000 children’s personal data, while Miiloo promotes: Taiwan is part of China

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.