Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.
Technology
Definitely don’t start your Final Fantasy VII experience with Rebirth
/cdn.vox-cdn.com/uploads/chorus_asset/file/25309349/EN_25_ff7rebirth_SS_0207_Trailer.jpg?ssl=1 "Definitely don’t start your Final Fantasy VII experience with Rebirth")
Final Fantasy VII Rebirth is an excellent game and an important evolution for the franchise. It mashes together a traditional RPG with a large open world, managing to feel both modern and like it’s sticking to its 32-bit roots. What it is not, however, is a good place to get started with the multipart story that is Final Fantasy VII — despite what its creators might say.
Prior to Rebirth’s launch, creative director and zipper aficionado Tetsuya Nomura talked about how the game was designed in part to be welcoming to newcomers (always a commendable goal). “In fact,” he said in 2022, “new players might even enjoy starting their Final Fantasy VII journey with Final Fantasy VII Rebirth.” Meanwhile, on launch day, producer Yoshinori Kitase said the game would be “welcoming in newcomers to begin their Final Fantasy adventure here.”
Unfortunately, that’s not quite right.
Let’s start with the obvious: Rebirth is the second chapter of a story. Square Enix’s plan is to take the original 1997 version of Final Fantasy VII and expand it into a trilogy of modern games. That started with the aptly named Final Fantasy VII Remake in 2020, which told the beginning of the story. It introduces many elements crucial to Rebirth — the state of the dying world you’re trying to save; the relationships between hero Cloud Strife and every major character; the machinations of the evil Shinra corporation; and the motivation of antagonist Sephiroth.
On a purely technical level, you can play Rebirth first. And in some ways, the game stands on its own, telling a story about a group of friends heading out into the big wide world to track down a villain intent on destroying it. There’s a solid recap video you can watch before playing to catch up on some of what happened. The new games, Rebirth in particular, also do a great job of expanding on and clarifying the convoluted story of the original, which — despite its length — felt lacking in a lot of areas.
But things are still pretty complex, and that would only be exacerbated by skipping the first chapter. So while you could start with Rebirth, the experience would probably be a lot like when I jumped into Kingdom Hearts with the third one — which is to say, confusing as hell.
Then there’s the experiential and emotional side. A large part of the appeal of this franchise is its characters, and Rebirth even introduces a new system where you can track how someone feels about Cloud and help improve those relationships through conversations and optional side missions. If you skip out on Remake, you’ll be missing a whole lot of context covering the often complicated history between characters and why you’d want to connect with them at all. Going on a date with Tifa isn’t quite the same if you haven’t experienced their journey together.
Look, I can’t tell you what to do. But if you really want to get the most out of this collection of games, it’s best to start at the beginning. In fact, I’ll go a step further: if you really want to experience all that Final Fantasy VII has to offer, you should play the original before Remake and Rebirth. That’s because not only do the remakes expand the story but they also change things in notable ways, and understanding those changes can be powerful.
Yes, that means a lot of hours spent fighting monsters and fiddling with Materia. (Hey, at least I’m not saying you should watch Advent Children.) But the franchise also gets very meta in pivotal moments, using ingrained memories of the original to subvert player expectations. Nowhere is that more pronounced than with the ending of Rebirth which… actually, I’m not going to say anything about it. Go play the original first.
Continue Reading
The folks behind Jmail are at it again with a clone of Wikipedia that turns the treasure trove of data in Epstein’s emails into detailed dossiers on his associates. Entries include known visits to Epstein’s properties, possible knowledge of Epstein’s crimes, and laws that they might have broken. The reports are dense, listing how many emails they exchanged with Epstein, basic biographical information, and details about how they’re connected.
Beyond that, there are entries for the properties Epstein owns, detailing how they were acquired and the alleged activities that took place there. There are also entries for his business dealings, including his relationship with JPMorgan Chase.
It is worth noting that the entries are AI-generated. While a casual glance seems to suggest Jikipedia is citing its sources, it’s still possible (if not likely) that there are some inaccuracies contained within them. The Jmail X account said that they’ll be implementing the ability for users to report inaccuracies and request changes soon.
NEWYou can now listen to Fox News articles!
If you use an Android phone, this deserves your attention.
Cybersecurity researchers warn that hackers are using Hugging Face, a popular platform for sharing artificial intelligence (AI) tools, to spread dangerous Android malware.
At first, the threat appears harmless because it is disguised as a fake antivirus app. Then, once you install it, criminals gain direct access to your device. Because of this, the threat stands out as especially troubling. It combines two things people already trust — security apps and AI platforms.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
MALICIOUS GOOGLE CHROME EXTENSIONS HIJACK ACCOUNTS
Researchers say hackers hid Android malware inside a fake antivirus app that looked legitimate at first glance. (Kurt “CyberGuy” Knutsson)
What Hugging Face is and why it matters
For anyone unfamiliar, Hugging Face is an open platform where developers share AI, NLP and machine learning models. It is widely used by researchers and startups and has become a central hub for AI experimentation. That openness is also what attackers exploited. Because Hugging Face allows public repositories and supports many file types, criminals were able to host malicious code in plain sight.
The fake antivirus app behind the attack
The malware first appeared in an Android app called TrustBastion. On the surface, it looks like a helpful security tool. It promises virus protection, phishing defense and malware blocking. In reality, it does the opposite.
Once installed, TrustBastion immediately claims your phone is infected. It then pressures you to install an update. That update delivers the malicious code. This tactic is known as scareware. It relies on panic and urgency to push users into tapping before thinking.
FAKE ERROR POPUPS ARE SPREADING MALWARE FAST
The fake TrustBastion app mimics a legitimate Google Play update screen to trick users into installing malware. (Bitdefender)
How the malware spreads and adapts
According to Bitdefender, a global cybersecurity company, the campaign centers on a fake Android security app called TrustBastion. Victims were likely shown ads or warnings claiming their device was infected and were instructed to manually install the app.
The attackers hosted TrustBastion’s APK files directly on Hugging Face, placing them inside public datasets that appeared legitimate at first glance. Once installed, the app immediately prompted users to install a required “update,” which delivered the actual malware.
After researchers reported the malicious repository, it was taken down. However, Bitdefender observed that nearly identical repositories quickly reappeared, with small cosmetic changes but the same malicious behavior. That rapid re-creation made the campaign harder to fully shut down.
What this Android malware can actually do
This Trojan is not minor or annoying. It is invasive. Bitdefender says the malware can:
Take screenshots of your device
Show fake login screens for financial services
Capture your lock screen PIN
Once collected, that data is sent to a third-party server. From there, attackers can move quickly to drain accounts or lock you out of your own phone.
What Google says about the threat
Google says users who stick to official app stores are protected. A Google spokesperson told CyberGuy, “Based on our current detection, no apps containing this malware are found on Google Play.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.
“Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
BROWSER EXTENSION MALWARE INFECTED 8.8M USERS IN DARKSPECTRE ATTACK
Once installed, the malware could capture screenshots, fake login details and even your lock screen PIN. (Kurt “CyberGuy” Knutsson)
How to stay safe from Hugging Face Android malware
This threat is a reminder that small choices matter. Here is what you should do right now:
1) Stick to trusted app stores
Only download apps from reputable sources like Google Play Store or the Samsung Galaxy Store. These platforms have moderation and scanning in place.
2) Read reviews before installing
Look closely at ratings, download counts and recent comments. Fake security apps often have vague reviews or sudden rating spikes.
3) Use a data removal service
Even careful users can have personal data exposed. A data removal service helps remove your phone number, email and other details from data broker sites that criminals rely on. That reduces follow-up scams, fake security alerts and account takeover attempts.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy.
These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com
4) Run Play Protect and use strong antivirus software
Scan your device regularly with Play Protect and back it up with strong antivirus software for added protection. Google Play Protect, which is built-in malware protection for Android devices, automatically removes known malware. However, it is important to note that Google Play Protect may not be enough. Historically, it hasn’t been 100% effective at removing all known malware from Android devices.
The best way to protect yourself against malicious links that install malware and potentially access your private information is to have strong antivirus software installed on all your devices. This protection can also help you detect phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com
5) Avoid sideloading APK files
Avoid installing apps from websites outside the app store. These apps bypass security checks, so always verify the publisher name and URL.
6) Lock down your Google account
Your phone security depends on it. Enable two-step verification (2FA) first, then use a strong, unique password stored in a password manager to prevent account takeovers.
Next, see if your email has been exposed in past breaches. Our No. 1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
7) Be cautious with permissions
Be cautious with accessibility permissions. Malware often abuses them to take control of your device.
8) Watch app updates closely
Malware can hide inside fake updates. Be cautious of urgent fixes that push you outside the app store.
Kurt’s key takeaways
This attack shows how quickly trust can be weaponized. A platform designed to advance AI research was repurposed as a delivery system for malware. A fake antivirus app became the threat it claimed to stop. Staying safe no longer means avoiding sketchy-looking apps. It means questioning even those apps that appear helpful and professional.
Have you seen something on your phone that made you question its security? Let us know your thoughts by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Copyright 2026 CyberGuy.com. All rights reserved.
But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.
He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.
“I found my device was just one in an ocean of devices,” he says.
On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.
I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.
When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.
With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.
Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.
Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.
Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.
And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.
But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will it protect them against people with intent to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.
It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.
“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.
To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.
But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.
Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)
It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.
DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.
Here’s that whole statement:
DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.
The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.
The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.
DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.
Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security pin. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.
And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.
“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”
When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.
“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”
He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.
But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
Hawaii4 minutes ago
Lawmakers explore controversial rule changes for primary elections
Illinois16 minutes ago
Person in custody after police chase semi through 4 Central Illinois counties
Indiana22 minutes ago
RV driver killed in multivehicle crash on I-65 in Hobart, Indiana
Iowa28 minutes ago
Authorities investigate pipeline explosion, large fire in southeast Iowa
Kentucky40 minutes ago
Kentucky woman arrested after drugs concealed in Lego pieces at airport
Florida1 year ago
Florida High School Football Rankings: Top 25 teams – Oct. 21
Connecticut2 years ago
Cleary's 21 help Le Moyne down Central Connecticut State 69-64 in OT
Oregon2 years ago
How old is Bo Nix? What to know about Oregon quarterback ahead of 2024 NFL Draft
Virginia2 years ago
99th annual Pony Swim held in Virginia
Indiana1 year ago
Indiana Members Credit Union announced as new anchor tenant at Bottleworks District
Politics6 hours ago
Fetterman slams Democrats’ ‘Jim Crow 2.0’ voter ID rhetoric as party unity fractures
World7 hours ago
Will Warsaw become the seat of a new EU agency? To be decided in March
News7 hours ago
Four people on NASA’S Crew-12 arrive at the International Space Station
News17 hours ago
Video: Vermont Made Child Care Affordable. Could It Lead by Example?
Politics18 hours ago
Here’s how the DHS shutdown could impact the lives of everyday Americans
-
Politics1 week agoWhite House says murder rate plummeted to lowest level since 1900 under Trump administration
-
Alabama1 week agoGeneva’s Kiera Howell, 16, auditions for ‘American Idol’ season 24
-
Ohio1 week agoOhio town launching treasure hunt for $10K worth of gold, jewelry
-
News1 week agoThe Long Goodbye: A California Couple Self-Deports to Mexico
-
Culture1 week agoVideo: Farewell, Pocket Books
-
Science1 week agoVideo: Rare Giant Phantom Jelly Spotted in Deep Waters Near Argentina
-
News1 week agoVideo: Investigators Say Doorbell Camera Was Disconnected Before Nancy Guthrie’s Kidnapping
-
Technology1 week agoApple might let you use ChatGPT from CarPlay