Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.
Technology
The DJI Romo robovac had security so poor, this man remotely accessed thousands of them
But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.
He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.
“I found my device was just one in an ocean of devices,” he says.
On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.
I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.
When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.
With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.
Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.
Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.
Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.
And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.
But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will it protect them against people with intent to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.
It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.
“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.
To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.
But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.
Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)
It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.
DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.
Here’s that whole statement:
DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.
The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.
The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.
DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.
Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security pin. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.
And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.
“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”
When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.
“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”
He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.
But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
If you’re tired of running your vacuum multiple times just to get the dirt and debris out of the carpets in your living room, Dyson’s 360 Vis Nav is worth a look. It’s one of the more powerful robot vacuums currently available, and now through May 11th (or while supplies last), it’s on sale at Woot for an all-time low of $279.99 ($919 off) with a full two-year warranty.
The last-gen 360 Vis Nav offers a whopping 65 air watts of suction, allowing it to pull dirt, dust, and pet hair from carpets impressively well. In her brief time testing the robovac, my colleague Jennifer Pattison Tuohy said the Dyson “demolished a pile of dry oatmeal in seconds,” adding that she briefly worried it might even suck up the tassels on her large rug (it didn’t). By comparison, many robot vacuums — including Dyson’s new $1,200 Spot + Scrub AI — require multiple passes to fully eradicate the same kind of mess on your floor.
What’s more, the robovac’s small, D-shaped design and the location of its ultra-fluffy brush allow it to dig into edges and corners more effectively than many of the more roundish robot vacuums, while its lower profile lets it easily get under most beds and sofas. The roomy 500ml dustbin also means you likely won’t need to empty it too often, while Dyson’s built-in handle and terrific quick-release button make removing said bin a relatively simple task when it’s time to do so.
While it is undeniably powerful, it’s worth noting that the 360 Vis Nav lacks a few features found on some of its more modern rivals. Although its navigation worked well enough during our testing, it lacks AI-powered obstacle avoidance and doesn’t come with a self-emptying dock. Battery life is also relatively short at around 65 minutes per charge. Nonetheless, if your top priority is quickly removing dust, dirt, and pet hair from carpets without multiple passes, the Dyson remains an option worth considering, especially at this discounted price.
NEWYou can now listen to Fox News articles!
We’ve often warned you about romance scams and crypto “investment” opportunities that feel too good to pass up. Now, there’s a major update that shows just how organized these operations have become.
The Department of Justice and Federal Bureau of Investigation announced a sweeping international operation that led to at least 276 arrests and the shutdown of multiple scam centers tied to cryptocurrency fraud. These networks targeted Americans and drained millions of dollars from victims.
The operation spanned continents and involved coordinated efforts by law enforcement and tech companies.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
TOP 5 SCAMS SPREADING RIGHT NOW
The Department of Justice and FBI say international scam networks used romance and fake crypto investment schemes to steal millions from victims. (Helena Dolderer/Picture Alliance)
How the cryptocurrency scam crackdown unfolded
Authorities worked with partners around the world, including the Dubai Police and law enforcement agencies in Thailand and beyond. Together, they dismantled at least nine scam centers linked to large-scale crypto fraud.
Several suspects now face federal charges in the United States, including wire fraud and money laundering. Investigators say these operations functioned like businesses, with recruitment, management layers and structured systems designed to deceive victims.
Officials made it clear that this effort sends a message. Fraud crosses borders, and enforcement is now doing the same.
How crypto investment scams target victims
These schemes often follow a pattern known as “pig-butchering.” It is a slow, calculated tactic that builds trust before any money is involved.
A scammer may reach out through social media or a messaging app and start a casual conversation. Over time, that interaction turns more personal. In some cases, it feels like a real relationship. Once trust is established, the topic shifts toward investing, often framed as a unique crypto opportunity.
Victims are guided through setting up accounts and transferring funds to platforms that appear legitimate. The dashboards may even show fake gains to build confidence. At that point, control of the money is already gone. Funds are quickly moved through multiple accounts and eventually end up with the scammers.
Many victims are encouraged to keep going, sometimes borrowing money or taking out loans to invest more. By the time the truth becomes clear, the losses can be devastating.
How Meta Platforms, Inc. helped track scam networks
Meta Platforms, Inc. played a key role in the investigation by providing data that helped law enforcement identify and track these networks.
The company says it has taken aggressive action across its platforms. In 2025 alone, Meta removed more than 159 million scam ads and shut down 10.9 million accounts linked to scam centers. More recently, it disabled over 150,000 accounts connected to these networks as part of a coordinated enforcement effort.
“Meta is committed to combatting online fraud and scams, and we are proud to partner with law enforcement in these efforts,” Chris Sonderby, Meta’s vice president and deputy general counsel, said. “We applaud the DOJ and FBI for their leadership in holding criminal scammers accountable and protecting American consumers.”
FROM FRIENDLY TEXT TO FINANCIAL TRAP: THE NEW SCAM TREND
Federal authorities announced a sweeping international crackdown that led to at least 276 arrests tied to cryptocurrency scam centers targeting Americans. (Kurt “CyberGuy” Knutsson)
New tools to stop cryptocurrency scams in real time
Meta is also rolling out new protections across its apps to help users spot scams before they get pulled in.
On Facebook, users may see alerts tied to suspicious friend requests, especially when an account shows unusual behavior such as limited connections or inconsistent location details.
On WhatsApp, new warnings are designed to prevent scammers from linking their own devices to someone else’s account, giving users a chance to pause before approving a risky request.
Messenger is also expanding its scam detection tools. When a conversation shows patterns linked to common fraud tactics, users may receive prompts that explain the risk and suggest actions like blocking or reporting the account.
Why this cryptocurrency scam crackdown matters to you
This operation highlights how organized these scam networks have become. These are not random messages from a single person. They are coordinated groups running structured operations designed to build trust, create urgency and move money quickly.
Even with hundreds of arrests, the threat remains. New networks continue to emerge, often using the same playbook with slight changes. That means staying informed is still one of the most effective ways to protect yourself.
Ways to stay safe from cryptocurrency scams
Scammers follow familiar patterns, which means there are clear warning signs you can watch for and simple steps you can take to protect yourself.
1) Slow down unexpected connections
If someone you do not know reaches out and quickly builds a personal connection, slow things down and question the situation. Scammers rely on momentum, so taking a pause can help you spot inconsistencies.
2) Verify investment platforms before sending money
Before sending money to any investment platform, take time to verify that it is legitimate. A professional-looking website or app does not guarantee it is real. Look for independent reviews and official registration details.
3) Avoid sending crypto to unknown sources
Avoid sending cryptocurrency to individuals or platforms you cannot confirm. Once those transactions go through, they are extremely difficult to recover.
4) Watch for pressure and urgency
Be aware of pressure. If someone pushes you to act quickly or invest more, that urgency is often a warning sign.
5) Use strong antivirus protection
Strong antivirus software can help block malicious links, fake investment sites and other threats before they reach you, adding another layer of defense against scam attempts. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
THE ONE THING SCAMMERS CHECK BEFORE TARGETING YOU ONLINE
Meta said it removed more than 159 million scam ads in 2025 and helped investigators track networks tied to cryptocurrency fraud. (Halfpoint/Getty Images)
6) Limit your personal data exposure
Scammers often rely on publicly available information to build trust. Reducing how much of your personal data appears online by using a data removal service can make it harder for them to target you in the first place. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting CyberGuy.com.
7) Strengthen your account security
It also helps to strengthen your digital security. Enable two-factor authentication (2FA) on your accounts and use trusted security tools to reduce exposure to malicious links and messages.
8) Report scams as soon as possible
If you believe you have been targeted or defrauded, report it to the FBI’s Internet Crime Complaint Center at ic3.gov as soon as possible.
Kurt’s key takeaways
This global crackdown is a meaningful step forward. It shows what can happen when law enforcement, tech companies and international partners work together. At the same time, these scams are not going away. The tactics will continue to evolve, and new networks will take the place of those that were shut down. Awareness and caution remain your strongest defenses.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
We report a lot about scams but not so much about scammers getting caught. Does this make you feel like real progress is being made in stopping them? Let us know by writing to us at CyberGuy.com.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
Asus’s latest gaming monitor is a little smaller than usual. The ROG Strix XG129C, announced on Friday, is a 12.3-inch touchscreen IPS display that’s intended to be a sidekick for a larger main monitor, similar to the 14.1-inch secondary display in the 2020 Asus ROG Zephyrus Duo 15. It’s a slightly smaller competitor to Corsair’s Xeneon Edge, which has a 14.5-inch display, but the same 720p resolution.
Asus says the XG129C covers 125 percent of the sRGB color gamut and 90 percent of the DCI-P3 color gamut. It also comes with a one-year subscription for the hardware monitoring tool AIDA64 Extreme, which would usually cost $65. Besides acting as a performance monitor for your PC, sidekick displays like this can also be handy as an extension for streaming or editing setups, much like Elgato’s Stream Deck.
Along with the little XG129C, Asus also announced the ROG Strix OLED XG34WCDMS, a 34-inch RGB Tandem QD-OLED gaming monitor. It features a 280Hz refresh rate and a 3440 x 1440p resolution, and, according to Asus, covers 99 percent of the DCI-P3 color gamut. Asus has not yet officially announced pricing for either display.
-
Technology1 minute agoDyson’s powerful 360 Vis Nav robovac is down to $279.99 for a limited time
-
World7 minutes agoAs Trump forces NATO to pay up, alliance races to close military gap with US
-
Politics13 minutes agoInside the US military playbook to cripple Iran if nuclear talks collapse
-
Health19 minutes agoFitness expert visits gyms nationwide, shouts out 4 clubs for ‘getting it right’
-
Sports25 minutes ago2026 INDYCAR Odds: Alex Palou Clear Favorite for Sonsio Grand Prix at IMS
-
Technology31 minutes agoGlobal scam crackdown leads to 276 arrests
-
Business37 minutes agoDisney’s ABC challenges FCC, escalating fight over free speech
-
Entertainment43 minutes agoWriters Guild staff union reaches deal, ending strike after nearly three months