Connect with us

Technology

The DJI Romo robovac had security so poor, this man remotely accessed thousands of them

Published

on

The DJI Romo robovac had security so poor, this man remotely accessed thousands of them

Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.

But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.

He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.

“I found my device was just one in an ocean of devices,” he says.

A map like the one I saw, with robots and packets trickling in.
Image: Gonzague Dambricourt
Advertisement

On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.

I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.

Azdoufal says he could remote-control robovacs and view live video over the internet.

Azdoufal says he could remote-control robovacs and view live video over the internet.

When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.

With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.

Here are two maps of Thomas’ living space. Above is what we pulled from DJI’s servers without authentication; below is what the owner sees on their own phone.
Screenshots by The Verge

Here’s a fuller floor plan from Gonzague Dambricourt, who tried out a read-only version of Azdoufal’s tool.
Image: Gonzague Dambricourt (X)

Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.

Advertisement

Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.

DJI has MQTT servers associated with the US, EU, and China. I’m not sure what VG stands for.

DJI has MQTT servers associated with the US, EU, and China. I’m not sure what VG stands for.
Screenshot by Sean Hollister / The Verge

Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.

And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.

But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will it protect them against people with intent to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.

It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.

Advertisement

“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.

Not just robovacs — DJI’s power stations also use this system.

Not just robovacs — DJI’s power stations also use this system.
Screenshot by Sean Hollister / The Verge

To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.

But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.

Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)

It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.

Advertisement

DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.

Here’s that whole statement:

DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.

The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.

The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.

DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.

Advertisement

Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security pin. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.

And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.

“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”

When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.

“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”

Advertisement

He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.

But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.

Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.

Technology

Microsoft’s carbon emissions went up 25 percent last year

Published

on

Microsoft’s carbon emissions went up 25 percent last year

Microsoft may once again be struggling to keep up with its own climate goals, according to its 2026 sustainability report. As reported by GeekWire, the report states that Microsoft’s carbon emissions increased 25 percent in 2025, totalling 34 million metric tons “without select interventions.” Microsoft says this was “driven primarily by the expansion of our datacenter infrastructure,” as well as the company’s decision last February to stop purchasing “non-additional, unbundled renewable energy certificates.”

Several years ago, Microsoft set itself a goal to be carbon negative by 2030, meaning it will need to remove more carbon emissions than it produces. This isn’t the first time Microsoft has faced setbacks toward accomplishing that goal, as its 2024 sustainability report showed a similar rise in climate pollution. This year’s report admits that, “While AI infrastructure is driving demand for energy, water, land, and materials, sustainability solutions are not scaling fast enough to meet demand.”

Continue Reading

Technology

Google turns old phones into cloud servers

Published

on

Google turns old phones into cloud servers

NEWYou can now listen to Fox News articles!

That old phone sitting in your drawer may have more life left in it than you think. You may look at it and see a dead battery, an outdated camera or a screen that no longer feels worth using. Google and researchers at the University of California San Diego see something else: a tiny computer that may still have useful processing power.

Their idea is called phone cluster computing. Instead of treating retired smartphones as electronic waste, researchers remove the motherboard and redeploy it as part of a low-carbon computing system.

Google says UC San Diego plans to launch a data center built from 2,000 Pixel smartphones in fall 2026. The goal is to provide low-cost cloud computing for students and researchers while reducing the need for newly manufactured server hardware.

That means the next chapter for an old phone may not be a junk drawer. It may be a server rack.

Advertisement

YOU COULD GET PAID FROM GOOGLE’S ANDROID DATA LAWSUIT

Researchers plan to launch a 2,000-phone data center at UC San Diego in fall 2026 to support students and research workloads. (Kurt “CyberGuy” Knutsson)

Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

What is phone cluster computing?

Phone cluster computing takes retired smartphones and turns their core hardware into a computing platform. The process starts by stripping each phone down to the motherboard. That board holds the processor, memory and storage. The display, battery, cameras, chassis and other phone-specific parts are removed.

That step is important because a full phone does not belong in a data center. Batteries can create safety issues. Screens and cameras waste space. The motherboard is the part that still offers computing value.

Once the board is removed, researchers load a general-purpose Linux system onto it. Android already runs on Linux at its core, but Android is built for mobile apps and personal devices. A data center needs something more flexible for cloud workloads. After that, the phone boards can be grouped into clusters. Many small boards then work together like a collection of tiny servers.

Advertisement

Why Google wants old Pixel phones for cloud computing

The AI boom has created a huge appetite for computing power. Data centers need more chips, more electricity and more cooling. At the same time, billions of phones fall out of use around the world.

This Google-backed project takes that conversation in a different direction by asking whether some useful computing can come from hardware we already made.

The project focuses on embodied carbon. That means the emissions created before a device ever turns on. Mining, manufacturing and shipping all add to that carbon footprint.

If a phone motherboard already exists, reusing it can avoid some of the environmental cost tied to manufacturing new hardware. Google says the motherboard accounts for about half of a phone’s embodied carbon, which makes it the most valuable part to recover.

How retired smartphones become low-carbon servers

You cannot plug a pile of old phones into a rack and call it a data center. The process requires careful teardown, new software and a way to manage many boards at once. Google says the project uses containerized applications managed by Kubernetes. That helps coordinate the work across many devices.

Advertisement

The phones are organized into self-managing clusters of about 25 to 50 boards. Each board works as a small Linux machine. Together, they can handle tasks that would otherwise run on traditional cloud servers. That does not make one phone equal to one server. A server has many more processor cores, more memory and data center-grade hardware. A phone board has fewer resources and tighter limits. Still, some jobs do not need a giant machine. They need enough compute to run efficiently without wasting resources.

GOOGLE ENGINEER STOLE AI SECRETS FOR CHINA, SENATE HEARS IN EXPLOSIVE TESTIMONY

Google and UC San Diego are testing a cloud computing system built from retired Pixel phone motherboards, giving old smartphones a possible second life. (Google)

Can old phone processors handle cloud workloads?

The technical case is stronger than you may expect. Google says the single-threaded performance of modern smartphone performance cores can match or beat the per-core performance of some modern multicore servers. In one comparison, a 2023 Pixel Fold was tested against an ASUS RS720A-E11 server using SPEC benchmarks. The Pixel Fold’s performance cores beat the baseline data center server core on many of the tests. That sounds impressive, but there is an important catch.

A smartphone board has a smaller memory limit and fewer cores. It also lacks the management tools and hardware durability that servers are built around. So the project needs the right workloads.

Advertisement

UC San Diego is starting with educational and research computing. That makes sense because many classroom tasks can run on small cloud instances. Google says early experiments showed that a 20-phone cluster could support peak submission rates for a class of more than 75 students. The grading latency also came in below the default AWS backend used in the comparison.

Why UC San Diego is testing a 2,000 Pixel phone data center

UC San Diego plans to use the 2,000-phone cluster to support computer science classes and research workloads. Google says the deployment could support about 100 classes at once. It also describes the system as providing about 50 server-equivalents worth of compute at a fraction of the usual cost.

For a university, that could be a major advantage. Cloud computing costs can rise quickly, especially when many students submit assignments at the same time. If a reused phone cluster can handle some of that load, schools may save money while reducing demand for newly manufactured servers.

This also gives researchers a chance to test phone-based computing at scale. A small lab demo can look promising. A 2,000-board deployment will show much more about reliability, maintenance and day-to-day performance.

Phone cluster computing still has big limits

Phone cluster computing sounds promising, but it still has a lot to prove. Your smartphone was made for daily use in your hand, not nonstop work inside a data center. Data center servers are built to run for years with steady cooling, fast repairs and constant monitoring. Phone motherboards come from devices made for pockets, backpacks and kitchen counters. That alone raises some big questions.

Advertisement

The boards could fail faster than expected. Cooling may also become a challenge once thousands of tiny processors run side by side. Then there is the labor problem, because someone has to safely remove batteries, screens and other parts before the boards can be reused. Cost will be the deciding factor. If teardown, maintenance and replacement work get too expensive, this idea may stay in the research lab.

Phone clusters also will not replace the massive GPU systems that power advanced AI training. They make more sense for smaller cloud jobs, classroom tools and research tasks that fit within smartphone hardware limits. That still leaves plenty of useful work. After all, not every cloud task needs the newest chip.

Why old smartphones could help cut e-waste

The world’s e-waste problem is growing fast. The Global E-waste Monitor projects that electronic waste could climb to 82 million tonnes by 2030, while formal collection and recycling rates are expected to fall to 20%. Old phones are a big part of that problem because many never make it to a proper recycling program. They sit in drawers, land in closets or get tossed out with valuable parts still inside. Even when a phone no longer feels useful to you, its processor, memory and storage may still have work left to do.

CyberGuy has covered related second-life ideas before, including old smartphones being turned into tiny data centers and repurposed EV batteries helping power AI data centers. The common theme is hard to ignore. Some of the hardware already in circulation may still have useful work left to do.

FIVE DATA BROKER OPT-OUT MYTHS THAT LEAVE RETIREES EXPOSED

Advertisement

Google says reusing smartphone motherboards could cut hardware waste and reduce the carbon cost of building new data center servers. (Yawar Nazir/Getty Images)

How to safely recycle or reuse your old phone

This research does not mean you should toss your old phone into a random donation bin tomorrow. Before you recycle, donate, trade in or sell an old phone, you need to protect your data. Back up anything you want to keep. Then sign out of your accounts and securely wipe the device.

CyberGuy has a helpful guide on how to securely get rid of your old cell phone. Privacy comes first whenever you part with a device.

You can also consider trade-in programs, certified refurbishers or reputable electronics recycling programs. If the phone still works, buying refurbished can also keep devices in use longer. CyberGuy has covered what to know before buying refurbished electronics, which is helpful if you want to save money without taking a gamble. The key is to avoid letting old devices sit forgotten forever. A phone in a drawer helps no one.

What this means to you

That old phone in your drawer may not be as useless as it looks. Even if the battery is tired or the camera feels outdated, the processor inside may still have real value.

Advertisement

Now, you probably will not be mailing your old phone to a Google data center anytime soon. Still, this project points to a bigger shift in how we think about retired tech. Instead of sending every old device straight to recycling or letting it collect dust, companies, schools and researchers may find smarter ways to reuse the parts that still work.

There is also a money lesson here. If your current phone still runs well, you may not need to rush into an upgrade just because a newer model comes out. A battery replacement, trade-in or refurbished option could save you money while keeping perfectly good hardware in use longer. To me, that is the real takeaway. The phone you forgot about could possibly still have a job to do.

Watch the CyberGuy Live replay: Lock Down Your Phone in 30 Minutes

Your phone holds your email, passwords, photos, banking apps and personal data. In this free CyberGuy Live replay, Kurt the CyberGuy walks you step by step through simple phone security fixes you can do at your own pace. You’ll learn how to improve your privacy settings, spot the latest phone scams, use trusted security tools and walk away with a simple checklist to stay protected. Watch the replay and get our checklist here: CyberGuyLive.com.

Kurt’s key takeaways

Google and UC San Diego are testing how to turn retired Pixel phone motherboards into a low-carbon cloud computing platform. The project could give old smartphones a second life while reducing the need for newly manufactured servers. That is important as AI data centers keep demanding more computing power and more electricity. The first major test is expected in fall 2026 with a 2,000-phone data center at UC San Diego. If it works, the cluster could support students and researchers at a lower cost than traditional cloud infrastructure. However, this idea still has to prove it can handle the grind of daily use. Reliability, cooling, teardown labor and maintenance will determine whether phone cluster computing can grow beyond just research. To me, the most relatable part is sitting in your junk drawer. That old phone may seem useless, but its processor could still be powerful enough to help run cloud jobs. Maybe the future of computing starts with hardware we already forgot we owned.

Would you feel good knowing your old phone could help power cloud computing? Let us know by writing to us at CyberGuy.com.

Advertisement

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.

Advertisement
Continue Reading

Technology

Google’s Nest Thermostat has hit its best price of the year

Published

on

Google’s Nest Thermostat has hit its best price of the year

If you’re looking for a relatively affordable way to cut down on cooling costs, Google’s Nest Thermostat can help. It’s packed with smart controls and energy-saving features, and right now it’s on sale in white for $79 ($50 off), which is its best price of the year, at Amazon.

The smart thermostat is quick to install and makes it easy to adjust your home’s temperature whether you’re relaxing in bed or on your way home thanks to the Google Home app. You can also create schedules and control it with your voice using Google Assistant, Alexa, or another Matter-compatible voice assistant.

Once it’s set up, the Nest Thermostat can automatically turn the temperature down when you’re away to help reduce unnecessary energy use, while Google’s Savings Finder feature suggests additional ways to save over time. It also monitors your HVAC system and can alert you if something doesn’t seem right, making it easier to stay on top of maintenance before small issues become bigger, more expensive ones. If you’re eligible, Nest Renew can also automatically shift some of your heating and cooling to times when electricity is cleaner or cheaper.

That said, this is Google’s entry-level model from 2020, so you do miss out on some of the premium features found on the latest Nest Learning Thermostat. Unlike the flagship version, it won’t learn your schedule automatically over time, for example, and lacks support for Nest Temperature Sensors that let you prioritize the temperature in a specific room. Even so, if all you want is an easy way to adjust your home’s temperature remotely and potentially lower your energy bills, the Nest Thermostat is still a solid investment at this price.

Continue Reading
Advertisement

Trending