The DJI Romo robovac had security so poor, this man remotely accessed thousands of them


Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.

But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.

He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.

“I found my device was just one in an ocean of devices,” he says.

A map like the one I saw, with robots and packets trickling in.
Image: Gonzague Dambricourt

On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.

I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.

Azdoufal says he could remote-control robovacs and view live video over the internet.

When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.

With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.

Here are two maps of Thomas’ living space. Above is what we pulled from DJI’s servers without authentication; below is what the owner sees on their own phone.
Screenshots by The Verge

Here’s a fuller floor plan from Gonzague Dambricourt, who tried out a read-only version of Azdoufal’s tool.
Image: Gonzague Dambricourt (X)

Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.


Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.

DJI has MQTT servers associated with the US, EU, and China. I’m not sure what VG stands for.
Screenshot by Sean Hollister / The Verge

Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.

And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.

But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify the fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will DJI protect them against people who intend to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.

It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.


“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.

Not just robovacs — DJI’s power stations also use this system.
Screenshot by Sean Hollister / The Verge

To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.

But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.

Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)

It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.


DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.

Here’s that whole statement:

DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.

The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.

The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.

DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.


Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security pin. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.

And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.

“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”
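The point Azdoufal makes about topic-level ACLs can be shown with a small broker-side authorization check. The following is an added example written for this article, not code from DJI or from Azdoufal’s tool: it implements MQTT wildcard matching, then an ACL that grants each client read access only to its own device’s subtree, and simulates what a client subscribing to `#` receives with and without that ACL enforced. The topic layout `devices/<serial>/<channel>`, the serial numbers and the client names are all constructed for the example and are not DJI’s actual scheme.

```python
"""Per-device topic ACLs for an MQTT broker (constructed example).

TLS authenticates and encrypts the connection; it says nothing about which
topics an authenticated client may read. Without a topic-level ACL, any client
may subscribe to the wildcard '#' and receive every device's messages.
"""

# Constructed sample data: three devices publishing telemetry on a
# hypothetical 'devices/<serial>/telemetry' topic. Serials are made up.
SERIALS = ["DEMO00000001", "DEMO00000002", "DEMO00000003"]
MESSAGES = [
    (f"devices/{s}/telemetry", f'{{"serial":"{s}","room":"kitchen","battery":80}}')
    for s in SERIALS
]

# Constructed ACL: each owner account may read only its own device's subtree.
ACL = {
    "owner-1": ["devices/DEMO00000001/#"],
    "owner-2": ["devices/DEMO00000002/#"],
}


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT matching: '+' matches exactly one level, '#' (last level only)
    matches the remaining levels, including zero of them."""
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic the requested filter could match is also matched by
    the allowed filter. A subscription is safe only if it is fully covered."""
    a_levels = allowed.split("/")
    r_levels = requested.split("/")
    for i, al in enumerate(a_levels):
        if al == "#":
            return True            # allowed grants everything below this point
        if i >= len(r_levels):
            return False           # allowed is more specific than requested
        rl = r_levels[i]
        if rl == "#":
            return False           # requested spans more levels than allowed
        if al == "+":
            continue               # allowed '+' covers a literal or '+' here
        if rl != al:
            return False           # literal mismatch, or requested '+' vs literal
    return len(r_levels) == len(a_levels)


def authorize_subscribe(acl: dict, client_id: str, requested: str) -> bool:
    """Broker-side decision: accept the subscription only if some ACL entry
    for this client covers the whole requested filter."""
    return any(filter_covers(allowed, requested) for allowed in acl.get(client_id, []))


def deliver(messages, subscribed_filters):
    """Messages a client receives given its accepted subscription filters."""
    return [
        (topic, payload)
        for topic, payload in messages
        if any(topic_matches(f, topic) for f in subscribed_filters)
    ]


def simulate(client_id: str, requested_filters, acl_enforced: bool):
    """Run the subscribe/deliver cycle with or without topic ACL enforcement."""
    accepted = [
        f for f in requested_filters
        if not acl_enforced or authorize_subscribe(ACL, client_id, f)
    ]
    return deliver(MESSAGES, accepted)


if __name__ == "__main__":
    # No ACL: an authenticated owner subscribing to '#' sees every device.
    print(len(simulate("owner-1", ["#"], acl_enforced=False)), "messages without ACL")
    # With ACL: '#' is refused outright; only the owner's own subtree is readable.
    print(len(simulate("owner-1", ["#"], acl_enforced=True)), "messages with ACL")
    print(simulate("owner-1", ["devices/DEMO00000001/#"], acl_enforced=True))
```

The design choice worth noting is that `filter_covers` rejects a subscription unless the ACL covers everything it could match, rather than filtering messages after the fact; a broker that silently drops disallowed messages still leaks the existence of topics through retained-message and subscription-acknowledgement behaviour. In Mosquitto, for example, the equivalent per-user rule is a `pattern read devices/%u/#` line in its `acl_file`, which substitutes the authenticated username into the allowed filter.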

When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.

“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”


He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.

But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.


The future of local TV news has taken a Trumpian turn

This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more stories on Big Tech versus politics in Washington, DC, follow Tina Nguyen and read Regulator. The Stepback arrives in our subscribers’ inboxes at 8AM ET. Opt in for The Stepback here.

A long time ago, in 2004, the Federal Communications Commission laid down a rule designed to prevent a monopoly: No one company could broadcast to more than 39 percent of all the TV households in the United States. But then Donald Trump returned to the White House in 2025. Brendan Carr became FCC chairman and immediately kicked off a deregulatory initiative called “Delete, Delete, Delete,” in which Carr vowed to get rid of “every rule, regulation, or guidance document” that placed “unnecessary regulatory burdens” on companies. And within months, Nexstar, which already owned over 200 stations nationwide and had hit its ownership cap, announced that it had entered an agreement to purchase its rival, Tegna, for an estimated $6.2 billion — something that could only happen, however, if Carr agreed to change the FCC’s rules.

If you ask Nexstar why it’s pursuing a merger that would give it control of over 80 percent of the market, it’d point to Big Tech as the culprit. As advertisers take their money to Netflix, YouTube, and other digital streamers, linear television — the local television news, the broadcast affiliates, the basic cable networks — has suffered, forcing them to consolidate and shut down newsrooms. In that sense, Nexstar argued, the merger would help it compete for ad revenue with the streaming services, thereby building more robust local journalism. However, the merger’s opponents believe that this is a basic violation of antitrust laws and principles — not to mention the danger of letting one company have editorial control over the vast majority of America’s local television newsrooms.

But the second Trump administration handles regulatory hurdles a little differently than others, and companies have found that it’s faster to get what they want if they bypass the agencies and talk (read: suck up) to Trump directly. And when Nexstar did so publicly, it confirmed its opponents’ fears about political influence. Last September, in the fraught weeks after the fatal shooting of Charlie Kirk, Nexstar announced it would no longer broadcast Jimmy Kimmel Live! — a response to Carr’s claim that the FCC could revoke the broadcast licenses of TV stations that aired the comedian’s comments related to Kirk. It briefly led to ABC suspending Kimmel’s show, though ABC and Nexstar soon reversed their decision after a massive nationwide backlash and an ABC boycott.

However, Nexstar’s loyalty to Trump himself was not enough to win over his most powerful MAGA supporters. Newsmax, a cable news network with a deeply pro-Trump bent, and its CEO, longtime Trump donor and outside adviser Chris Ruddy, filed a lawsuit objecting to the merger, claiming that Nexstar’s anticompetitive behavior would force channels like his off the air with steeper carriage fees. He specifically accused Nexstar of jacking up the fees for stations to carry Newsmax, while offering its similar network, NewsNation, for much cheaper.


The Nexstar-Tegna MAGA makeover then took a more subtle turn. NewsNation hired the pro-Trump Fox News commentator Katie Pavlich and gave her her own primetime show. (The network had already hired a slew of former Fox journalists as well.) Around this time, a political group called Keep News Local began airing ads in DC that seemed to directly address Trump, praising him for having “defeated the fake news monopolies before through independent voices and local news” and claiming that the Nexstar-Tegna merger was “crucial for MAGA to survive.” (A little self-contradictory and mildly illogical, but it’s the kind of stuff that Trump likes to hear.) When I last spoke to Ruddy in February, I asked if he’d worried that the dark money going into Keep News Local would sway Trump, and he chose his words carefully: “I think at the end of the day, Trump makes up his own mind. I’m not sure he’s going to be influenced by an ad campaign.”

For months, no one could accurately predict if Trump would override Carr’s wishes and bless the deal, as he’s often done for other companies facing regulatory scrutiny. Trump’s Truth Social posts about the merger have been a good indicator of how precarious the merger has been and who’s been able to influence him at any given moment: Last November, he blasted the deal as an “EXPANSION OF THE FAKE NEWS NETWORKS,” but by February, he posted that the deal would “help knock out the Fake News because there will be more competition.”

Several current and former NewsNation employees told Status at the time that they feared that the parent company was steering NewsNation away from the centrist, “unbiased” reputation they’d long cultivated. “A lot of people within the network believe that the network has gone hard right to appeal to Trump and Brendan Carr,” one former employee told Status. Coincidentally, days before the deal was finalized, NewsNation began ramping up its explicitly pro-Trump content, tweeting a clip of CNN’s Kaitlan Collins being berated by White House press secretary Karoline Leavitt, along with the comment “Just going to leave this here.”

When Trump greenlit the merger in mid-March, but before the FCC’s three commissioners could vote on whether to waive the ownership cap, Nexstar and Tegna immediately announced a new complication: Tegna and Nexstar had already started merging. Tegna was no more and CEO Mike Steib had already sold $22.6 million of his company stock.

In response, eight state attorneys general and satellite TV operator DirecTV, which had already been planning to file separate federal antitrust suits against the merger, asked US District Judge Troy Nunley in Sacramento for an emergency restraining order that would prevent Nexstar from taking over Tegna’s assets. The order was granted on March 27th, and on April 17th Nunley issued a formal injunction, ruling that Tegna must be operated as an independent financial entity and that Nexstar must take steps to ensure it remains separate from Tegna before further legal proceedings.


For now, Nunley has allowed the states and DirecTV to combine their cases, in which both argue that the merger was a clear violation of antitrust laws and would crush news competition.

Meanwhile, Republicans and Democrats in Congress are furious at Carr. On March 30th, Sens. Ted Cruz (R-TX) and Maria Cantwell (D-WA) sent the chairman a joint letter admonishing him for allowing his staff to waive the regulations to let the merger pass, instead of having the full commission of political appointees — one from the Biden administration — vote on it. “Under these circumstances,” they wrote, “any subsequent vote risks being largely procedural rather than a genuine exercise of commission responsibility.” They also pointed out that their hasty approval without the commission’s approval would now complicate the merger financially: “In a transaction of this scale, where integration proceeds quickly and unwinding becomes impractical, delay in judicial review can insulate the decision from meaningful challenge.” Notably, though they share similar ideological views on the media and deregulation, Cruz and Carr have frequently clashed over how to achieve their objectives. Cruz previously slammed Carr as a “mafioso,” for instance, for the way he’d used the FCC to silence Kimmel.

But even if the merger is legally paused, its fallout has already started to hit local news. NPR’s David Folkenflik reported on Tuesday that Tegna journalists had already started receiving orders to stop broadcasting content from major broadcasters like ABC, CBS, and NBC — media outlets being targeted by Carr — and instead begin airing content from Nexstar’s NewsNation.

  • Brendan Carr’s views on using the FCC to punish major broadcasters were outlined pretty extensively in the chapter he authored in Project 2025, an initiative led by the conservative Heritage Foundation on how to reform the federal bureaucracy to be more favorable to the American right.
  • Exactly how much is local television losing to digital? According to industry publication NewscastStudio, in an investor call defending the purchase, Nexstar chairman Perry Sook cited a market research study from Borrell Associates, which found that “digital advertising in local markets exceeds $100 billion, compared to just $25 billion for local linear television advertising, with nearly two-thirds of digital ad dollars flowing to five major technology companies.”
  • If you want to see exactly how much Keep News Local was trying to suck up to Trump, the ads are archived here.
  • The Vergecast has a long-running segment called “Brendan Carr is a dummy.”
  • The LA Times reported on last week’s preliminary hearings in front of Nunley, and how lawyers for Nexstar, the states, and DirecTV plan to argue their case.
  • The Desk has insights from Kirk Varner, a former TV newsroom director, on how the case could go.
  • Andrew Liptak covered Nexstar’s previous acquisition sprees for The Verge in 2018.
  • Adi Robertson walks through exactly how the Kimmel suspension was an attack on free speech.
  • Brendan Carr keeps trying to convince people that he’s not threatening to suspend broadcast licenses for reporting on unfavorable things like the Iran war, reports Lauren Feiner.
Chinese robot breaks human world record in Beijing half-marathon


A Chinese-built humanoid robot beat the human half-marathon world record in Beijing on Sunday, marking a breakthrough moment in a high-stakes global race for technological dominance.

A robot developed by Chinese smartphone maker Honor completed the 21-kilometer (13-mile) race in 50 minutes and 26 seconds, beating the human record of about 57 minutes set by Uganda’s Jacob Kiplimo last month.

The performance marked a dramatic improvement from last year’s inaugural event, when the top robot finished in more than 2 hours and 40 minutes.

Dozens of humanoid robots competed alongside about 12,000 human runners, navigating a parallel course to avoid collisions.


CHINA’S COMPACT HUMANOID ROBOT SHOWS OFF BALANCE AND FLIPS

A robot crosses the finish line in the Beijing E-Town Half Marathon and Humanoid Robot Half-Marathon held in the outskirts of Beijing on April 19, 2026. (Andy Wong/AP)

Nearly half of the robots ran using autonomous navigation, while others relied on remote control, organizers said.

Despite the breakthrough, the race still saw glitches, with some robots stumbling at the start or veering into barriers.

Engineers said the winning robot was designed to mimic elite athletes, featuring long legs of about 37 inches and advanced cooling systems to sustain performance.


US TARGETS CHINESE ROBOTS OVER SECURITY FEARS

“Looking ahead, some of these technologies might be transferred to other areas,” said Du Xiaodi, an engineer with the Honor team. “For example, structural reliability and liquid-cooling technology could be applied in future industrial scenarios.”

Team members celebrate next to the winning Honor Lightning humanoid robot during a medal ceremony after the second Beijing E-Town Half Marathon and Humanoid Robot Half Marathon in Beijing, China, on April 19, 2026. (Maxim Shemetov/Reuters)

Spectators reacted with a mix of amazement and unease at the machines’ rapid progress.

“It’s the first time robots have surpassed humans, and that’s something I never imagined,” Sun Zhigang, who attended the event with his son, told The Associated Press.


HUMANOID ROBOTS HIT MASS PRODUCTION IN CHINA

“The robots’ speed far exceeds that of humans,” spectator Wang Wen told the outlet. “This may signal the arrival of sort of a new era.”

A robot starts alongside human runners at the Beijing E-Town Half Marathon and Humanoid Half Marathon on the outskirts of Beijing on April 19, 2026. (Ng Han Guan/AP)

Experts say the race highlights China’s accelerating push to dominate robotics and artificial intelligence, even as widespread commercial use of humanoid robots remains limited, according to Reuters. The experts said Chinese robotics firms are still working to develop the AI software needed for humanoids to match the efficiency of human factory workers.

Runners take pictures of a humanoid robot during the second Beijing E-Town Half Marathon and Humanoid Robot Half Marathon in Beijing on April 19, 2026. (Haruna Furuhashi/Pool Photo via AP)


“The future will definitely be an AI era,” engineering student Chu Tianqi told Reuters. “If people don’t know how to use AI now … they will definitely become obsolete.”


The competition underscores a broader technological race between China and the United States, as Beijing invests heavily in advanced robotics as part of its long-term economic strategy.

The Associated Press and Reuters contributed to this report.

The RAM shortage could last years

According to Nikkei Asia, even as suppliers ramp up DRAM production, manufacturers are only expected to meet 60 percent of demand by the end of 2027. SK Group’s chairman has even said that shortages could last until 2030.

The world’s largest memory makers — Samsung, SK Hynix, and Micron — are all working to add new fabrication capacity, but almost none of it will be online until at least 2027, if not 2028. SK opened a fab in Cheongju in February, but that is the only increase in production among the three for 2026.

Nikkei says that production would need to increase by 12 percent a year in 2026 and 2027 to meet demand. But according to Counterpoint Research, an increase of only 7.5 percent is planned.

The new facilities will primarily focus on producing high-bandwidth memory (HBM), which is used in AI data centers. With the companies already prioritizing HBM over the general-purpose DRAM used in computers and phones, it’s not clear how much these new fabs will help alleviate the price crunch facing consumer electronics. Everything from phones and laptops to VR headsets and gaming handhelds has seen price increases due to the RAM shortage.
