Sammy Azdoufal claims he wasn’t trying to hack every robot vacuum in the world. He just wanted to remote control his brand-new DJI Romo vacuum with a PS5 gamepad, he tells The Verge, because it sounded fun.
Technology
The DJI Romo robovac had security so poor, this man remotely accessed thousands of them
But when his homegrown remote control app started talking to DJI’s servers, it wasn’t just one vacuum cleaner that replied. Roughly 7,000 of them, all around the world, began treating Azdoufal like their boss.
He could remotely control them, and look and listen through their live camera feeds, he tells me, saying he tested that out with a friend. He could watch them map out each room of a house, generating a complete 2D floor plan. He could use any robot’s IP address to find its rough location.
“I found my device was just one in an ocean of devices,” he says.
On Tuesday, when he showed me his level of access in a live demo, I couldn’t believe my eyes. Ten, hundreds, thousands of robots reporting for duty, each phoning home MQTT data packets every three seconds to say: their serial number, which rooms they’re cleaning, what they’ve seen, how far they’ve traveled, when they’re returning to the charger, and the obstacles they encountered along the way.
I watched each of these robots slowly pop into existence on a map of the world. Nine minutes after we began, Azdoufal’s laptop had already cataloged 6,700 DJI devices across 24 different countries and collected over 100,000 of their messages. If you add the company’s DJI Power portable power stations, which also phone home to these same servers, Azdoufal had access to over 10,000 devices.
When I say I couldn’t believe my eyes at first, I mean that literally. Azdoufal leads AI strategy at a vacation rental home company; when he told me he reverse engineered DJI’s protocols using Claude Code, I had to wonder whether AI was hallucinating these robots. So I asked my colleague Thomas Ricker, who just finished reviewing the DJI Romo, to pass us its serial number.
With nothing more than that 14-digit number, Azdoufal could not only pull up our robot, he could correctly see it was cleaning the living room and had 80 percent battery life remaining. Within minutes, I watched the robot generate and transmit an accurate floor plan of my colleague’s house, with the correct shape and size of each room, just by typing some digits into a laptop located in a different country.
Separately, Azdoufal pulled up his own DJI Romo’s live video feed, completely bypassing its security PIN, then walked into his living room and waved to the camera while I watched. He also says he shared a limited read-only version of his app with Gonzague Dambricourt, CTO at an IT consulting firm in France; Dambricourt tells me the app let him remotely watch his own DJI Romo’s camera feed before he even paired it.
Azdoufal was able to enable all of this without hacking into DJI’s servers, he claims. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever.” He says he simply extracted his own DJI Romo’s private token — the key that tells DJI’s servers that you should have access to your own data — and those servers gave him the data of thousands of other people as well. He shows me that he can access DJI’s pre-production server, as well as the live servers for the US, China, and the EU.
Here’s the good news: On Tuesday, Azdoufal was not able to take our DJI Romo on a joyride through my colleague’s house, see through its camera, or listen through its microphone. DJI had already restricted that form of access after both Azdoufal and I told the company about the vulnerabilities.
And by Wednesday morning, Azdoufal’s scanner no longer had access to any robots, not even his own. It appears that DJI has plugged the gaping hole.
But this incident raises serious questions about DJI’s security and data practices. It will no doubt be used to help retroactively justify fears that led to the Chinese dronemaker getting largely forced out of the US. If Azdoufal could find these robots without even looking for them, will it protect them against people with intent to do harm? If Claude Code can spit out an app that lets you see into someone’s house, what keeps a DJI employee from doing so? And should a robot vacuum cleaner have a microphone? “It’s so weird to have a microphone on a freaking vacuum,” says Azdoufal.
It doesn’t help that when Azdoufal and The Verge contacted DJI about the issue, the company claimed it had fixed the vulnerability when it was actually only partially resolved.
“DJI can confirm the issue was resolved last week and remediation was already underway prior to public disclosure,” reads part of the original statement provided by DJI spokesperson Daisy Kong. We received that statement on Tuesday morning at 12:28PM ET — about half an hour before Azdoufal showed me thousands of robots, including our review unit, reporting for duty.
To be clear, it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.
But people who put a camera into their home expect that data to be protected, both in transit and once it reaches the server. Security professionals should know that — but as soon as Azdoufal connected to DJI’s MQTT servers, everything was visible in cleartext. If DJI has merely cut off one particular way into those servers, that may not be enough to protect them if hackers find another way in.
Unfortunately, DJI is far from the only smart home company that’s let people down on security. Hackers took over Ecovacs robot vacuums to chase pets and yell racist slurs in 2024. In 2025, South Korean government agencies reported that Dreame’s X50 Ultra had a flaw that could let hackers view its camera feed in real time, and that another Ecovacs and a Narwal robovac could let hackers view and steal photos from the devices. (Korea’s own Samsung and LG vacuums received high marks, and a Roborock did fine.)
It’s not just vacuums, of course. I still won’t buy a Wyze camera, despite its new security ideas, because that company tried to sweep a remote access vulnerability under the rug instead of warning its customers. I would find it hard to trust Anker’s Eufy after it lied to us about its security, too. But Anker came clean, and sunlight is a good disinfectant.
DJI is not being exceptionally transparent about what happened here, but it did answer almost all our questions. In a new statement to The Verge via spokesperson Daisy Kong, the company now admits “a backend permission validation issue” that could have theoretically let hackers see live video from its vacuums, and it admits that it didn’t fully patch that issue until after we confirmed that issues were still present.
Here’s that whole statement:
DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.
The vulnerability involved a backend permission validation issue affecting MQTT-based communication between the device and the server. While this issue created a theoretical potential for unauthorized access to live video of ROMO device, our investigation confirms that actual occurrences were extremely rare. Nearly all identified activity was linked to independent security researchers testing their own devices for reporting purposes, with only a handful of potential exceptions.
The first patch addressed this vulnerability but had not been applied universally across all service nodes. The second patch re-enabled and restarted the remaining service nodes. This has now been fully resolved, and there is no evidence of broader impact. This was not a transmission encryption issue. ROMO device-to-server communication was not transmitted in cleartext and has always been encrypted using TLS. Data associated with ROMO devices, such as those in Europe, is stored on U.S.-based AWS cloud infrastructure.
DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.
Azdoufal says that even now, DJI hasn’t fixed all the vulnerabilities he’s found. One of them is the ability to view your own DJI Romo video stream without needing its security pin. Another one is so bad I won’t describe it until DJI has more time to fix it. DJI did not immediately promise to do so.
And both Azdoufal and security researcher Kevin Finisterre tell me it’s not enough for the Romo to send encrypted data to a US server, if anyone inside that server can easily read it afterward. “A server being based in the US in no way, shape, or form prevents .cn DJI employees from access,” Finisterre tells me. That seems evident, as Azdoufal lives in Barcelona and was able to see devices in entirely different regions.
“Once you’re an authenticated client on the MQTT broker, if there are no proper topic-level access controls (ACLs), you can subscribe to wildcard topics (e.g., #) and see all messages from all devices in plaintext at the application layer,” says Azdoufal. “TLS does nothing to prevent this — it only protects the pipe, not what’s inside the pipe from other authorized participants.”
When I tell Azdoufal that some may judge him for not giving DJI much time to resolve the issues before going public, he notes that he didn’t hack anything, didn’t expose sensitive data, and isn’t a security professional. He says he was simply livetweeting everything that happened while trying to control his robot with a PS5 gamepad.
“Yes, I don’t follow the rules, but people stick to the bug bounty program for money. I fucking don’t care, I just want this fixed,” he says. “Following the rules to the end would probably make this breach happen for a way longer time, I think.”
He doesn’t believe that DJI truly discovered these issues by itself back in January, and he’s annoyed the company only ever responded to him robotically in DMs on X, instead of answering his emails.
But he is happy about one thing: He can indeed control his Romo with a PlayStation or Xbox gamepad.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
Five months after returning to OpenAI, Barret Zoph — the company’s head of enterprise AI sales — has departed, The Verge has learned.
Zoph returned to OpenAI in mid-January after a stint as co-founder and CTO of Thinking Machines Lab, the competing AI company founded by former OpenAI CTO Mira Murati. Shortly after Zoph returned to OpenAI, the company said he would lead its push into enterprise — a significant role at OpenAI, since in recent months it had vowed to stop chasing so-called “side quests” and focus on key revenue drivers like enterprise and coding ahead of its planned IPO.
OpenAI confirmed to The Verge that Zoph will be departing. He posted a goodbye message in the company’s Slack channels. Zoph did not immediately respond to a request for comment.
Zoph originally left OpenAI in the fall of 2024 for Murati’s Thinking Machines Lab, but departed the role abruptly in January 2026 after reports of alleged misconduct involving an undisclosed relationship with a colleague. Murati posted on X in January that Thinking Machines Lab had “parted ways” with Zoph and that he would be replaced as CTO.
Thinking Machines Lab has its own tensions with OpenAI. Murati briefly took over as CEO from OpenAI CEO Sam Altman during his November 2023 ouster, and during the recent OpenAI trial, Murati testified that she couldn’t trust everything Altman said. In September 2024, when Murati left OpenAI to start Thinking Machines Lab, a group of OpenAI employees followed shortly after. But three of them — including Zoph — all returned to OpenAI together this past January. Fidji Simo, OpenAI’s CEO of Applications, wrote on X at the time that she was “excited to welcome Barret Zoph, Luke Metz, and Sam Schoenholz back” and that the decision had “been in the works for several weeks.”
NEWYou can now listen to Fox News articles!
For years, two women in Bremerton, Washington, opened credit cards and lines of credit in other people’s names, working from documents they pulled out of stolen mail. Emily Vranic and Heather Marquis redirected the new accounts’ statements to an address they controlled, so no bill ever reached the victims. They pleaded guilty in federal court this month to bank fraud and aggravated identity theft in a scheme prosecutors say stole nearly $229,000 from banks and bank customers.
If you have ever worried about a credit card opened in your name, this case shows how quickly stolen mail can turn into a much bigger identity theft problem. Opening a new account is the leading form of identity misuse reported to the Identity Theft Resource Center. In its latest data, 62.1% of attempted misuse cases began with a new account application rather than the takeover of an account the victim already held.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
WARNING SIGNS YOUR MAIL HAS BEEN FRAUDULENTLY REDIRECTED
A credit card opened in your name can start with stolen mail, exposed personal details or documents pulled from the trash. (Nastasic/Getty Images)
How stolen mail helped thieves open credit cards
When people picture an account opened in their name, they may imagine a checking account at a bank they have never set foot in. The more likely target is a credit card. Credit cards made up 41% of attempted account misuse reported to the ITRC last year. Checking accounts came to 17.7% and personal loans to 8.5%.
A credit card is one of the easier accounts to open in someone else’s name, and the reason is in how the application is cleared. A lender matches the submitted name, date of birth, address and Social Security number (SSN) against the bureau file. When those details fit a record that already exists, an automated system can approve the application with no one confirming that the applicant is the person being described. Assemble enough of someone’s information from breaches and stolen mail, and the check clears.
Why identity thieves rarely stop at one account
Vranic and Marquis did not stop at one account per victim. Once they controlled someone’s identity, they activated existing cards, opened new credit lines and moved money out of bank accounts tied to the same name.
This is common. The ITRC found that 25.6% of victims are now handling two or more identity incidents at once, up from 23.5% the year before. The same stolen details, including name, date of birth, address and SSN, can open the next account as easily as the first.
DON’T LET THIS CREDIT CARD FRAUD NIGHTMARE HAPPEN TO YOU
A fraudulent credit card may stay hidden for weeks if statements and notices are sent to an address controlled by the thief. (Kurt “CyberGuy” Knutsson)
Why weeks can pass before you learn about the account
A new account does not announce itself. It reaches your credit report only after the first statement closes, which puts the first record 30 to 60 days behind the opening. Banks report to the bureaus monthly, and the bureaus need up to two weeks more to post the change.
The first paper notice goes wherever the application is listed. Vranic and Marquis had the statements mailed to their own address, not the victims’. When the mail reaches the right house, it may read like a routine offer or a card no one ordered, which makes it easy to set aside.
By the time a denied loan or a collections call makes the account impossible to ignore, it has been open and drawing money for weeks.
WHY THAT $4 CHARGE ON YOUR STATEMENT COULD BE FRAUD
Freezing your credit, watching for new accounts and acting quickly can help limit the damage if your identity is used. (Kurt “CyberGuy” Knutsson)
What to do if a credit card appears in your name
Move quickly, because every day an account stays open gives a thief more time to spend money, damage your credit or try the same information somewhere else.
1) Contact the card issuer immediately
Call the credit card company or lender that opened the account and tell them the account is fraudulent. Ask them to close or freeze the account, stop any pending charges and send written confirmation that you are not responsible for the debt.
2) Start at IdentityTheft.gov
Go to IdentityTheft.gov. The Federal Trade Commission’s site generates an Identity Theft Report and recovery plan to help you report identity theft, limit the damage and fix your credit.
3) File a police report if a creditor asks for one
Your FTC Identity Theft Report is usually the key document for disputing fraudulent accounts. Some lenders, banks or debt collectors may also ask for a police report. If that happens, file one with your local police department and keep a copy for your records.
4) Save every document and confirmation number
Keep copies of account statements, collection letters, emails, dispute letters, FTC reports, police reports and confirmation numbers. A clear paper trail can make it easier to prove the account was fraudulent if a creditor, credit bureau or debt collector questions your claim.
5) Dispute the account in writing
Dispute the fraudulent account directly with the lender that opened it, in writing. Also dispute it with Equifax, Experian and TransUnion if it appears on your credit reports. Under the Fair Credit Reporting Act, companies that furnish information to credit bureaus have a duty to investigate disputed information.
6) Freeze your credit at all three bureaus
Place a freeze at Equifax, Experian and TransUnion to help block the next application. Freezes have been free since 2018 and can be lifted online when you need to apply for credit.
7) Add a fraud alert
A credit freeze blocks access to your credit file. A fraud alert tells lenders to take extra steps to verify your identity before opening new credit in your name. You only need to contact one of the three major credit bureaus to place a fraud alert, and that bureau must notify the other two.
8) Report suspected mail theft
If you believe stolen mail helped someone open the account, report it to the U.S. Postal Inspection Service, the law enforcement arm of the Postal Service. You can report mail theft, identity theft, fraudulent change-of-address requests, fraudulent mail holds and fake Informed Delivery accounts at mailtheft.uspis.gov.
9) Request an IRS Identity Protection PIN
If your Social Security number was used, request an IRS Identity Protection PIN at irs.gov/ippin. This helps keep a thief from filing a tax return in your name.
10) Change passwords and lock down your accounts
Change the passwords on your bank, credit card and email accounts, especially if your email address was part of the fraud. Use a password manager to create and store strong, unique passwords for each account, so one exposed password cannot unlock the rest of your financial life. Turn on two-factor authentication (2FA) where available. Then review recent transactions, saved payment methods and automatic payments for anything you do not recognize.
11) Get help cleaning up the damage
Cleaning up identity theft can mean dealing with creditors, credit bureaus, debt collectors and repeat follow-ups. Keep copies of every report, dispute letter, confirmation number and account closure notice so you have a clear paper trail if the fraud resurfaces.
No service can prevent every account opened in your name. Continuous three-bureau credit monitoring may alert you to new accounts as they are reported, rather than weeks later when a lender turns you down or a collections notice arrives. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com
Kurt’s key takeaways
A stolen credit card account can quietly grow into a much bigger identity theft mess before you ever see a bill. That is what makes this Washington case so alarming. The victims were not ignoring warning signs. The statements were being sent somewhere else. The best move is to make it harder for thieves to open the next account. Freeze your credit at Equifax, Experian and TransUnion, watch for hard inquiries and check your credit reports for accounts you do not recognize. If something appears, go straight to IdentityTheft.gov, file a report and dispute the account in writing with the lender. Credit monitoring can also give you a faster heads-up when a new account or inquiry hits your file. It will not stop every scam, but it can shorten the time between the fraud starting and you finding out.
Have you ever found a credit card, loan or account on your credit report that you did not open? Let us know how you discovered it and what it took to fix it by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
Valve has some good news and bad news about Steam Controllers. The good news: if you make a reservation for a Steam Controller, the company will now show you one of three estimates of when you’ll be able to actually order your gamepad: by September 2026, by December 2026, or sometime in 2027. The bad news: any reservations made today “indicate a 2027 date for shipping,” Valve says.
“We have no plans to stop making Steam Controller,” according to Valve. “But as we look at the current demand compared to how many we know we can make by the end of the year, we want to manage expectations as much as we can with regards to when folks can expect to receive their order.”
Valve’s very good new Steam Controller went on sale in early May, and the initial rush led some people to run into frustrating problems with trying to check out ahead of the controllers eventually going out of stock. A few days later, the company announced that it would be implementing a reservations queue for interested buyers so they could get on a waitlist. If you’re on the waitlist, when you get notified that a Steam Controller is ready for you to buy, you have 72 hours to actually make the order.
“When we launched Steam Controller last month, we quickly saw that initial demand exceeded our expectations,” Valve says. “Switching to a reservation queue has (hopefully) cut down on the headaches on the customer side, and for us it’s also been helpful as we plan ahead and try to get as many out as quickly as we are able.”
All three of Valve’s big hardware products were delayed from a planned early 2026 launch because of the component crisis, Valve still hasn’t announced when the Steam Machine PC or Steam Frame VR headset might go on sale. However, just yesterday, Valve officially launched its big SteamOS 3.8 update with support for the Steam Machine. It’s also been importing a lot of hardware into the US as of late.
-
Seattle, WA1 minute ago‘Seattle News Weekly’: FIFA World Cup 2026 at Seattle Stadium
-
San Diego, CA8 minutes agoIt’s NASCAR weekend in Coronado. Here’s what San Diegans need to know.
-
Milwaukee, WI11 minutes agoGiannis’ quiet trade market could keep him in Milwaukee
-
Atlanta, GA16 minutes agoYMCA of Metro Atlanta Partners with Trae Young Family Foundation to Unveil 8 New Pickleball Courts with ‘First Dink’ Celebration
-
Minneapolis, MN23 minutes agoReal Capital Solutions Acquires Minneapolis Office Property for $34M
-
Indianapolis, IN26 minutes agoRetro Indy: For years Marott was Indianapolis’ most luxurious hotel
-
Pittsburg, PA31 minutes agoPirates Trade Analysis: Something Had to Give
-
Augusta, GA37 minutes agoAugusta Dream Center sees surge in families needing food as summer begins
