Robo Army: Man Accidentally Takes Control of 6,700+ Robot Vacuums Worldwide While Hacking His Own

24 Feb 2026, 16:56 by Lucas Nolan · Breitbart

A man inadvertently gained control over thousands of internet-connected robot vacuums while attempting to modify his own device to work with a PlayStation controller. The inadvertent hack provided the man with access to detailed floor plans and even live camera feeds from the Chinese-built robots.

Toms Hardware reports that a significant security vulnerability in DJI Romo robot vacuums has been exposed after a user accidentally obtained unauthorized access to more than 6,700 devices globally while working on a personal modification project. The security breach allowed access to sensitive information including detailed floor plans, live camera feeds, microphone audio, and remote control capabilities of the affected vacuum cleaners. Some security researchers have speculated that the man accidentally accessed a “backdoor” added by the Chinese company to enable spying.

The discovery was made by Sammy Adoufal, an AI strategist who was using Claude Code to reverse engineer the communication protocol between his DJI Romo robot vacuum and its servers. His intention was simply to enable control of his own device using a PlayStation controller. However, the process unexpectedly provided him with access credentials to approximately 6,700 robot vacuums deployed across multiple continents.

Adoufal emphasized that his actions did not constitute hacking in the traditional sense. “I didn’t infringe any rules, I didn’t bypass, I didn’t crack, brute force, whatever,” Adoufal said. His approach involved only extracting the private token from his own Romo vacuum, which inadvertently granted access to live servers operating in the United States, Europe, and China.

Upon discovering the vulnerability, Adoufal acted responsibly by immediately notifying DJI about the security flaw rather than exploiting the access to compromise user privacy. DJI responded to the report by implementing several updates that addressed the primary issue without requiring any action from end users. The company deployed these fixes to secure the affected devices and prevent further unauthorized access.

Despite the resolution of the main vulnerability, Adoufal has indicated that additional security concerns remain unaddressed. Among these outstanding issues is the ability to stream video feeds from DJI Romo devices without requiring a security PIN. Another problem of significant severity has been identified but not publicly disclosed. Adoufal pointed out that the fundamental problem extends beyond encryption protocols used during server communication. According to his findings, all data collected by the robot vacuums is stored in plain text format on the servers, making it easily readable by anyone who manages to gain server access.

Breitbart News has previously reported on the security dangers of internet-connected devices like robot vacuum cleaners. One woman was horrified when a picture of her sitting on the toilet was posted to Facebook by foreign gig workers monitoring devices for popular robot vacuum cleaner company Roomba:

An investigation by the MIT Technology Review revealed that gig workers in Venezuela were asked to label items in photographs of home interiors taken by the Roomba vacuum, some of which included people with visible faces. The employees subsequently posted at least 15 images to social media groups, including pictures of a child and a woman using the restroom. It is thought that this is not an isolated incident and that labelers frequently receive access to private photos, videos, and audio. iRobot terminated its agreement with one of the data annotation businesses it was working with, Scale AI, in response to the investigation. However, iRobot CEO Colin Angle stated in a LinkedIn post that making such images available was necessary for training the company’s object recognition algorithms, denying the concern that human gig workers could see test users’ images and faces.