DJI Robot Vacuum Vulnerability Exposed 7,000 Homes — Engineer Gets $30K Bounty

Engineer Accidentally Hacks Into 7,000 Robot Vacuums
Security researcher Sammy Azdoufal just wanted to control his DJI robot vacuum with a PlayStation 5 controller. What happened next exposed one of the most alarming smart home vulnerabilities in recent memory — and earned him a $30,000 bug bounty from DJI.
Using an AI coding assistant, Azdoufal reverse-engineered DJI’s cloud API for its robot vacuum line. In the process, he accidentally gained access to approximately 7,000 DJI robot vacuums across 24 countries, complete with live camera feeds, microphone access, and detailed floor plans of users’ homes.
How a PS5 Controller Exposed Thousands of Homes
The vulnerability was remarkably simple to exploit. While mapping the cloud API to build his custom controller interface, Azdoufal discovered that DJI's servers didn't properly validate which user was requesting access to which vacuum: the API checked that the caller was logged in, but not that the caller owned the device named in the request. This is the textbook shape of a broken object-level authorization (IDOR) flaw. With the right API calls, any authenticated user could access any DJI robot vacuum connected to the cloud simply by supplying another device's identifier.
The exposed data included real-time video from the vacuum’s onboard camera, audio from its microphone, Wi-Fi network names, and complete floor maps generated during cleaning cycles. For anyone with malicious intent, this would have been a goldmine for surveillance or planning physical break-ins.
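The flaw described above, reduced to its essentials as an added example (this is not DJI's code and none of the identifiers are real): a constructed device registry, a handler that authenticates the caller but never compares the device's owner to the caller, and the hardened handler with the missing ownership check. The `enumerate_devices` helper shows why one valid login was enough to reach thousands of other users' vacuums.

```python
"""Constructed illustration of a broken object-level authorization (BOLA/IDOR)
flaw in a cloud device API, and the ownership check that closes it.

Added example, not DJI's code. Device ids, user ids, tokens, Wi-Fi names and
floor maps are all made up. What it shares with the real incident is the
shape of the bug: the server authenticates the caller but never checks that
the caller owns the device named in the request.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Device:
    device_id: str
    owner_id: str
    # Constructed stand-ins for what a cloud-connected vacuum exposes.
    wifi_ssid: str
    floor_map: list = field(default_factory=list)


# Constructed device registry standing in for the cloud backend's database.
DEVICES: Dict[str, Device] = {
    "vac-0001": Device("vac-0001", "alice", "Alice_Home", [[1, 1, 1], [1, 0, 1]]),
    "vac-0002": Device("vac-0002", "bob", "BobNet", [[1, 0], [0, 1]]),
    "vac-0003": Device("vac-0003", "carol", "CarolWiFi", [[1, 1], [1, 1]]),
}

# Constructed token table: bearer token -> user id.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(session_token: str) -> Optional[str]:
    """Resolve a bearer token to a user id, or None if the token is unknown."""
    return SESSIONS.get(session_token)


def _render(dev: Device) -> dict:
    return {"device_id": dev.device_id, "ssid": dev.wifi_ssid, "map": dev.floor_map}


def get_device_vulnerable(session_token: str, device_id: str) -> Optional[dict]:
    """Vulnerable handler: checks WHO is calling, not WHETHER they own the device."""
    user = authenticate(session_token)
    if user is None:
        return None  # unauthenticated callers are rejected, so auth itself "works"
    dev = DEVICES.get(device_id)
    if dev is None:
        return None
    # Missing step: dev.owner_id is never compared against user.
    return _render(dev)


def get_device_fixed(session_token: str, device_id: str) -> Optional[dict]:
    """Hardened handler: object-level authorization on every device access."""
    user = authenticate(session_token)
    if user is None:
        return None
    dev = DEVICES.get(device_id)
    # Same response for "not found" and "not yours", so the endpoint cannot be
    # used to learn which device ids exist.
    if dev is None or dev.owner_id != user:
        return None
    return _render(dev)


def enumerate_devices(handler: Callable[[str, str], Optional[dict]],
                      session_token: str, id_range: range) -> List[str]:
    """One valid login, many ids: the walk that turns a bug into mass exposure."""
    found = []
    for n in id_range:
        result = handler(session_token, f"vac-{n:04d}")
        if result is not None:
            found.append(result["device_id"])
    return found


if __name__ == "__main__":
    # Bob's single valid session reaches every device through the vulnerable handler...
    print("vulnerable:", enumerate_devices(get_device_vulnerable, "tok-bob", range(1, 10)))
    # ...but only his own through the fixed one.
    print("fixed:     ", enumerate_devices(get_device_fixed, "tok-bob", range(1, 10)))
```

The fix is one comparison, which is why these bugs are so common: every other part of the handler looks correct, and ordinary testing with a single account never exercises the missing branch. The check belongs at the data-access layer (or in a shared authorization helper), not in each endpoint, so a new route cannot forget it.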
DJI’s Initial Response: $100
When Azdoufal reported the vulnerability to DJI, the company initially offered him just $100 for what was clearly a critical security flaw affecting thousands of users worldwide. After the researcher pushed back and the severity of the issue became clear, DJI eventually raised its bounty to $30,000 — a more appropriate figure for a vulnerability of this magnitude.
DJI confirmed the fix was deployed by mid-February 2025, patching the API authorization flaw that allowed unauthorized cross-account access.
The Bottom Line
This incident highlights a growing concern with IoT devices: the cameras and microphones we invite into our homes through “smart” gadgets are only as secure as the cloud infrastructure behind them. DJI is far from the only company with these risks — but the scale of this particular breach, spanning 24 countries and 7,000 devices with live camera access, should make anyone think twice about which connected devices they place inside their homes. At least this time, the person who found the flaw was trying to play with a PS5 controller, not spy on strangers.