Robotics Privacy Security

Man Accidentally Gains Control of 7,000 Robot Vacuums (popsci.com)

A software engineer tried steering his robot vacuum with a videogame controller, reports Popular Science — but ended up with "a sneak peak into thousands of people's homes." While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI's remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing. Luckily, Azdoufal chose not to exploit that. Instead, he shared his findings with The Verge, which quickly contacted DJI to report the flaw... He also claims he could compile 2D floor plans of the homes the robots were operating in. A quick look at the robots' IP addresses also revealed their approximate locations.

DJI told Popular Science the issue was addressed "through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10."
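The page does not say what the backend flaw actually was, only its effect: one device owner's credentials were accepted for other owners' devices. The pattern that produces exactly that effect is a device API that authenticates the caller but never checks that the caller is authorized for the requested device (broken object-level authorization). The example below is an added illustration, not DJI's code or a description of its API: a hypothetical in-memory device cloud with a vulnerable handler beside a hardened one, plus the enumeration loop a curious owner (or an attacker) would run to measure how far one session reaches. The `shared_with` grant list and all device and user names are constructed assumptions.

```python
"""Object-level authorization in a hypothetical device cloud API (added example).

Not the vendor's code. Shows why "is the token valid?" is not the same question as
"may this token see this device?", and how a single session is measured against the fleet.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    device_id: str
    owner: str
    shared_with: set = field(default_factory=set)  # assumption: explicit sharing grants
    camera_feed: str = ""                          # stands in for the live stream


class AuthError(Exception):
    pass


class DeviceCloud:
    def __init__(self):
        self.devices = {}   # device_id -> Device
        self.sessions = {}  # session token -> user

    def register(self, device_id, owner):
        self.devices[device_id] = Device(device_id, owner, camera_feed=f"feed-of-{device_id}")

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def _authenticate(self, token):
        # Answers only "who is calling?"
        try:
            return self.sessions[token]
        except KeyError:
            raise AuthError("invalid session") from None

    def get_feed_vulnerable(self, token, device_id):
        # Authenticates the caller, then trusts the caller-supplied device_id.
        self._authenticate(token)
        return self.devices[device_id].camera_feed

    def get_feed_hardened(self, token, device_id):
        user = self._authenticate(token)
        dev = self.devices.get(device_id)
        # Ownership (or an explicit grant) is checked on the server for every object.
        # "Not found" and "not yours" return the same error, so the endpoint does not
        # double as an oracle for which device IDs exist.
        if dev is None or (user != dev.owner and user not in dev.shared_with):
            raise AuthError("no such device")
        return dev.camera_feed


def enumerate_accessible(cloud, token, handler):
    """Return the device IDs one session can reach through the given handler."""
    reachable = []
    for device_id in cloud.devices:
        try:
            handler(token, device_id)
            reachable.append(device_id)
        except (AuthError, KeyError):
            pass
    return reachable


def build_demo_fleet(n=7000):
    """Constructed fleet: n devices, one owner each, one device shared with user0."""
    cloud = DeviceCloud()
    for i in range(n):
        cloud.register(f"vac-{i:05d}", owner=f"user{i}")
    cloud.devices["vac-00001"].shared_with.add("user0")
    return cloud


def demo():
    """Reach of user0's single session: (vulnerable count, hardened device list)."""
    cloud = build_demo_fleet()
    token = cloud.login("user0")
    vulnerable = enumerate_accessible(cloud, token, cloud.get_feed_vulnerable)
    hardened = enumerate_accessible(cloud, token, cloud.get_feed_hardened)
    return len(vulnerable), sorted(hardened)


if __name__ == "__main__":
    count, mine = demo()
    print(f"vulnerable handler: {count} devices reachable with one session")
    print(f"hardened handler:   {mine}")
```

Running `demo()` shows the whole constructed fleet of 7,000 reachable through the vulnerable handler and only the caller's own device plus the one shared with them through the hardened one. The point for reviewers of any device cloud is that the check has to sit on every object-returning endpoint (feed, audio, map, status), because a token that is valid for one object is valid for the API, not for the object.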
  • by MpVpRb ( 1423381 ) on Sunday February 22, 2026 @12:39PM (#66004094)

    Robot vacuums do NOT need to communicate with a cloud server
    The cloud is a trap
    Run away

    • Why wrestle with connecting your phone directly to your home devices through some ad hoc networking, when you can simply attach everything to a [highly insecure] central server and have a simple app that basically amounts to little more than an HTTP request.

      Plus when you shut down your back end services, all your old customers are fucked and have to buy new products.

    • That's the consumer point of view.

      From the vendor, cloud requirements ensure control and access to data they can mine or sell for additional profit.

      That ought to be illegal, but consumer protection laws haven't really caught on with such things yet. Techies have been screaming about it for decades, but it seems that we've gone from being seen as whackjobs to simply being ignored.

      Personally, I have a robot vacuum and I block it from Internet access - which means it doesn't do floor mapping and the vendor lo

      • by SeaFox ( 739806 )

        That ought to be illegal, but consumer protection laws haven't really caught on with such things yet.

        Yes, that's what's going on... the laws just haven't caught up in over twenty years because lawmakers move slow. It can't possibly be a deliberate lack of oversight to appease corporations who benefit from the information gathering.

    • by jd ( 1658 )

      It depends. If the cats of the world decide to rise up in revolution (which, given the quality of catfood, is entirely plausible), then being able to control all the vacuum cleaners would be the only defence.

    • It likely needs constant communication with a computer though, and people are stupid so it's easier to just do the cloud vs having the homeowner leave a computer on and installing software.

      I'm working on the assumption that the onboard electronics are very inexpensive and it's the server that makes the maps and decides when and where to vacuum.

      • by PPH ( 736903 )

        It likely needs constant communication with a computer though,

        Why? My V1.0 Roomba doesn't.

        • My early Roomba would trap itself fairly regularly.

          • I don't think the cloud can fix that.

            • It's not the cloud specifically, but mapping robots in general are a huge improvement over the old bump and run bots. I got one recently and I trust running it when I'm not home. I'd have never done that with my old Roomba because it would get into mischief instead of cleaning. Roomba was a fun toy, the modern lidar bots that mop, vacuum, and self empty are actually tools.
          • My early Roomba would trap itself fairly regularly.

            Don't worry, in future all robot vacuum cleaners will connect to real humans in Pakistan to get them out of trouble, just like the self driving taxis.

      • Who the hell shuts their computer down daily?
        The power savings are a few cents a day (woohoo), not to mention when you need it 5 minutes later for something, now you have to start it up again. Do you also turn off your internet modem when you're not home? Do you turn the furnace/AC down when you're not home (only to have to crank it up when you get home, making it run longer and use more power)?

    • They don't strictly "need" to. But consumers demand they do. They are the ones questioning why they can't access the control interface for their robot from outside the house, or why they would need to do something as "ridiculous" as enable wifi on their phones to access their home network.

      The cloud is a solution to the problem that many people are a combination of stupid, or just creatures that put comfort and convenience above all else, and as such virtually all robot vacuums are cloud connected.

  • by Gravis Zero ( 934156 ) on Sunday February 22, 2026 @12:52PM (#66004126)

    Man Finds Out He Sucks 7000 Times More Than Other People

    This could have been your headline, Slashdot, but you let it get away!

    • And here, I was thinking...

      ...also provided access to live camera feeds...

      This is an opportunity for some VacuFans site specializing in amateur voyeur foot-fetish content. Let people opt-in for the cameras only and think of the unique perspective these things must have. Cash money. Probably.

  • by geekmux ( 1040042 ) on Sunday February 22, 2026 @12:55PM (#66004130)

    The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools..

    Or one might argue that a 7,000-strong node comprised of all manner of deep-seated surveillance hardware was purpose-built to be a surveillance tool.

    (I mean for shits sake how often do we accidentally stumble across a network like that? Even PRISM is turned on right now.)

  • by Gravis Zero ( 934156 ) on Sunday February 22, 2026 @01:01PM (#66004140)

    FTFA:

    Home owners are grappling with the privacy cost of smart homes

    People have been decrying privacy invasions since the beginning of the deployment of telemetry. What's happening now is the chickens have come home to roost and suddenly people are in disbelief that it could somehow happen to them, like they were somehow exempt.

    To everyone who is playing stupid games: you are bound to win a stupid prize.

  • by guygo ( 894298 ) on Sunday February 22, 2026 @01:02PM (#66004142)

    "For 20 years I've tried to no avail to get him to run just ONE vacuum cleaner ONCE! Now he's running 7,000 across the globe? I quit!"

  • Nope, nothing to see here. Move along.

    • by marcle ( 1575627 )

      This bug would allow anybody to access the surveillance network, but even if it were bug-free, obviously DJI would have total access. It's not hidden, that's how their bots work. As a matter of fact, that's how a lot of things work -- cars, TVs, phones, you name it.

      If you didn't want to be surveilled, it would take quite a bit of effort and expertise to avoid it, and there's quite a few products you wouldn't be able to use at all.

      I'm not at all in favor of it, but that's the way our world works now, and it'

  • They are everywhere.

    Remove the cert pinning, setup a mitm and watch your smart bbq toaster bucket leak secrets like mad.

    It'd be fun if it weren't depressing (because you just got laid off for being overpaid in lieu of an offshore team that "delivers on time" and is cheap)

    Of course, not bitter, just progressing poorly through the acceptance phase =D

  • by Vlad_the_Inhaler ( 32958 ) on Sunday February 22, 2026 @01:31PM (#66004194)

    a sneak peak into thousands of people's homes

    "peak" is not the correct spelling in that context, it is of course "pique".
    ok, "peek".

  • That's actually something I've always wanted to be able to do with my robot vacuum. Not all the time, mind you, but it would be fun to drive around with a joystick on occasion, or use it to play with the cat. So I can understand the guy's original motivation :)
    • My Tapo (TP Link) lets you drive it from the app but it's pretty terrible. Can either drive forward or rotate, can't drive and turn. The feature is useless though, mine reliably will go where I want it by clicking an area in the app and saying "go here" or "spot clean this area".
  • ...that he now has a very clean house.

  • by SuperDre ( 982372 )
    He chose not to exploit that, but instead of just directly passing it on to the manufacturer first, he contacted the press....
  • The backend security bug effectively exposed an army of internet-connected robots

    Let's make it really clear here... this WAS NOT a bug. It was intentionally done that way. Chinese companies LOVE stealing anything and everything so they made backdoors to allow themselves access to things they've already sold.
