
Photo via Igor Bogdanov on Notebookcheck
Security Alert: Some DJI Robot Vacuums Were Exposed Through a Cloud Access Bug
A security researcher reported a serious cloud-side flaw affecting DJI Romo robot vacuums. According to public reports, one authenticated account token could be used to access data streams and controls for many other devices, including live camera feeds, microphone data, maps, and cleaning status.
In plain language: this behaved like a “master key” problem in the backend, not a normal one-device account setup.
Why this matters
Robot vacuums are not just floor cleaners. Many include cameras, microphones, home maps, and room-by-room movement history. If cloud permissions fail, private home data can be exposed at scale.
What users should do right now
- Update firmware and the mobile app immediately.
- In the app, disable camera/microphone features if you do not actively need them.
- Delete old maps and cloud history where possible.
- Put smart-home devices on a separate Wi-Fi network from laptops/work devices.
- Review account security: use a strong password and enable two-factor authentication.
What to expect next
DJI has said patches were deployed, but incidents like this are a reminder that cloud authorization controls are as important as device security. If you own a connected vacuum, keep auto-updates enabled and re-check privacy settings after each app update.
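For readers who build or review device backends, the sketch below contrasts a check that only validates the token with one that also requires the token's account to own the target device, which is the difference between a "master key" and a normal one-device setup. It is an added illustration, not DJI's code or anything taken from the reports, and it assumes the flaw had this shape; every token, device ID and function name in it is constructed.

```python
# Added illustration; all names and data are constructed, not DJI's.
from dataclasses import dataclass

# Constructed sample data: session token -> account, device -> owning account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICE_OWNER = {"vac-001": "alice", "vac-002": "bob", "vac-003": "bob"}
RESOURCES = {"camera", "microphone", "map", "status", "control"}


@dataclass(frozen=True)
class Request:
    token: str
    device_id: str
    resource: str


def authenticate(token):
    """Return the account for a valid session token, else None."""
    return SESSIONS.get(token)


def authorize_weak(req):
    """Flawed check: any valid token is accepted for any device."""
    return authenticate(req.token) is not None and req.resource in RESOURCES


def authorize_strict(req):
    """Per-device check: the token's account must own the target device."""
    account = authenticate(req.token)
    if account is None or req.resource not in RESOURCES:
        return False
    # Deny unknown devices too, so a missing record never grants access.
    return DEVICE_OWNER.get(req.device_id) == account


def cross_account_grants(authorize):
    """Audit helper: list (account, device) pairs granted across accounts."""
    grants = []
    for token, account in SESSIONS.items():
        for device, owner in DEVICE_OWNER.items():
            if owner != account and authorize(Request(token, device, "camera")):
                grants.append((account, device))
    return sorted(grants)


if __name__ == "__main__":
    print("weak:", cross_account_grants(authorize_weak))
    print("strict:", cross_account_grants(authorize_strict))
```

The audit helper doubles as a regression test: run against a real authorization function, any non-empty result means one account can reach another account's device.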
