The Weekend Project That Accidentally Hacked 7,000 Homes
Some of the most consequential cybersecurity discoveries in recent history have come not from well-funded research labs, but from curious hobbyists with too much free time and a good idea. The story of Sammy Azdoufal and his DJI Romo robot vacuum is one of the more remarkable examples of this phenomenon, and it carries some genuinely unsettling lessons for anyone who owns a connected device.
A Gamer’s Innocent Quest for Vacuum Control
Azdoufal’s original goal was refreshingly simple: he wanted to pilot his new robot vacuum around his home using a PlayStation 5 controller. It was the kind of weekend project that sounds fun at a dinner party and seems perfectly harmless on paper. To make it work, he turned to Anthropic’s Claude Code AI assistant, which helped him reverse-engineer the communication protocols buried inside DJI’s mobile application. What once required years of specialized training in software engineering and network analysis now took a hobbyist a weekend and an AI chat window.
This is the part of the story where we need to pause and appreciate something significant. AI coding assistants have fundamentally changed who can probe the security of connected devices. Tasks like decompiling mobile apps, decoding proprietary protocols, and extracting authentication credentials used to be the exclusive territory of professional security researchers. Now, they are accessible to anyone with curiosity, patience, and an internet connection.
When Things Went Horribly Wrong
When Azdoufal’s custom application connected to DJI’s backend servers, something unexpected happened. Instead of seeing only his own vacuum, his client suddenly had visibility into roughly 7,000 robot vacuums spread across 24 countries. He could watch live camera feeds, listen through the built-in microphones, and pull detailed floor plans of strangers’ homes from the data streaming back to him. This was not the result of sophisticated hacking. The underlying cause was embarrassingly basic: DJI’s MQTT message broker enforced no meaningful topic-level access control. Any client that authenticated with a single legitimate device token could subscribe to every other device’s topics, and the broker delivered the entire fleet’s traffic to it, fully readable once it arrived.
MQTT is a lightweight publish-subscribe protocol that is popular in IoT precisely because it is cheap to implement on small devices. Devices publish messages to named topics on a central broker, and other clients subscribe to the topics they want to receive. Authentication (proving who a client is) and authorization (deciding which topics that client may read or write) are separate decisions, and MQTT leaves the second one entirely to how the broker is configured. When a broker is deployed without per-client topic restrictions, subscribing to a wildcard filter that covers every device is exactly as easy as subscribing to your own, and nothing on the wire looks unusual while it happens. DJI’s implementation essentially left the door not just unlocked, but propped open with a welcome mat.
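The check that was missing, shown as an added example (this is not DJI’s code and not from the original article): a broker-side authorization layer that decides, at SUBSCRIBE and PUBLISH time, which topics a client may touch based on the device its token is bound to. The topic layout devices/&lt;serial&gt;/…, the role names and the 14-digit serials are constructed assumptions for illustration; DJI’s real topic scheme is not described on this page. The `filter_covered` check is the important part: a wildcard request such as `#` or `devices/+/camera/#` has to be refused unless the client’s grant is itself that broad, because plain topic matching at delivery time comes too late.

```python
"""Topic-level authorization for an MQTT broker (added example; assumed topic layout)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    device_serial: Optional[str]  # serial bound to the token this client authenticated with
    role: str                     # "device", "owner" or "fleet_admin" (assumed role names)


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the remainder (zero or more levels)."""
    f, t = filter_.split("/"), topic.split("/")
    if t[0].startswith("$") and f[0] in ("+", "#"):
        return False  # per spec, wildcards never match $-prefixed system topics at the top level
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1  # '#' is only legal as the final level
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def filter_covered(acl: str, requested: str) -> bool:
    """True iff every topic that `requested` could match is also matched by `acl`."""
    a, r = acl.split("/"), requested.split("/")
    i = 0
    while i < len(a) and i < len(r):
        if a[i] == "#":
            return True            # the grant covers everything below this point
        if r[i] == "#":
            return False           # the request is broader than the grant
        if a[i] != "+" and a[i] != r[i]:
            return False           # literal mismatch, or '+' requested where a literal was granted
        i += 1
    if i < len(a):
        return a[i:] == ["#"]      # 'x/#' also covers the bare topic 'x'
    return i == len(r)


# Grants per role, instantiated with the serial the client's token is bound to (constructed scheme).
SUBSCRIBE_GRANTS = {
    "device": ["devices/{serial}/cmd/#"],
    "owner": ["devices/{serial}/telemetry/#", "devices/{serial}/camera/#", "devices/{serial}/map"],
    "fleet_admin": ["#"],
}
PUBLISH_GRANTS = {
    "device": ["devices/{serial}/telemetry/#", "devices/{serial}/camera/#", "devices/{serial}/map"],
    "owner": ["devices/{serial}/cmd/#"],
    "fleet_admin": ["#"],
}


def _grants(table, client: Client) -> List[str]:
    return [g.format(serial=client.device_serial) for g in table.get(client.role, [])]


def can_subscribe(client: Client, requested_filter: str) -> bool:
    return any(filter_covered(g, requested_filter) for g in _grants(SUBSCRIBE_GRANTS, client))


def can_publish(client: Client, topic: str) -> bool:
    if "+" in topic or "#" in topic:
        return False               # wildcards are illegal in a PUBLISH topic; reject rather than guess
    return any(topic_matches(g, topic) for g in _grants(PUBLISH_GRANTS, client))


def subscribers_receiving(topic: str, subscriptions: List[Tuple[Client, str]], enforce_acl: bool) -> Set[str]:
    """client_ids that would receive a message on `topic`; enforce_acl=False mimics the broker in the article."""
    receivers = set()
    for client, filt in subscriptions:
        if enforce_acl and not can_subscribe(client, filt):
            continue               # SUBACK carries a failure code; the subscription is never installed
        if topic_matches(filt, topic):
            receivers.add(client.client_id)
    return receivers


def demo(enforce_acl: bool) -> Set[str]:
    """Constructed scenario: an attacker holding one legitimate token asks for everyone's camera."""
    attacker = Client("app-attacker", "11111111111111", "owner")   # legitimately owns vacuum 1111...
    victim = Client("app-victim", "22222222222222", "owner")       # owns vacuum 2222...
    admin = Client("fleet-admin", None, "fleet_admin")
    subscriptions = [
        (attacker, "#"),                               # "give me everything"
        (attacker, "devices/+/camera/#"),              # "give me every camera"
        (victim, "devices/22222222222222/camera/#"),   # the legitimate owner
        (admin, "#"),
    ]
    return subscribers_receiving("devices/22222222222222/camera/frame", subscriptions, enforce_acl)


if __name__ == "__main__":
    print("no ACL  :", sorted(demo(enforce_acl=False)))   # attacker receives the victim's camera frames
    print("with ACL:", sorted(demo(enforce_acl=True)))    # only the owner and the fleet admin do
```

The design point is where the check runs: the broker evaluates it when the subscription is requested, using the identity it established at authentication, so a client that knows the topic naming scheme gains nothing from that knowledge. Real brokers expose the same idea as ACL files or authorization plugins; the logic above is what those plugins have to get right.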
The 14-Digit Serial Number That Changed Everything
To demonstrate the real-world severity of what he had found, Azdoufal used nothing more than a 14-digit serial number to locate a journalist’s vacuum from thousands of miles away. He confirmed it was sitting in the living room at 80% battery and generated an accurate map of the residence in real time. DJI had initially told reporters that the vulnerability was already patched; Azdoufal ran this live demonstration roughly thirty minutes after that statement. The company subsequently acknowledged a backend permission validation problem and confirmed that two patches were deployed in February. Additional issues, including a PIN bypass for camera feeds, reportedly remained unaddressed even after those patches.
The Robot Uprising: When Smart Devices Go Rogue
The DJI incident is alarming, but it is far from the strangest chapter in the ongoing saga of insecure connected devices. The history of IoT security failures reads less like a technical report and more like a collection of absurdist short stories.
Vacuum Cleaners with Potty Mouths
In May 2024, residents across several U.S. cities discovered their Ecovacs Deebot X2 robot vacuums had developed some colorful new personalities. Hackers remotely seized control of the devices, using built-in speakers to broadcast racial slurs and offensive language while chasing household pets around the room. A Minnesota lawyer’s vacuum began emitting strange noises before a stranger’s voice, described as sounding like a teenager, started shouting obscenities through the speaker. A similar incident unfolded in Los Angeles, where a vacuum pursued a dog while its new remote operator provided an enthusiastic commentary no one had asked for.
The root cause had been disclosed months earlier, at a security conference in December 2023. The vacuum’s PIN protection was checked only inside the mobile app, never by the device or the server. Anyone who talked to the backend without going through the official app therefore skipped the PIN entirely. Ecovacs attributed the incidents to credential stuffing and issued a patch it described as sufficient. Independent researchers disagreed, noting that the core architectural flaw remained: a PIN only protects anything if it is verified on the side that actually hands out the camera stream, not in a client the attacker can replace.
Smart Thermostats Turning Homes into Freezers
In late 2016, attackers hit the internet-connected heating control systems of two apartment buildings in Lappeenranta, Finland, with a distributed denial-of-service attack. The flood of traffic forced the controllers into endless reboot loops, effectively disabling the heating during freezing winter temperatures. Residents had no heat and no clear explanation for why their building’s systems had stopped responding. On the less dramatic but equally annoying end of the spectrum, attackers have remotely nudged smart thermostats to run up utility bills, making small incremental changes that go unnoticed until the monthly statement arrives.
The Aquarium That Broke a Casino
Perhaps the most improbable entry in the IoT hall of shame is the casino that was breached through a smart thermometer in a lobby fish tank, a case Darktrace first described in 2017 that made headlines in 2018. The thermometer was connected to the internet for remote monitoring, sat on the same flat network as everything else, and served as a perfectly functional entry point for attackers, who used it to reach a database of high-roller customers and pull the data out. Somewhere, a very sophisticated criminal spent their evening stealing data through a fish tank.
Baby monitors have provided their own share of unsettling moments. In documented incidents, hackers remotely repositioned nanny cameras away from cribs and toward doorways, essentially announcing their presence to parents entering the room. The devices were compromised, the families were unaware, and the only sign anything was wrong was a camera that seemed to have developed opinions about where to point itself.
Why Your Smart Coffee Maker Might Be Smarter Than Your IT Security
Behind every bizarre IoT hacking story is a set of recurring, preventable failures. Understanding them is the first step toward not becoming the next cautionary tale.
Default Passwords: The Gift That Keeps on Giving
The Mirai botnet, which emerged in 2016, infected over 600,000 IoT devices at its peak using nothing more sophisticated than a list of roughly 60 commonly used default username and password combinations. Credentials like “admin/admin” and “root/12345” were enough to recruit routers, cameras, and DVRs into a massive army that launched distributed denial-of-service attacks exceeding one terabit per second, taking down major websites and disrupting internet infrastructure across the United States and Europe. The source code was eventually leaked, spawning dozens of variants that continue to cause problems to this day. All of it, built on the foundation of manufacturers shipping devices with credentials that no one ever changed.
The DJI situation adds a modern twist to this problem. Beyond weak passwords, the issue was architectural: a message broker that treated all authenticated users as equally trusted, regardless of which device they actually owned. TLS encryption was active throughout the incident, meaning the data was encrypted in transit. But encryption only protects the channel, not the logic controlling who can access what. Locking your front door does not help if you hand a key to every visitor who asks.
When Security Through Obscurity Meets AI-Powered Curiosity
Security through obscurity is the practice of relying on hidden implementation details as a primary defense. The thinking goes: if attackers do not know how your system works, they cannot exploit it. This approach has always been fragile, but AI coding assistants have accelerated its collapse considerably. What Azdoufal accomplished in a weekend (decompiling an app, decoding its protocols, and building a custom client) previously required specialized expertise that most attackers did not have. That barrier no longer exists in the same way. Manufacturers who have been counting on complexity as a shield are finding that the shield is considerably thinner than it used to be.
Security by design, the alternative approach, builds protections that hold up even when an attacker fully understands how the system works. Proper access controls, server-side validation, and meaningful authentication are examples. They require more upfront investment, but they do not collapse the moment someone with an AI assistant decides to spend a Saturday afternoon poking at your product.
The Mirai Legacy: When 600,000 Devices Became Digital Zombies
Mirai did not just cause disruption in 2016; it established a template that attackers have refined and reused ever since. Modern variants have grown more sophisticated, exploiting specific firmware vulnerabilities rather than relying solely on default credentials. A November 2025 attack using the AISURU/Kimwolf botnet reportedly reached a record-breaking 31.4 terabits per second. The underlying lesson from Mirai has not changed: insecure devices connected to the internet at scale become weapons, and the original owners have no idea it is happening.
Protecting Your Business from the Robot Revolution
The good news is that protecting your organization from these risks does not require a security engineering degree. It requires consistent habits and a few deliberate configuration choices.
Network Segregation: Building Digital Moats
The single most effective step you can take is keeping your IoT devices off your primary business network. A compromised smart thermostat or conference room camera on a segmented guest network cannot reach your file servers, accounting systems, or employee workstations. Most modern routers support guest network configuration through a straightforward admin interface; make sure the option that isolates guest clients from the main LAN is actually turned on, because a guest SSID without it is just a second name for the same network. For businesses with more complex environments, VLANs provide stronger isolation at the network layer, with firewall rules between segments defining exactly what traffic can flow: typically the IoT segment gets outbound internet access for the vendor cloud and firmware updates, and nothing else.
Setting up a guest network for IoT devices generally involves the following steps:
- Log into your router’s admin panel using its local IP address.
- Navigate to the wireless or guest network settings section.
- Enable a separate SSID with a unique name that does not reveal your organization’s identity.
- Set WPA3 encryption, or WPA2 (AES) where a device cannot do WPA3, with a long passphrase that is not reused from the main network.
- Enable the option to block guest devices from accessing the main network.
- Connect all IoT devices to this network and verify they have internet access but cannot reach internal systems.
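The last step, verifying the isolation, is the one most often skipped. The script below is an added example, not from the original article: run it from a laptop or single-board computer joined to the IoT segment and it reports anything internal that is still reachable (a leak) and anything the devices need that is blocked (an outage). The hosts, ports and the expectation table are constructed placeholders; substitute your own file server, directory server, workstations and router address.

```python
"""Verify that an IoT guest network / VLAN actually isolates devices from internal systems (added example)."""
import socket
from typing import Callable, List, Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, no route, timed out, or name resolution failed
        return False


# (label, host, port, expected_reachable_from_iot_segment); addresses are constructed placeholders
EXPECTATIONS: List[Tuple[str, str, int, bool]] = [
    ("vendor cloud / firmware updates", "example.com", 443, True),   # the devices need the internet
    ("internal file server (SMB)", "192.168.10.20", 445, False),
    ("internal web app", "192.168.10.30", 443, False),
    ("employee workstation (RDP)", "192.168.10.50", 3389, False),
    ("router admin interface", "192.168.10.1", 443, False),           # guests should not see this either
]


def audit_segmentation(expectations, probe: Callable[[str, int], bool] = probe_tcp):
    """Return (leaks, outages): leaks are internal targets that ARE reachable,
    outages are targets that should be reachable but are not."""
    leaks, outages = [], []
    for label, host, port, should_reach in expectations:
        reachable = probe(host, port)
        if reachable and not should_reach:
            leaks.append(label)
        elif should_reach and not reachable:
            outages.append(label)
    return leaks, outages


def segmentation_ok(expectations, probe: Callable[[str, int], bool] = probe_tcp) -> bool:
    leaks, outages = audit_segmentation(expectations, probe)
    return not leaks and not outages


if __name__ == "__main__":
    leaks, outages = audit_segmentation(EXPECTATIONS)
    for label in leaks:
        print(f"LEAK   : {label} is reachable from the IoT segment")
    for label in outages:
        print(f"OUTAGE : {label} is not reachable; devices on this segment will fail")
    print("segmentation OK" if not leaks and not outages else "segmentation needs attention")
```

A TCP connect is a deliberately crude probe: it only proves that the firewall lets the handshake through, which is exactly the question. Run it again after every router firmware update or rule change, since guest isolation settings have a habit of quietly resetting.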
The LiDAR vs Camera Privacy Showdown
If robot vacuums are part of your office environment, the choice between LiDAR-based navigation and camera-based navigation carries real privacy implications. LiDAR systems use laser sensors to measure distances and generate spatial maps without capturing any visual imagery. Camera-based systems process actual images for navigation, which means they can incidentally capture people, documents, whiteboards, and other sensitive content. For most cleaning tasks, LiDAR navigation performs comparably to camera-based systems and does so without creating a visual record of your workspace. Many high-end models now combine both technologies, which reintroduces the camera privacy concerns even if the primary navigation is laser-based.
Firmware Updates and the Art of Digital Hygiene
Firmware updates are the least glamorous part of device security and the most frequently neglected. Manufacturers do release patches for serious vulnerabilities, but a device running outdated firmware stays exposed to issues that have already been publicly disclosed, and publicly disclosed flaws are precisely the ones attackers scan for. Turn on automatic updates wherever a device supports them, and build a simple quarterly review into your IT maintenance schedule that checks for firmware updates across all connected devices and flags anything the manufacturer no longer supports. It takes less than an hour and closes gaps that would otherwise stay open indefinitely.
Before any new connected device enters your network, spend a few minutes researching its security track record. Look for whether the manufacturer responds to vulnerability disclosures, whether it has a history of issuing timely patches, and whether independent researchers have flagged concerns. A device that costs slightly more from a manufacturer with a responsible security posture is a considerably better investment than a cheaper alternative from a company that ignores coordinated-disclosure requests, whether they come from independent researchers or from government agencies. Your network will thank you, and so will your robot vacuum, assuming it stays on your side.