A programmer discovers a bug that gives access to 7,000 homes in 24 countries

It all started as a simple attempt to pilot a robot vacuum cleaner with a PlayStation 5 controller. Connected home security experienced one of its most critical moments when Sammy Azdoufal, a Spanish programmer, discovered that his new DJI Romo device was not just an appliance, but a gateway to thousands of other people's homes. DJI’s cloud servers recognized his security token as a “master key” and within minutes, Azdoufal found himself with potential control of 7,000 units spread across 24 countries, getting unlimited access to cameras, microphones and house floor plans.

The origin of the problem lies in incorrect management of permissions in the platform backend, specifically in communication based on the MQTT (Message Queuing Telemetry Transport) protocol. This system, a mainstay of communication between IoT devices and servers, lacked adequate access controls, allowing an authenticated user to read the traffic of other devices in the clear. The consequences for privacy have been described as “disturbing”: Azdoufal managed to locate an international journalist’s device, produce an accurate map of his apartment and activate live video, all without the victim receiving any notification or request for authorization.
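The missing control described above is a broker-side check that every MQTT subscription stays inside the devices bound to the authenticated account. The following is an added example, not DJI's code; the `devices/<device_id>/...` topic layout and the device IDs are assumptions made for illustration.

```python
# Added example: per-device authorization of MQTT SUBSCRIBE filters.
# Assumption: topics look like "devices/<device_id>/<channel...>"; the
# article does not describe the vendor's real topic names.

def validate_filter(topic_filter: str) -> list[str]:
    """Split an MQTT topic filter and enforce the wildcard syntax rules."""
    if not topic_filter:
        raise ValueError("empty topic filter")
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError("'#' must be the whole last level")
        if "+" in level and level != "+":
            raise ValueError("'+' must occupy a whole level")
    return levels


def authorize_subscribe(owned_devices: set[str], topic_filter: str) -> bool:
    """Allow a filter only if every topic it can match belongs to a
    device bound to the authenticated account."""
    try:
        levels = validate_filter(topic_filter)
    except ValueError:
        return False
    # The root and the device id must both be literals: a wildcard in
    # either position would also match other customers' devices.
    if len(levels) < 2 or levels[0] != "devices":
        return False
    device_id = levels[1]
    if device_id in ("+", "#"):
        return False
    return device_id in owned_devices


def audit(owned_devices: set[str], filters: list[str]) -> dict[str, bool]:
    """Return the allow/deny decision for each requested filter."""
    return {f: authorize_subscribe(owned_devices, f) for f in filters}


# Constructed sample: one account that owns a single (hypothetical) device.
SAMPLE_OWNED = {"romo-0001"}
SAMPLE_FILTERS = ["devices/romo-0001/#", "devices/+/camera",
                  "devices/romo-0002/map", "#"]

if __name__ == "__main__":
    for flt, ok in audit(SAMPLE_OWNED, SAMPLE_FILTERS).items():
        print(("ALLOW" if ok else "DENY "), flt)
```

A valid token alone never widens the scope: only the first sample filter is allowed, and the check has to run on every SUBSCRIBE, not only at connection time.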

“I discovered that my device was just one in an ocean of devices,” Azdoufal explained to The Verge, an authoritative US technology newspaper, specifying that he had not carried out any aggressive hacking operations: “I didn’t break any rules. I didn’t override any systems, crack anything, or use brute force or anything else.” The vulnerability was not limited to vacuum cleaners alone, as the system also exposed diagnostic data from portable charging stations of the same brand. Although DJI said it fixed the flaw with two updates between February 8 and 10, 2026, its handling of the crisis has raised questions about company transparency, as the system was still vulnerable hours after the official reassurances provided to the press.

In addition to the specific bug, the question of data retention remains open. Azdoufal also reportedly had access to a great deal of other sensitive information stored on DJI servers in “plain text” format, which leaves it vulnerable to any intrusion into the central databases. This story is part of a climate of strong regulatory tension for DJI: the Chinese giant was recently included in the US FCC’s Covered List, a move that prevents the authorization of new products in the US for national security reasons. Although the company legally challenged this decision on February 20, 2026, incidents such as the one involving the Romo model risk weakening the brand’s defensive position in institutional settings.

At the end of the investigation, DJI acknowledged the severity of the report by rewarding Azdoufal with $30,000 through its bug bounty program. However, some residual vulnerabilities remain to be resolved that would still allow videos to be viewed without the mandatory security PIN, a flaw that the company promises to permanently fix within a few weeks.

By Editor
