As a smart home reviewer, I love the connected home. My house is full of connected devices, from thermostats to ovens to lighting and robots (lawnmowers and vacuum cleaners). They all make my life easier and better, but even I’m a little shaken by the latest hack.
As reported by The Verge, Sammy Azdoufal accidentally hacked almost 7000 DJI Romo vacuum cleaners, gaining full remote control of them. Azdoufal used the AI-powered Claude Code to reverse engineer DJI’s protocols so that he could remotely control his robot with a PS5 controller.
But his remote control app ended up talking to the entire install base of DJI Romo vacuum cleaners. At this point, every robot could be remotely controlled and camera feeds could be viewed, bypassing the PIN lock that’s in place.
The flaw lay in the access token. Azdoufal extracted the token used to access his own device, but the same token also gave him access to every other device. The security issue was reported to DJI and has now been closed, but this incident should be seen as a warning shot across the bows.
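The failure described above is a token that proves who is calling but is never bound to which device is being commanded. As an added illustration (not DJI’s code; the token format, claim names and signing key are constructed for the example), here is a minimal signed-token check in the broken form next to the device-bound form:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key for the demo (not a real key).
SECRET = b"constructed-demo-signing-key"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_token(user_id: str, device_id: str) -> bytes:
    """Issue a token whose audience ('aud') is the single device it may drive."""
    claims = {"sub": user_id, "aud": device_id, "exp": int(time.time()) + 3600}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    return body + b"." + sig


def verify(token: bytes):
    """Return the claims if the signature is valid and unexpired, else None."""
    body, _, sig = token.partition(b".")
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + b"=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] < time.time():
        return None
    return claims


def authorize_vulnerable(token: bytes, requested_device: str) -> bool:
    """Broken check: only asks 'is this a valid token?', so a token issued for
    one robot is accepted for a command aimed at any robot in the fleet."""
    return verify(token) is not None


def authorize_fixed(token: bytes, requested_device: str) -> bool:
    """Fixed check: the device named in the command must be the token's audience."""
    claims = verify(token)
    return claims is not None and hmac.compare_digest(claims["aud"], requested_device)
```

The same principle applies to any per-device API: validate the signature, then confirm the token was issued for the exact resource in the request before acting.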
Problems are likely to get worse
There have been hacks in the past. According to Kaspersky, several Ecovacs robot vacuum cleaners were hacked into, with video feeds activated, racial slurs emitted from the integrated speakers, and a pet chased around.
That attack was entirely malicious; the scary thing about the DJI situation is that Azdoufal was just trying to remotely control his own vacuum cleaner. And, in this case, Claude Code helped with the token access that opened up DJI’s systems.
AI in the hands of people deliberately trying to break into systems makes for very scary reading. Vibe coding makes it easy to generate complex code with a few prompts and to modify and experiment with different approaches quickly. The potential for AI being used to create lots of malicious code seems almost limitless.
With the kinds of devices that we have now, limiting exposure is almost impossible. Smart devices work through cloud connections because it makes them easier to set up and easier to control.
In the case of robot vacuum cleaners, the cameras aren’t just a nice accessory to see what’s going on; they’re an essential part of how the system works, used for additional navigation aid, and to spot and avoid obstacles. You can’t just cover up these cameras for privacy, as you’ll hamstring the product.
Nor can you disconnect them from the internet and cloud services without losing advanced control, map editing and remote control.
It’s not just about privacy
Although the DJI Romo hack has a privacy element to it, via remote camera viewing, there are other dangers. One hacked device can be used as a springboard to get into other devices.
In the case of robots, there are other threats. A remote-controlled robot could be used to bash into a table and smash a vase. Potentially, a hacked robot could be made to throw itself down the stairs.
And what about other smart devices? I can turn my oven on remotely, which is useful for setting it before I get home, so I can cook immediately. A hacked system would mean that someone else could do the same, and rack up a huge energy bill. Likewise, a smart heater could be turned on to maximum, costing a fortune in electricity.
It all sounds far-fetched until the day it isn’t.
Should local modes be an option?
The other issue that we’ve seen with smart devices that rely on a cloud connection is that they can be bricked when a company goes bust or, as with Belkin WeMo devices, a product line is discontinued.
Perhaps it’s time for many smart devices to come with a mandatory local mode, where they’d only respond to commands from a device on the same network via an established, secure connection.
That way, a device could be managed from home, regardless of the status of the cloud connection. That would be good in the event of a cloud outage, but also good in the event a company went bust.
Things like firmware updates could be checked for via the app and applied manually when required.
Sure, remote features wouldn’t work, so this wouldn’t be good for security cameras, but for many smart devices, the security-conscious person may well accept the downsides in exchange for more peace of mind.