News For You

Glitch With Chinese Tech Exposes Live Feeds And Floor Plans From American Homes

A security vulnerability in a cloud system tied to a Chinese technology company briefly exposed live camera feeds, microphones, and detailed interior maps from thousands of homes around the globe.

The issue involved DJI’s $2,000 Romo robot vacuum — an internet-connected device equipped with cameras and sensors capable of mapping entire homes in real time. According to reports, a backend permission-validation flaw allowed a single device credential to grant access to nearly 7,000 machines operating across 24 countries.

Rather than isolating authentication to one device, the cloud servers reportedly treated the credential as authorized across a broad fleet of robots. That meant an authenticated user could access live video feeds, activate microphones, and compile two-dimensional floor plans generated by the devices.

During a live demonstration described in reporting on the incident, thousands of devices allegedly began appearing on a global map within minutes. Serial numbers populated. Floor plans rendered. Locations surfaced across continents.

“Roughly 7,000 of them, all around the world, began treating [the researcher] like their boss,” one account stated, describing how the devices appeared to grant administrative-level visibility.

DJI said it identified the vulnerability during an internal review in late January and moved quickly to deploy fixes. An initial patch was rolled out automatically on February 8, followed by a second update on February 10. The company characterized the flaw as a backend permission-validation issue and stated that no user action was required to secure affected devices.

While DJI says the specific vulnerability has been resolved, cybersecurity experts note that the episode highlights broader architectural risks associated with centralized cloud systems. Once a user is authenticated within certain messaging frameworks — such as MQTT brokers — improperly configured topic-level permissions can allow access to device communications at the application layer, even if encryption like TLS is in place. Encryption protects data in transit, but it does not prevent overly broad internal permissions from exposing sensitive information once inside the system.
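The topic-level permission problem described above can be shown with a small model of broker-side authorization that compares a fleet-wide rule with one bound to the authenticated device. This is an added example, not DJI's code or configuration; the `robots/<serial>/...` topic layout, the serial numbers and the `{serial}` placeholder are assumptions made for illustration.

```python
# Added illustration. Topic layout, serials and the {serial} placeholder are constructed.

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, a trailing '#' matches the rest."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1  # '#' is only valid as the final level
        if i >= len(t_levels):
            return False
        if p != "+" and p != t_levels[i]:
            return False
    return len(p_levels) == len(t_levels)

def may_read(acl, serial, topic):
    """Broker-side check: may the client authenticated as `serial` read `topic`?"""
    # An identity containing wildcards or separators would widen the pattern.
    if not serial or any(c in serial for c in "+#/"):
        return False
    return any(topic_matches(p.replace("{serial}", serial), topic) for p in acl)

def visible_devices(acl, serial, topics):
    """Serials whose traffic one credential can read under the given ACL."""
    return sorted({t.split("/")[1] for t in topics if may_read(acl, serial, t)})

def overbroad_patterns(acl):
    """Audit helper: patterns not bound to the caller's own identity."""
    return [p for p in acl if "{serial}" not in p]

# Weak: every authenticated client may read the whole fleet's topics.
WEAK_ACL = ["robots/#"]
# Scoped: each credential is confined to its own device subtree.
SCOPED_ACL = ["robots/{serial}/#"]

# Constructed sample of topics carried by the broker.
FLEET_TOPICS = [
    "robots/SN-0001/camera", "robots/SN-0001/map",
    "robots/SN-0002/camera", "robots/SN-0003/map",
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("scoped", SCOPED_ACL)):
        print(name, visible_devices(acl, "SN-0001", FLEET_TOPICS), overbroad_patterns(acl))
```

Both rule sets would sit behind the same TLS session and the same valid credential; only the scoped rule limits what that credential can read.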

There is no evidence that the vulnerability was maliciously exploited. However, the scale of potential access has intensified scrutiny.

Interior mapping data generated by smart home devices extends beyond cleaning telemetry. These systems create detailed digital layouts of private living spaces — including bedrooms, hallways, and entry points. When such data is aggregated and routed through centralized cloud infrastructure, especially infrastructure operated by foreign-based firms, questions arise about data governance, oversight, and legal jurisdiction.

DJI equipment has faced previous restrictions in certain U.S. federal environments due to concerns surrounding data security and foreign access risks. Lawmakers in Washington have long debated the implications of foreign-connected hardware embedded in American infrastructure.

This incident is likely to add fuel to that discussion. As smart home devices become more sophisticated — and more deeply integrated into daily life — the architecture behind them becomes just as consequential as the hardware itself.
