
Friday, February 20, 2026

The Trojan Horse in Our Homes: When the “Smart” Vacuum Costs More Than Money

For centuries, the story of the Trojan Horse has served as a warning about gifts that carry hidden enemies. Today, that metaphor feels disturbingly literal: in many homes, the “horse” is no longer free, and it may be watching, listening, and mapping our private spaces in real time. A recent report by The Verge about a security researcher’s accidental discovery inside DJI’s Romo robot vacuum illustrates how modern smart devices can become Trojan‑style backdoors into our lives.

Spanish engineer Sammy Azdoufal did not set out to hack the world’s robot vacuums. He simply wanted to control his newly bought DJI Romo with a PS5 controller, so he wrote his own remote‑control app and reverse‑engineered DJI’s communication flow. When his app connected to DJI’s servers, however, it did not see just his device. Instead, it received live data from roughly 7,000 Romo units around the world, suddenly turning him into an unintended “commander” of thousands of strangers’ household robots.

In his tests, Azdoufal was able to remotely move the vacuums, view live camera feeds, and even hear audio from their microphones. He could watch each robot build detailed 2D floor plans of homes and use IP addresses to approximate their locations. He described extracting only his own private authentication token—the key that tells the server “you are allowed to see your data”—yet the server handed over other people’s data as well. “My device was just one in an ocean of information,” he said, revealing how easily one user’s access could bleed into everyone else’s.

During a live demonstration, his laptop received MQTT messages from thousands of devices every three seconds: serial numbers, which room was being cleaned, distance travelled, whether the robot was returning to its dock, and what obstacles it had encountered. In just nine minutes, he catalogued about 6,700 units across 24 countries, logging more than 100,000 messages. When he included DJI Power power banks connected to the same servers, the visible device count exceeded 10,000. By typing in a 14‑digit serial number, he could pull up a colleague’s Romo in another country, see it cleaning the living room, check its 80% battery, and watch it map the home layout in real time.

After Azdoufal alerted the media, DJI moved quickly. By Tuesday, he could no longer control other people’s Romos or view live video or microphone feeds. By Wednesday morning, even his own device disappeared from his scanner, suggesting that DJI had closed the main leak. Yet the episode raised serious questions about DJI’s security and data governance: if a curious engineer could stumble on a flaw exposing thousands of devices, what could a malicious actor do? And why does a vacuum cleaner need a microphone at all?

DJI later acknowledged that the core issue lay in backend permission validation—how devices and servers manage access via MQTT‑based communication. The company said it had internally detected the vulnerability in late January, rolled out an initial patch on February 8, and completed a second update on February 10, claiming the problem was fully resolved without user action. DJI also denied that data was transmitted unencrypted, insisting that Romo communicates with servers over TLS. However, researchers point out that even with encrypted channels, poor topic‑level permission controls can still allow an authorized client to see messages from many unrelated devices. Encryption protects the pipe, not the permissions inside the system.
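To make the distinction between a secured channel and per-device permissions concrete, here is an added illustration (my own code, not DJI's): a broker-side subscription authorizer. It assumes a hypothetical topic layout of `devices/<serial>/<channel>`, a session that has already passed TLS and token checks and is bound to the serials its account owns, and a small constructed fleet; the weak authorizer beside the topic-level one shows why an encrypted, authenticated connection alone does not stop one client from receiving every device's messages.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Assumed (hypothetical) topic layout, not DJI's: devices/<serial>/<channel>
# Constructed sample fleet: three devices belonging to different customers.
FLEET_TOPICS = ["devices/SN0001/status", "devices/SN0001/map",
                "devices/SN0002/status", "devices/SN0002/map",
                "devices/SN0003/status"]

@dataclass
class Session:
    """Broker session after TLS and token checks: the pipe is already secured."""
    client_id: str
    owned_serials: set[str] = field(default_factory=set)

def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT matching: '+' is one level, '#' is all remaining levels."""
    flt, parts = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(flt):
        if level == "#":
            return True
        if i >= len(parts) or (level != "+" and level != parts[i]):
            return False
    return len(flt) == len(parts)

def authorize_subscribe_weak(session: Session, topic_filter: str) -> bool:
    """Failure mode: being authenticated is treated as being authorized, so
    one client subscribing to 'devices/#' receives every device's messages."""
    return bool(session.client_id) and bool(topic_filter)

def authorize_subscribe(session: Session, topic_filter: str) -> bool:
    """Topic-level check: the serial level must be a literal serial this session
    owns; a wildcard there ('devices/+/status', 'devices/#') is denied."""
    parts = topic_filter.split("/")
    if len(parts) < 3 or parts[0] != "devices":
        return False
    serial = parts[1]
    if serial in ("+", "#") or "#" in parts[2:-1]:  # '#' is legal only as last level
        return False
    return serial in session.owned_serials

def delivered_serials(session: Session, topic_filter: str,
                      authorizer: Callable[[Session, str], bool]) -> set[str]:
    """Serials whose messages the subscription would actually stream to the client."""
    if not authorizer(session, topic_filter):
        return set()
    return {t.split("/")[1] for t in FLEET_TOPICS if topic_matches(topic_filter, t)}
```

Swapping the authorizer is the whole difference: with the weak one, a single owner of SN0001 subscribing to `devices/#` is handed all three customers' serials; with the topic-level one, the same subscription is refused and only `devices/SN0001/#` delivers anything.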

Azdoufal noted that other vulnerabilities remain, such as being able to view his own Romo’s video stream without entering a security PIN, and at least one more serious flaw he chose not to disclose. DJI said it would address these issues within the week.

The real story here is not just a bug in one product line; it is a pattern. Many of today’s “smart” home devices come pre‑installed with cameras, microphones, and cloud connectivity, sold as conveniences but capable of functioning as surveillance tools. The Trojan Horse in our homes is no longer a wooden gift left at the gate; it is a sleek, branded appliance we willingly plug in ourselves, pay for, and invite into our bedrooms and living rooms. This time, the horse is not even free—and its price may be measured not in gold, but in privacy.