www.malwarebytes.com 2/17/2026, 11:15:11 AM

Hobby coder accidentally creates vacuum robot army

Primary Source theverge.com

On 17 February 2026, a hobby coder used Anthropic’s Claude Code AI coding assistant to reverse-engineer a DJI Romo’s communication protocols and access its authentication token. Sammy Azdoufal’s homebrew app then connected to DJI’s servers, enabling roughly 7,000 robot vacuums across 24 countries to answer commands and expose live camera feeds, onboard microphones, and floor plans of homes he had not visited.

The incident extended to DJI’s Power portable battery stations, which run on the same MQTT infrastructure and also appeared in the exposed traffic. The root cause was a technically basic failure: DJI’s MQTT message broker had no topic-level access controls, allowing traffic from other devices to be viewed in plaintext once authenticated with a single device token.
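The missing control described above, sketched as an added example (not code from DJI, The Verge, or the original article): a broker-side subscription check that confines each authenticated device to its own topic subtree. The `devices/<device_id>/...` topic layout, the device IDs, and the function names are assumptions made for illustration.

```python
# Added example. The topic layout "devices/<device_id>/..." is hypothetical;
# the page does not describe the vendor's real topic names.
ALLOWED_TEMPLATES = ("devices/{device_id}/#",)


def filter_is_subset(requested: str, allowed: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`."""
    req, alw = requested.split("/"), allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":
            return True            # allowed covers this level and everything below
        if i >= len(req):
            return False           # requested is shorter than a non-'#' allowed filter
        r = req[i]
        if r == "#":
            return False           # requested is broader than allowed
        if a != "+" and r != a:
            return False           # '+' or a different literal where a literal is required
    return len(req) == len(alw)


def authorize_subscribe(device_id: str, requested: str) -> bool:
    """device_id must come from the verified token, never from the client's request."""
    if not device_id or any(c in device_id for c in "/+#"):
        return False               # identity must not contain topic metacharacters
    return any(
        filter_is_subset(requested, t.format(device_id=device_id))
        for t in ALLOWED_TEMPLATES
    )


# Constructed subscription requests from one authenticated device, "vac-001".
SAMPLE_REQUESTS = [
    "devices/vac-001/status",      # own telemetry
    "devices/vac-001/#",           # own subtree
    "devices/vac-002/camera",      # another device
    "devices/+/status",            # every device's status
    "#",                           # everything on the broker
]


def evaluate(device_id: str = "vac-001") -> dict:
    return {f: authorize_subscribe(device_id, f) for f in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for topic_filter, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {topic_filter}")
```

The check compares filters rather than concrete topics, because a subscription containing `+` or `#` has to be rejected at subscribe time unless it is entirely contained in the device's own subtree.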

In reporting the breach, The Verge highlighted that Azdoufal could pinpoint the Verge journalist’s own robot and verify details such as its location and battery level. The article notes that AI coding tools are lowering the bar for probing IoT protocols, expanding the pool of potential attackers and increasing concerns about security through obscurity.

According to The Verge, regulators are responding with measures such as the EU’s Cyber Resilience Act and the UK’s PSTI Act, aiming to tighten security for connected devices.


Article by CyberSIXT