DJI Romo security flaw: logical isolation failure on a multi-tenant MQTT bus
In February 2026, the DJI Romo vacuum robot, a notable entry for the brand into the smart home market, became the center of a critical vulnerability. Far from a complex intrusion, the incident stemmed from a server-side authorization failure (BOLA) within the cloud architecture. Approximately 7,000 devices across 24 countries had their technical data and video feeds exposed.
This case, uncovered by developer Sammy Azdoufal and documented by The Verge, highlights a structural paradox: the security of connected objects depends less on their firmware than on the rigor of the Access Control Lists (ACLs) within their server infrastructure.
Accidental discovery through SDK hijacking
Originally, Sammy Azdoufal simply wanted to control his robot using a PlayStation 5 controller. By analyzing the network communications between the device and the DJI Cloud API infrastructure, he identified a breach in permission isolation.
As explained by The Verge, using his own legitimate authentication token allowed him to query resources linked to third-party devices.
Within minutes, roughly 7,000 active robots were identified. Accessible data included:
- Serial numbers (SN) and battery status
- Approximate IP addresses and 2D floor plans
- Access to live video feeds, occasionally bypassing PIN code validation
The presence of a built-in microphone heightened privacy concerns. This intrusion demonstrates that while the “pipe” (TLS) was encrypted, the control over what flowed through it was fundamentally flawed.
Anatomy of the flaw: Broken Object Level Authorization (BOLA)
The protocol used by the DJI Romo is MQTT (Message Queuing Telemetry Transport), an IoT standard favored for its lightweight nature. However, it is important to clarify: the protocol itself is not vulnerable. The failure originated from its server-side implementation.
Topic structure and logical isolation
In DJI’s architecture, each device communicates via “topics” segmented by serial number (SN). According to the Cloud API documentation, the typical structure is as follows:
thing/product/{device_sn}/osd
thing/product/{device_sn}/state
The major technical error lay in the management of wildcards. An authorized client should only have access to topics corresponding to their own {device_sn}. Instead, the server configuration allowed subscriptions to feeds beyond the authorized perimeter.
Authentication vs. Authorization
The system correctly validated the user’s identity (Authentication) but failed to restrict their scope of action (Authorization).
This textbook case of BOLA on a message bus serves as a reminder that the robustness of a distributed system is only as strong as its ACL granularity, a point we previously analyzed in our report on the integration challenges of the MCP protocol, where the protocol layer was not at fault, but rather its implementation.
Video feeds and PIN bypass: superficial security
One of the most critical points involved camera access. Although the DJI app offers PIN protection for viewing live feeds, the backend did not systematically validate this proof before opening a WebRTC or RTSP session.
By exploiting MQTT credentials, a user could directly request the robot’s media streaming services. This design flaw illustrates a classic problem: interface-side validation is insufficient if the backend does not enforce it.
DJI acknowledged a server-side permission validation issue and deployed patches on February 8 and 10, 2026.
Remediation analysis: a backend-only fix
A key technical detail confirms the server-side origin of the flaw: no firmware update for the robot was required.
The remediation took place entirely within the infrastructure:
- Reconfiguration of MQTT brokers
- Hardening of the Cloud API
- Strict token-to-serial-number mapping
- Middleware rule updates
This type of intervention is comparable to the isolation mechanisms we detail in our analysis of securing agentic environments, where access governance constitutes the first line of defense.
Centralized Cloud vs. Edge computing: a structural debate
The DJI Romo affair revives a central IoT security question: why route video feeds and laser mapping through a third-party server when the processing could remain local?
In the centralized Cloud approach:
- Video feeds pass through a remote broker
- 2D plans are stored in the global infrastructure
- An ACL error can have a global impact
Conversely, an Edge computing or Local-first architecture limits the attack surface:
- Local image processing
- P2P encrypted tunnels
- Reduction of the cloud’s role to mere signaling
This model significantly reduces the risk of systemic leaks in the event of an authorization failure.
Toward architectural security, beyond firmware
The DJI Romo incident should be viewed as a strong signal: IoT security no longer relies solely on TLS encryption or embedded firmware.
It requires:
- Granular logical isolation
- Principle of least privilege
- Zero Trust backend validation
- Network segmentation
In a multi-tenant world where thousands of objects share the same cloud infrastructure, a single ACL error can expose an entire fleet of devices.
FAQ: Securing your domestic IoT ecosystem
How can I check if my DJI Romo is protected?
Since the fix was applied server-side on February 10, 2026, no manual action is required on the robot. However, ensure your DJI application is up to date.
Why wasn’t TLS encryption enough?
TLS protects the transport layer. In this case, the user had a valid token, but the server failed to correctly verify the authorization associated with the requested object.
Is there a “Local only” mode?
Most features depend on the Cloud API. To strengthen your security:
- Create a dedicated VLAN for IoT objects
- Use a guest Wi-Fi network
- Disable UPnP if it is not required
Your comments enrich our articles, so don’t hesitate to share your thoughts! Sharing on social media helps us a lot. Thank you for your support!
