A Spanish software engineer in Barcelona decided to have a little fun with his vacuum cleaner. What could possibly go wrong?
Sammy Azdoufal’s weekend project sounded harmless enough: connect his PS5 controller to his DJI Romo vacuum so he could steer it around the house like a remote-controlled car. Because, naturally, if you can defeat a boss in Elden Ring, you should be able to defeat dust bunnies too.
To pull this off, Azdoufal enlisted the help of an AI coding assistant called Claude Code. The plan was simple — reverse-engineer how the vacuum talked to its cloud servers, slip in some custom commands, and enjoy the world’s most overqualified toy car.
Instead, he accidentally unlocked something far more impressive — and far more alarming.
By extracting credentials meant only for his own device, Azdoufal stumbled onto a backend security flaw that didn’t just give him control of his vacuum. It opened the digital doors to roughly 7,000 similar devices across 24 countries. Live camera feeds. Microphone audio. 2D floor plans. Precise locations.
All of it accessible with nothing more exotic than a 14-digit serial number.
He hadn’t hacked into DJI’s servers in the Hollywood sense — no dark hoodie, no neon code raining down the screen. He had simply followed the logic, assisted by AI, and the system quietly handed over the keys.
To his credit, Azdoufal reported the vulnerability to DJI, which says it has fixed the issue, though he maintains some gaps remain.
The episode is both amusing and unsettling. On one hand, it shows how a hobbyist armed with curiosity and a helpful AI assistant can build something creative and fun. On the other, it demonstrates how that same “augmented curiosity” can expose structural weaknesses in consumer tech.
Home robots are increasingly popular, cheerfully mapping living rooms and peeking under sofas. But those same cameras and microphones also sit at the intersection of convenience and risk. If a playful experiment can reveal such sweeping access, the implications for bad actors are obvious.
As Cassie Kozyrkov, Google’s first Decision Scientist, has noted, systems built to withstand ordinary human curiosity may not be prepared for curiosity with a turbocharger.
And in 2026, that turbocharger increasingly comes pre-installed.
