Hacking a Robot Vacuum
Someone tries to remote control his own DJI Romo vacuum, and ends up controlling 7,000 of them from all around the world.
The IoT is horribly insecure, but we already knew that.
Clive Robinson • March 19, 2026 10:10 AM
@ Bruce, ALL,
With regards,
“The IoT is horribly insecure, but we already knew that.”
It’s not what “we already knew”, it’s about what the many others don’t know that really matters.
The reality is that “vibe coding” is heading toward IoT devices near you any time soon… And with them spread far and wide, security will be even worse for everyone…
I guess the real question will be,
“How long before the Internet is unusable, due to the proliferation of junk code on junk hardware?”
Rontea • March 19, 2026 10:59 AM
This isn’t some edge case—it’s the predictable result of shipping connected products with minimal authentication, insecure communication protocols, and no meaningful patching strategy.
The industry keeps racing to connect everything to the Internet, from vacuums to refrigerators, and the result is a global network of vulnerable devices waiting to be abused. We’ve known this for years, and yet the market rewards speed and low cost over security. Until manufacturers are held accountable—and until regulation enforces baseline security standards—these kinds of hacks will only get worse.
Bernie • March 19, 2026 11:17 AM
Someone correct me if I’m wrong.
The article’s sub-headline-thing reads, “The immediate threat may be fixed, but this raises serious questions.” What serious questions does it raise (that haven’t already been raised long enough ago)? Or am I reading too much into that sentence? Is it more clickbait than anything?
lurker • March 19, 2026 1:36 PM
@Bernie, Clive Robinson
You must be as old as me. @Clive said it above:
“it’s about what the many others don’t know that really matters.”
We know that putting a vacuum cleaner on the internet is a daft idea fraught with peril. But the Verge article observes:
“… it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.” [emphasis added]
I expect Azdoufal and many readers of this blog could build their own VPN to control their cleaner from outside their home. But for the average user … So one of the serious questions raised is,
Should IoT makers give users what they want, or what they need? Note that what they need (security, privacy) will cost more than just what they want.
John • March 19, 2026 2:30 PM
IoT devices with internet access are utter nonsense.
The IoT makers could provide an app that runs locally and talks to the IoT devices, inside the firewall. They can poll for instructions from the cloud.
Then we would be discussing security bugs in the app. Security bugs in an app aren’t new, of course, but they are far easier to patch.
Wow • March 19, 2026 6:01 AM
Pretty impressive screwup for a company like DJI. Interesting read! Somehow I’m first