Hobby coder accidentally creates vacuum robot army
2026-2-17 10:20:49 Author: www.malwarebytes.com (view original)

Sammy Azdoufal wanted to steer his robot vacuum with a PS5 controller. Like any good maker, he thought it would be fun to drive a new DJI Romo around manually. He ended up gaining access to an army of robotic cleaners that gave him eyes into thousands of homes.

Driven by purely playful reasons, Azdoufal used Anthropic’s Claude Code AI coding assistant to reverse-engineer his Romo’s communication protocols. But when his homebrew app connected to DJI’s servers, roughly 7,000 robot vacuums across 24 countries started answering.

He could watch their live camera feeds, listen through onboard microphones, and generate floor plans of homes he’d never visited. With just a 14-digit serial number, he pinpointed a Verge journalist’s robot, confirmed it was cleaning the living room at 80% battery, and produced an accurate map of the house from another country.

The technical failure was almost comically basic. DJI’s MQTT message broker had no topic-level access controls. Once you authenticated with a single device token, you could see traffic from other devices in plaintext.
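The missing control is easy to state as a broker authorization rule. The following is an added illustration, not DJI’s code: it assumes a `devices/<serial>/...` topic layout and a token-to-serial mapping, and compares what one authenticated token can subscribe to without and with a per-device topic ACL, including wildcard filters that would span other devices.

```python
"""Added example: per-device MQTT topic authorization. Topic layout and
token-to-serial map are assumptions, not DJI's real scheme."""

# Constructed sample: which device serial each authenticated token belongs to.
TOKEN_TO_SERIAL = {
    "tok-aaa": "SERIAL00000000A",
    "tok-bbb": "SERIAL00000000B",
}

# Constructed sample of topics that exist on the broker.
KNOWN_TOPICS = [
    "devices/SERIAL00000000A/status",
    "devices/SERIAL00000000A/camera",
    "devices/SERIAL00000000B/status",
    "devices/SERIAL00000000B/camera",
]

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter match: '+' matches one level, '#' matches the remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def authorize(token: str, action: str, topic_filter: str) -> bool:
    """Allow only filters that can never match another device's topics:
    level 0 must be the literal 'devices', level 1 the caller's own serial.
    'devices/#' and 'devices/+/camera' are therefore denied."""
    serial = TOKEN_TO_SERIAL.get(token)
    if serial is None or action not in ("publish", "subscribe"):
        return False
    levels = topic_filter.split("/")
    if len(levels) < 3 or levels[0] != "devices" or levels[1] != serial:
        return False
    if action == "publish" and any(l in ("+", "#") for l in levels):
        return False  # wildcards are never valid in a publish topic
    return True

def deliverable(token: str, topic_filter: str, enforce_acl: bool) -> list:
    """Topics a subscription would receive, with or without the ACL.
    enforce_acl=False models the weak setting: any valid token sees everything."""
    if token not in TOKEN_TO_SERIAL:
        return []
    if enforce_acl and not authorize(token, "subscribe", topic_filter):
        return []
    return [t for t in KNOWN_TOPICS if topic_matches(topic_filter, t)]
```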

It wasn’t only vacuums that answered back. DJI’s Power portable battery stations, which run on the same MQTT infrastructure, also showed up. These are home-backup generators expandable to 22.5kWh, marketed for keeping your house running during outages.

What makes this different from a conventional security discovery is how it happened. Azdoufal used Claude Code to decompile DJI’s mobile app, understand its protocol, extract his own authentication token, and build a custom client.

AI coding tools are lowering the bar for advanced offensive security. The population capable of probing Internet of Things (IoT) protocols just got much, much larger, further eroding any remaining faith in security through obscurity.

Why plenty of IoT vacuum cleaners suck

This isn’t the first time someone has remotely pwned a robot vacuum cleaner. In 2024, hackers commandeered Ecovacs Deebot X2 vacuums across US cities, shouting slurs through speakers and chasing pets around. Ecovacs’s PIN protection was checked only by the app, never by the server or the device.

Last September, South Korea’s consumer watchdog tested six brands. Samsung and LG fared well, but it found serious flaws in three Chinese models. Dreame’s X50 Ultra allowed remote camera activation. Researcher Dennis Giese later reported a TLS vulnerability in Dreame’s app to CISA. Dreame didn’t respond to CISA’s queries.

The pattern keeps repeating: manufacturers ship vacuums with textbook security failures, ignore researchers, then scramble when journalists publish.

DJI’s initial response made things worse. Spokesperson Daisy Kong told The Verge the flaw had been fixed the prior week. That statement arrived about thirty minutes before Azdoufal demonstrated thousands of robots, including the journalist’s own review unit, still reporting in live. DJI later issued a fuller statement acknowledging a backend permission validation issue and two patches, on February 8 and 10.

DJI said that TLS encryption was always in place, but Azdoufal says that protects the connection, not what’s inside it. He also told The Verge that additional vulnerabilities remain unpatched, including a PIN bypass on the camera feed.

Regulators are applying pressure

Regulation is arriving, slowly. The EU’s Cyber Resilience Act will require mandatory security-by-design for all connected products sold in the bloc by December 2027, with fines up to €15 million. The UK’s PSTI Act, in force since April 2024, became the world’s first law banning default passwords on smart devices. The US Cyber Trust Mark, by contrast, is voluntary. These frameworks technically apply regardless of where the manufacturer sits. In practice, enforcing fines on a Shenzhen company that ignores CISA coordination requests is a different proposition entirely.

How to stay safe

There are practical steps you can take:

  • Check independent security testing before buying connected devices
  • Place IoT devices on a separate guest network
  • Keep firmware updated
  • Disable features you don’t need

And ask yourself whether a vacuum really needs a camera. Many LiDAR-only models navigate effectively without video. If your device includes a camera or microphone, consider whether you’re comfortable with that exposure—or physically cover the lens when not in use.



About the author

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.


Source: https://www.malwarebytes.com/blog/news/2026/02/hobby-coder-accidentally-creates-vacuum-robot-army