A man used Claude Code to hack thousands of robot vacuums by accident
A Claude Code side project accidentally broke into thousands of DJI devices. The implications go further.
Using Claude Code, a man accidentally broke into thousands of live DJI Romo robot vacuums, accessing camera feeds and remotely controlling them.
This UnfilteredFriday, let's talk about IoT security and where AI could get us.
Whoops, I hacked your vacuum
Hoping to link his brand-new DJI Romo vacuum to a PS5 controller for a geeky side project, Sammy Azdoufal fired up Claude Code and got to work. By reverse engineering the protocol used to communicate with the vacuum, he gained direct control of his robot.
But it turned out it also gave him access to thousands of other DJI robot vacuums too. Sammy could check battery levels, view live camera feeds, remotely control robots, listen through microphones, and generate 2D maps of each home. With the IP addresses of the robots, he could also estimate the location of each device.
In simple terms
The DJI Romo uses the well-established and robust MQTT protocol to communicate with DJI servers and the official mobile phone app. Proper authentication was required to access a DJI Romo, but poor design meant any authentication token could be used to control all connected robot vacuums.
This wasn't a problem with the official app, which restricted access to local devices. But when Sammy extracted his own authentication token using Claude Code, it gave him access to every device out there. For the uninitiated, an authentication token is a temporary, unique code issued upon verification of a password, ensuring that the password doesn't need to be resent every time.
Anything can be hacked
When the story first broke earlier in the week on The Verge, DJI had already been informed and sent a statement that the issue was resolved prior to public disclosure. Sammy claims other weaknesses remain, though he could no longer see or hear through other devices.
The issue here is weak app design on the part of DJI. However, it's worth noting how Claude Code lowered the barriers of entry, making it far easier to find or exploit security flaws.
The other consideration is this: if even a commercial product from a major manufacturer could contain such security oversights, what of vibe-coded apps created by non-technical users?
I personally operate on the assumption that my home smart devices can be compromised. Cybersecurity is often last on the list for consumer products, and devices are rarely, if ever, patched after they are released.
Are we facing a potential vibe-coded security apocalypse?
