A harmless side project resulted in an unexpected glimpse inside thousands of homes, exposing just how thin the line between ownership and access has become. What started as a geek’s experiment ended as a reminder that the devices we control may not be entirely ours to command.
When Spanish software engineer Sammy Azdoufal started messing around with the code of his new robot vacuum cleaner at the start of this year, he did it with the most innocent (and geeky) of intentions. All he wanted was to be able to steer his robot vacuum with a gaming controller, as if it were a dust-sucking remote control car. Fun, right?
It’s the sort of side project that tends to live and die on a GitHub repository, noticed only by a handful of people who appreciate the technical novelty and dedication to a trivial idea. Instead, it ended with Azdoufal accidentally gaining access to thousands of other people’s homes.
And I don’t mean that metaphorically. Because although Azdoufal only wanted to hack his own vacuum cleaner, what he really achieved was unlimited access to 7,000 of them.
The king of the robovacs
While building the custom controller for his DJI Romo robot vacuum, Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the device communicated with its cloud servers. This line of communication, in itself, is not unusual. Many modern consumer devices are less self-contained machines than they are endpoints in a larger network, constantly talking to remote systems in order to function. Welcome to what’s called the Internet of Things (or IoT for short).
To control his own vacuum, Azdoufal needed to replicate that conversation. He needed credentials – digital proof that he was the rightful owner of the device – so that his app could issue commands and receive data. What he found, however, was not a neatly fenced-off system tied to a single machine. Instead, it was a wide open door.
The same credentials that allowed him to see and control his own robot gave him simultaneous access to nearly 7,000 units of the same robot vacuum across 24 countries. Through what appears to have been a backend security flaw, Azdoufal could access live camera feeds, microphone audio, spatial maps, and status data from devices he did not own and had never interacted with, inside the homes of people he had never met.
For a brief moment, he had what can only be described as a distributed, global surveillance system, assembled not through malice, but by pure accident.
Azdoufal does the right thing
To his credit, Azdoufal did not treat the discovery as an opportunity.
There is a version of this story that plays out very differently – one where curiosity turns into exploitation. Even if Azdoufal himself didn’t make use of his live feed into strangers’ homes for malicious or criminal purposes, he could have sold that access to others who would. The tools were there. The access was real. And, for a brief moment, it appears to have been largely undetected and unrestricted.
Fortunately, he chose not to go down that path. Instead of probing further, Azdoufal documented what he had found and shared it with journalists, who in turn contacted DJI to report the issue. Following the responsible disclosure, DJI awarded him a $30,000 bug bounty for identifying the vulnerability (a standard industry practice designed to encourage exactly this kind of restraint).
DJI also made a statement about the incident, saying that it plans to “continue to implement additional security enhancements”, but did not specify what those may entail.
7,000 eyes
The device in question, the DJI Romo, is not especially unusual by robovac standards. It is an autonomous vacuum and mop like so many of its peers, equipped with cameras and sensors that allow it to navigate a home, distinguish between rooms, and avoid obstacles. It can be scheduled and monitored through an app, but most of its work happens independently.
In order to do that work, however, it needs to “see”. It needs to collect visual data about its environment, build maps, identify surfaces, acclimatise to its owner’s routines and update its understanding as the home changes. Some of that data is processed locally, but a significant portion is sent to and stored on remote servers.
In other words, the vacuum you bought to clean your floors is also, by necessity, a device that continuously documents the layout, contents and rhythm of your home and communicates that information to a server, probably hosted on a cloud somewhere.
This is not a hidden feature. It is simply part of what we accept as the cost of convenience.
The illusion of ownership
If you went out and bought a robot vacuum today, you would assume that you own it.
After all, you paid for it. It sits in your home, charging itself using your electricity. It responds to your commands. It cleans your floors on a schedule you set. Ownership, in the traditional sense, seems straightforward. And yet, in practice, that ownership comes with conditions, as we’ve now learned. This is not unique to robot vacuums. In fact, if we look closely, we may spot a pattern that has reshaped consumer technology over the past decade.
Printers, for instance, increasingly rely on subscription models that can limit functionality if payments lapse. Features that once belonged to the physical device are now tied to ongoing subscription services. Stop paying, and the machine you “own” may be remotely deactivated. Despite owning the hardware, the paper and the ink required, you may find yourself unable to print a single page.
Smartphone updates are often framed as improvements. And, in many cases, they are. They patch security flaws, introduce new features, and extend the lifespan of devices that might otherwise become obsolete. In theory, an update is something you receive. In practice, it is something that happens to your device – sometimes with your consent, sometimes with only the appearance of it.
Over the past few years, several high-profile updates have reminded users of that distinction.
In the first quarter of 2025, Samsung was forced to pause the global rollout of a major Android update after a bug prevented some users from unlocking their own phones. For those affected, the object in their hands – a device they had paid for and relied on – became temporarily inaccessible because of a software change they didn’t ask for, which was delivered completely remotely.
Even when updates don’t break functionality outright, they can still disrupt the familiarity that makes a device feel like yours. Apple’s more recent iOS releases, for instance, have drawn widespread complaints about changes to core features as basic as typing. Users reported erratic autocorrect, lagging keyboards, and interfaces that behaved differently from one day to the next. These may be small shifts, but they tend to accumulate into a sense that the device you own is being controlled by someone else.
In each of these cases, the same pattern reveals itself. Whether a printer, a phone or a robot vacuum, the physical object is only part of the system. The rest exists elsewhere, in infrastructure that the user does not control.
Ownership, then, becomes something closer to a negotiated experience than a fixed state.
Who’s controlling who?
There is a certain irony in the fact that Azdoufal began with the intention of gaining more direct control over his own device. He wanted to bypass the standard interface and to interact with the machine on his own terms. In trying to take control, he briefly revealed how diffuse that control had become.
It is tempting to treat episodes like this as technical anomalies – bugs to be fixed, patches to be deployed, lessons to be filed away for future engineers. But they also function as glimpses into the underlying architecture of modern life and reminders of what we own, and what we don’t.
You can still buy the device. You can still place it in your home. You can still press the button that sets it in motion. But somewhere between that button and the movement of the machine, there is a chain of dependencies that now extends far beyond your walls.
Most of the time, that chain works exactly as intended. Occasionally, as Azdoufal discovered, it does not.
As scary as it may be to contemplate, the outcome of that situation depends on the human who cracks the code, on purpose or otherwise. In this case, it was a good one.
About the author: Dominique Olivier

Dominique Olivier is the founder of human.writer, where she uses her love of storytelling and ideation to help brands solve problems.
She is a weekly columnist in Ghost Mail and collaborates with The Finance Ghost on Ghost Mail Weekender, a Sunday publication designed to help you be more interesting. She now also writes a regular column for Daily Maverick.


