A guy wanted to drive his vacuum with an Xbox controller. He ended up with live camera feeds from 7,000 homes in 24 countries.
The US government spent two years debating whether DJI theoretically could spy on Americans. Congress passed the NDAA, which triggered an automatic FCC Covered List placement and effectively banned new DJI products from the US market in December 2025.
The entire argument was hypothetical. “Chinese drones could enable persistent surveillance and data exfiltration.” No public evidence of actual misuse. DJI challenged the designation in court and lost. They published security white papers. They offered to submit to audits. Nobody took them up on it.
Then Sammy Azdoufal in February 2026 pulls his own auth token from a $2,000 DJI robot vacuum, and DJI’s servers hand him the keys to 7,000 units in 24 countries. Live camera feeds. Active microphones. Complete floor plans of strangers’ homes. IP addresses showing approximate locations. Every device phoning home MQTT data packets every three seconds.
The authentication token was based on the device serial number with zero ownership verification. Any valid credential worked for any unit on the planet. He cataloged 6,700 devices and collected over 100,000 messages in nine minutes.
Azdoufal used Claude Code to reverse-engineer his own vacuum’s protocol. He didn’t crack anything, didn’t brute force anything, didn’t bypass anything. DJI just never built the wall.
And this is the second time in 18 months. In May 2024, hackers took over Ecovacs Deebot X2 vacuums across multiple US cities, yelling racial slurs through the speakers and chasing dogs around living rooms. That vulnerability was disclosed at a hacking conference in December 2023. Ecovacs acknowledged it, said users “do not need to worry excessively,” and shipped an insufficient patch.
The pattern tells you everything about how Chinese IoT companies think about software. World-class hardware, authentication systems that wouldn’t pass a first-year security course. The PIN protecting Ecovacs’ video feed was only validated by the app, not the server. DJI’s MQTT broker accepted any authenticated client for any device topic. Someone designed these systems, reviewed them, and shipped them knowing cameras and microphones would be inside people’s homes.
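The two failure modes named above, a credential that is valid for every device rather than scoped to one, and a check enforced only in the app rather than on the server, are easiest to see side by side in code. The following is an added illustration, not DJI's or Ecovacs' code: a constructed model of an MQTT-style topic space where the weak path accepts any valid token for any device topic, and the hardened path requires the token's serial to match the topic and the server's own ownership registry to agree. The registry, secret, serials and topic layout are all invented for the example.

```python
import hashlib
import hmac

# Constructed server-side registry: device serial -> account that registered it.
DEVICE_OWNERS = {"SN-0001": "alice", "SN-0002": "bob"}

# Constructed server-side store of per-device video PINs (hashed, never sent to the app).
DEVICE_PIN_HASH = {"SN-0001": hashlib.sha256(b"4321").hexdigest()}

SECRET = b"constructed-server-secret"  # assumed server-held HMAC key


def issue_token(serial: str, account: str) -> str:
    """Issue a token only after ownership is verified, bound to serial AND account."""
    if DEVICE_OWNERS.get(serial) != account:
        raise PermissionError("account does not own this device")
    payload = f"{serial}:{account}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{serial}:{account}:{mac}"


def parse_token(token: str):
    """Return (serial, account) if the token's MAC verifies, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    serial, account, mac = parts
    expected = hmac.new(SECRET, f"{serial}:{account}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return serial, account


def topic_device(topic: str) -> str:
    """Topics are modelled as 'devices/<serial>/<channel>'; return the serial."""
    parts = topic.split("/")
    return parts[1] if len(parts) == 3 and parts[0] == "devices" else ""


def authorize_weak(token: str, topic: str) -> bool:
    """The failure mode: any valid credential unlocks any device topic."""
    return parse_token(token) is not None


def authorize_scoped(token: str, topic: str) -> bool:
    """Hardened: token valid, serial in token matches the topic, and the server's
    registry still says the token's account owns that serial."""
    parsed = parse_token(token)
    if parsed is None:
        return False
    serial, account = parsed
    return topic_device(topic) == serial and DEVICE_OWNERS.get(serial) == account


def open_video_stream(token: str, serial: str, pin: str) -> bool:
    """Server-side PIN gate: the app's own PIN dialog is not trusted; the broker
    re-checks the PIN against its stored hash before releasing the camera topic."""
    if not authorize_scoped(token, f"devices/{serial}/camera"):
        return False
    stored = DEVICE_PIN_HASH.get(serial)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(pin.encode()).hexdigest())


if __name__ == "__main__":
    tok = issue_token("SN-0001", "alice")
    print("weak, other device:  ", authorize_weak(tok, "devices/SN-0002/camera"))
    print("scoped, other device:", authorize_scoped(tok, "devices/SN-0002/camera"))
    print("scoped, own device:  ", authorize_scoped(tok, "devices/SN-0001/camera"))
    print("video with wrong PIN:", open_video_stream(tok, "SN-0001", "0000"))
```

The point of `authorize_scoped` is that the broker decides per topic, not per connection: a credential that verifies is necessary but not sufficient, and the ownership lookup happens on the server for every subscribe. `open_video_stream` makes the same point for the PIN: whatever the app shows the user, the server re-validates before the feed is released.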
Washington spent two years arguing about whether DJI might collect your data. Azdoufal proved that DJI couldn’t even stop a hobbyist from collecting everyone’s data by accident. And 54 million US households have at least one smart home device installed, with that number growing every year.
The question Congress should have been asking all along: does DJI know how to secure data in the first place? Now we have the answer.
Quote
Mark Gadala-Maria
@markgadala
This story is actually insane:
• dude drops $2000 on a DJI robot vacuum like a lunatic
• refuses to use the normal app like a peasant
• Sammy Azdoufal fires up Claude to crack the API so he can drive it with an Xbox controller
• Claude delivers the goods
• pulls an auth