A French engineer. 7,000 devices. 24 countries. One AI coding assistant.
That’s the real anatomy of February 2026’s “Accidental Army” incident.
If you ever made your way to season 2 of Mr. Robot, you’ll remember the scene where fsociety takes over a CEO’s smart home: the thermostat spins out of control, the alarms go off, the media blares — all to drive her out.
That sequence isn’t too far from what actually happened this February with DJI’s Romo vacuums.
Sammy Azdoufal, a software engineer based in France, bought a DJI Romo vacuum and decided to steer it with a PS5 controller — mostly for fun.
To make the controller communicate with DJI’s cloud servers, he used an AI coding assistant called Claude Code to help reverse-engineer the system.
Instead of just accessing his own vacuum, he uncovered a backend authorisation flaw.
Roughly 7,000 Romo units across 24 countries were exposed. That included devices in Australia.
According to reporting by The Verge, the flaw allowed access to live camera feeds, microphone audio, detailed 2D floor maps and approximate IP-based location data.
Not scraped data. Not metadata. Actual in-home visibility.
Azdoufal wasn’t one for exploiting it. He reported it. DJI confirmed the vulnerability and pushed out two emergency patches, fully resolving the issue by February 10, 2026.
The breach is now closed.
But the context matters: DJI’s AI-powered vacuums are now officially available in Australia. Which means this isn’t a distant, theoretical tech scare.
These are camera- and mic-equipped devices mapping real homes.
Hackers and lurkers are probably rubbing their hands together at the thought – every smart app, camera, and connected gadget in your home is potentially ripe for a takeover.
That’s how thin the line is between convenience and chaos.
