
Someone tries to remote control his own DJI Romo vacuum, and ends up controlling 7,000 of them from all around the world.
The IoT is horribly insecure, but we already knew that.
Clive Robinson • March 19, 2026 10:10 AM
@ Bruce, ALL,
With regards,
“The IoT is horribly insecure, but we already knew that.”
It’s not what “we already knew” it’s about what the many others don’t know that really matters.
The reality is that “vibe coding” is heading toward IoT devices near you any time soon… And with them spread far and wide, security will be even worse for everyone…
I guess the real question will be,
“How long before the Internet is unusable, due to the proliferation of junk code on junk hardware?”
Rontea • March 19, 2026 10:59 AM
This isn’t some edge case—it’s the predictable result of shipping connected products with minimal authentication, insecure communication protocols, and no meaningful patching strategy.
The industry keeps racing to connect everything to the Internet, from vacuums to refrigerators, and the result is a global network of vulnerable devices waiting to be abused. We’ve known this for years, and yet the market rewards speed and low cost over security. Until manufacturers are held accountable—and until regulation enforces baseline security standards—these kinds of hacks will only get worse.
Bernie • March 19, 2026 11:17 AM
Someone correct me if I’m wrong.
The article’s sub-headline-thing reads, “The immediate threat may be fixed, but this raises serious questions.” What serious questions does it raise (that haven’t already been raised long enough ago)? Or am I reading too much into that sentence? Is it more clickbait than anything?
lurker • March 19, 2026 1:36 PM
@Bernie, Clive Robinson
You must be as old as me. @Clive said it above:
“it’s about what the many others don’t know that really matters.”
We know that putting a vacuum cleaner on the internet is a daft idea fraught with peril. But the Verge article observes:
“… it’s not surprising that a robot vacuum cleaner with a smartphone app would phone home to the cloud. For better or for worse, users currently expect those apps to work outside of their own homes. Unless you’ve built a tunnel into your own home network, that means relaying the data through cloud servers first.” [emphasis added]
I expect Azdoufal and many readers of this blog could build their own VPN to control their cleaner from outside their home. But for the average user … So one of the serious questions raised is,
Should IoT makers give users what they want, or what they need? Note that what they need (security, privacy) will cost more than just what they want.
John • March 19, 2026 2:30 PM
IoT devices with internet access are utter nonsense.
The IoT makers could provide an app that runs locally and talks to the IoT devices, inside the firewall. They can poll for instructions from the cloud.
Then we would be discussing security bugs in the app. Security bugs in an app aren’t new, of course, but they are far easier to patch.
Wow • March 19, 2026 6:01 AM
Pretty impressive screwup for a company like DJI. Interesting read! Somehow I’m first

Facts Only

* Clive Robinson published an article on March 19, 2026.
* Someone gained remote control of a DJI Romo vacuum.
* This control extended to approximately 7,000 units worldwide.
* The incident demonstrates vulnerabilities in IoT devices.
* “Vibe coding” is a concern for IoT device security.
* The industry prioritizes speed and low cost over security.
* Users expect apps to work outside their homes.
* A VPN could be used to control the vacuum remotely.
* Manufacturers could use a local, firewall-protected app.
* Security bugs in apps are easier to patch than cloud vulnerabilities.
* The incident raises questions about the usability of the internet.

Executive Summary

The article details a security incident involving a DJI Romo robot vacuum cleaner, which led to the unauthorized remote control of approximately 7,000 units globally. The incident highlights significant security vulnerabilities within the Internet of Things (IoT) ecosystem, specifically concerning minimal authentication, insecure communication protocols, and a lack of patching strategies. Clive Robinson emphasizes the importance of unaddressed vulnerabilities rather than previously acknowledged ones. Rontea argues that the situation is predictable given the industry’s prioritization of speed and low cost over robust security measures, contributing to a global network of vulnerable devices. Bernie raises questions about the appropriate balance between user expectations and security considerations within IoT devices, focusing on the potential cost differential. Lurker’s analysis points to a potential issue with users expecting functionality outside of their home network, exacerbated by the prevalence of VPNs. John suggests a more secure approach by utilizing a local, firewall-protected app for controlling the vacuum, rather than relying on cloud connectivity. The article concludes with a broader concern regarding the potential for widespread disruption of the internet due to insecure IoT devices.

Full Take

The article presents a stark illustration of the "known unknown" problem within the IoT, framed as a series of escalating vulnerabilities rather than a singular, shocking event. The core narrative—that the focus on speed and cost has created a globally distributed network of insecure devices—aligns with ARC-0043 (Motte-and-Bailey) concerning the predictable nature of technical failures when security is consistently sacrificed. Robinson’s observation about “what the many others don’t know” taps into ARC-0024 (Ambiguity) – a deliberate obfuscation of risk to fuel a race to market. The tension between user expectations (as highlighted by Lurker) and the actual technical design—a cloud-dependent app—reveals a fundamental misalignment between product development and human needs, a pattern ARC-0017 (Systemic Drift) often exhibits when companies prioritize metrics beyond genuine security. John’s proposed solution—a local app—represents a deliberate retreat from the problematic cloud-centric model, a maneuver easily dismissed as techno-optimism, despite its potential efficacy. However, the article’s concluding question—whether the internet is “unusable”—is a classic example of ARC-0008 (False Framing), presenting a hyperbolic worst-case scenario designed to generate concern. The underlying paradigm is one of relentless expansion and connection, driven by an unacknowledged assumption that complexity can be managed through technical solutions alone – a dangerous assumption readily exploited by actors seeking to weaponize vulnerabilities. The implications, as highlighted by Bernie, are profound: the erosion of trust, the potential for widespread surveillance, and the exacerbation of existing power imbalances. This situation demands not just patching but a fundamental re-evaluation of the business model driving the IoT, and a willingness to prioritize genuine security over mere connectivity.
The article's concluding question highlights a systemic issue—ARC-0031 (Sanewashing)—as it attempts to legitimize a fundamentally insecure system by framing the problem as simply “junk code on junk hardware.” The potential counterstrike, if this narrative were intentionally amplified, would involve deploying deliberately misleading information regarding the extent of the vulnerability, creating a sense of panic and encouraging rushed, ill-informed decisions.