
Software Engineer Accidentally Controls 7,000 Robot Vacuums, Exposing Security Flaw
cybersecurity, robotics, privacy, vulnerability, surveillance
A software engineer accidentally gained control of 7,000 robot vacuums while attempting to control his own DJI vacuum with a video game controller. The engineer discovered that the authentication token provided API-level access to all devices, not just his own, exposing live camera feeds, microphone audio, maps, and status data from vacuums across 24 countries. The issue stemmed from overprovisioned credentials and a lack of owner consent for accessing sensitive hardware. The incident revealed a backend security flaw that could turn the devices into unintended surveillance tools.
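
The overprovisioned-credential pattern described above, next to a scoped check, as an added example that is not code from the article or from the vendor's backend. The token fields, device IDs, resource names and function names are hypothetical, and the fleet data is constructed for illustration.

```python
from dataclasses import dataclass, field

SENSITIVE = {"camera", "microphone"}  # hardware the summary says needs owner consent

@dataclass
class Token:
    user_id: str
    device_ids: frozenset  # devices this token is scoped to (hypothetical claim)

@dataclass
class Device:
    device_id: str
    owner_id: str
    consented: set = field(default_factory=set)  # sensitive resources the owner enabled

# Constructed sample fleet; all IDs are made up.
FLEET = {
    "vac-001": Device("vac-001", "alice", {"camera"}),
    "vac-002": Device("vac-002", "bob"),
}

def authorize_overprovisioned(token, device_id, resource):
    """Flawed pattern: any valid token reaches any device and any resource."""
    return token is not None and device_id in FLEET

def authorize_scoped(token, device_id, resource):
    """Deny by default: check token scope, then ownership, then owner consent."""
    device = FLEET.get(device_id)
    if token is None or device is None:
        return False
    if device_id not in token.device_ids:   # token is bound to specific devices
        return False
    if device.owner_id != token.user_id:    # server-side ownership check
        return False
    if resource in SENSITIVE and resource not in device.consented:
        return False
    return True

def audit(token, requests):
    """Requests the overprovisioned check allows but the scoped check denies."""
    return [r for r in requests
            if authorize_overprovisioned(token, *r) and not authorize_scoped(token, *r)]

ALICE = Token("alice", frozenset({"vac-001"}))
REQUESTS = [("vac-001", "status"), ("vac-001", "camera"),
            ("vac-001", "microphone"), ("vac-002", "camera"), ("vac-002", "map")]

if __name__ == "__main__":
    for device_id, resource in audit(ALICE, REQUESTS):
        print("excess access:", device_id, resource)
```

The `audit` helper doubles as a regression test for a backend: any request it returns is access that a single user's token should never have been granted.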