The PS5 Controller That Hacked 7,000 Homes: A Cautionary Tale of IoT Hubris
Verified: 3/9/2026
The Weekend Project That Went Global
Sammy Azdoufal just wanted to control his new DJI Romo vacuum with a PS5 controller. As a reach strategist with an AI background, he turned to Claude, an AI coding assistant, to whip up a custom app. It was supposed to be a neat hack for his living room—something to show off to friends. But within minutes, his screen lit up with data from thousands of devices across 24 countries. He hadn't just connected to his vacuum; he'd stumbled into a backdoor to 7,000 homes. This wasn't a targeted attack by some shadowy hacker; it was a casual experiment that exposed how fragile our smart devices really are.
The Flaw: A Server Without Walls
The core issue was shockingly simple. DJI's server handling communication between the Romo vacuums and the cloud lacked topic-level access controls. In plain terms, once Azdoufal authenticated with his device token, the server treated him like he owned every vacuum connected to it. There were no internal barriers—no checks to see if he should be accessing data from other users. It's like giving someone a key to one apartment in a building and realizing it opens every door. The vulnerability allowed access to:
- Live video feeds from the vacuum's onboard camera
- Microphone audio recordings
- 3D floor plans of homes
- Real-time device status and controls
This isn't just a privacy nightmare; it's a systemic failure in how we architect IoT security. Many companies prioritize convenience over robust access management, assuming users won't poke around. Azdoufal's discovery proves that assumption is dangerously naive.
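The missing check described above, as an added illustration that is not DJI's code and not part of the original article: the weak policy gates only on a valid device token, the scoped policy also ties every topic to the device that token belongs to. The MQTT-style topic layout `devices/<device_id>/<channel>`, the wildcard semantics, and the sample tokens and device ids are all assumptions; the article names neither the protocol nor the topic scheme.

```python
"""Topic-scoped authorization for a device/cloud pub-sub broker.

Added illustration, not DJI's or the reporter's code. It assumes an
MQTT-style topic layout 'devices/<device_id>/<channel>' with '+' and '#'
wildcards; the article names neither the protocol nor the topic scheme.
"""

# Constructed sample: each device token is bound to exactly one device id.
TOKENS = {"tok-A": "vac-0001", "tok-B": "vac-0002"}
WILDCARDS = ("+", "#")


def authenticate(token):
    """Return the device id bound to a valid token, or None."""
    return TOKENS.get(token)


def authorize_weak(device_id, topic_filter):
    """The flaw the article describes: authentication is the only gate,
    so any valid token may subscribe to or publish on any topic."""
    return device_id is not None


def authorize_scoped(device_id, topic_filter):
    """Hardened check: the device-id segment must equal the caller's own id.

    A wildcard in that segment ('devices/#', 'devices/+/camera') is refused,
    since it would fan one subscription out across every home on the broker.
    """
    if device_id is None:
        return False
    parts = topic_filter.split("/")
    if len(parts) < 3 or parts[0] != "devices":
        return False
    owner = parts[1]
    if not owner or owner in WILDCARDS:
        return False
    return owner == device_id


def handle_request(token, topic_filter, policy):
    """Simulate the broker's decision for one subscribe/publish request."""
    device_id = authenticate(token)
    if device_id is None:
        return False, "authentication failed"
    if not policy(device_id, topic_filter):
        return False, f"{device_id} is not authorized for {topic_filter}"
    return True, f"{device_id} granted {topic_filter}"
```

With the weak policy, `handle_request("tok-A", "devices/#", authorize_weak)` is granted and would deliver every device's channels to one client; the scoped policy refuses that filter and only grants topics under `devices/vac-0001/`.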
AI's Role: Accelerator, Not Villain
Let's be clear: the AI assistant Claude didn't cause the hack. Azdoufal used it to tweak the communication protocol between his app and DJI's servers, speeding up what would have been a tedious coding task. AI here acted as a force multiplier for curiosity, lowering the barrier to explore system boundaries. This highlights a new reality: as AI tools become ubiquitous, they'll empower more people to test limits—intentionally or not. The takeaway isn't to fear AI, but to recognize that our systems need to be resilient against this kind of probing. If a casual user with an AI helper can uncover such a gap, imagine what a determined adversary could do.
"I wasn't trying to hack anyone else's robot vacuum. It was merely a fun project." — Sammy Azdoufal, in an interview with The Verge
The Fallout and the Fix
DJI moved fast once Azdoufal reported the issue. By February 24, they'd patched the authorization loophole, restricting access so that one user's token could no longer reach other users' data. Azdoufal received a bounty of around 500 million yen (roughly $3.3 million), a hefty reward that underscores the severity of the flaw. But this incident ripples beyond one company. It exposes a broader pattern in IoT security: too many devices are shipped with minimal security testing, relying on obscurity rather than robust design. The Romo vacuums, like many smart home gadgets, were designed for ease of use, with security as an afterthought. This case should be a wake-up call for manufacturers to bake in zero-trust architectures from the start.
What This Means for the Industry
First, topic-level access controls aren't optional—they're essential for any cloud-connected device. Second, bug bounty programs are critical, but they're reactive; we need proactive security audits. Third, as AI tools democratize tinkering, companies must assume users will probe their systems and design accordingly. The PS5 controller hack isn't an anomaly; it's a preview of a future where everyday tech can have global consequences. We're building a world where our homes are nodes in a vast network, and this story shows how easily that network can be compromised by a single oversight.
In the end, Azdoufal's accidental discovery is a stark reminder: in the race to connect everything, we can't afford to forget the basics. Security isn't a feature; it's the foundation. As we integrate more devices into our lives, let's demand better—because the next hack might not be so harmless.