It is an unsettled holiday period for Chinese tech giant DJI. A report from The Verge says several serious security vulnerabilities allowed an engineer to access roughly 7,000 units of DJI’s first robot vacuum cleaner worldwide, including live camera feeds.
Incidents like this surface regularly in the smart home industry, particularly among camera makers. As more household devices integrate cameras for navigation, monitoring, or security purposes, concerns grow over who may be watching inside private homes. For a company of DJI’s scale, which is expected to operate a top-tier security engineering team and recently joined the Connectivity Standards Alliance, the exposure is striking. It is even more concerning given that the issue reportedly affected the company’s first robot vacuum model.
Should you worry about it?
DJI says the issue has been fixed and that there should no longer be unauthorized access to robot vacuum camera feeds. However, as the original reporting from The Verge notes, additional vulnerabilities were identified during the investigation. As a precaution, users may want to block the device’s network access at the router level until they are confident all updates have been applied.
In a statement sent to Matter Alpha, DJI said:
“DJI identified a vulnerability affecting DJI Home through internal review in late January and initiated remediation immediately. The issue was addressed through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10. The fix was deployed automatically, and no user action is required.
DJI maintains strong standards for data privacy and security and has established processes for identifying and addressing potential vulnerabilities. The company has invested in industry-standard encryption and operates a longstanding bug bounty program. We have reviewed the findings and recommendations shared by the independent security researchers who contacted us through that program as part of our standard post-remediation process. DJI will continue to implement additional security enhancements as part of its ongoing efforts.”
At present, DJI robot vacuum cleaners can only be controlled through the vendor’s mobile app or physical buttons on the device. There are no third-party platform integrations or local control options as far as I know. The remote access revealed in the report was achieved by reverse engineering the app via AI. DJI has published a detailed visual user guide for the Romo series in Chinese, but it does not include instructions related to privacy or security controls. That omission raises questions about how much emphasis was placed on security design at launch.
A trigger to accelerate Matter adoption?
Cameras inside the home remain one of the most sensitive device categories. Many platforms already support mature local-only camera protocols alongside Matter, allowing devices to function without mandatory cloud access or vendor apps.
Robot vacuum cleaners sit in a difficult position. They combine navigation, mapping, obstacle recognition, and sometimes cameras, with technology stacks that vary widely across vendors. Matter and other existing standards currently cover only a small portion of these features. Core functions such as floor maps, room selection, and camera access remain largely unavailable across platforms, let alone through Matter.
DJI’s recent entry into the Connectivity Standards Alliance could make this incident a turning point. Security expectations are significantly higher in overseas markets, and a failure like this on the company’s first smart home product could damage trust quickly, regardless of cleaning or routing performance.
So far, there is no visible activity in the Matter Distributed Compliance Ledger (DCL) indicating active Matter development or certification from DJI. The most recent progress in this area came after SmartThings announced Matter camera support, followed by Aqara obtaining the first Matter camera certification for its G350, according to the company’s official social media post.
(Source: The Verge, DJI, Aqara CN; Image: Matter Alpha/Ward Zhou)
