When a Robot Vacuum Becomes a Security Risk: What the DJI Romo Hack Means for Vacation Rental Managers

A hobbyist trying to control his robot vacuum with a PS5 controller accidentally exposed a massive security flaw — and ended up with access to thousands of other people’s devices. The story of the DJI Romo vulnerability is a striking reminder that the smart home gadgets vacation rental managers rely on to impress guests and streamline operations can also become unexpected entry points for security breaches. If your property has a robovac, a smart lock, or any connected device, this story is worth your attention.

A Harmless Experiment That Spiraled Into a Mass Vulnerability

What started as a fun DIY project revealed that DJI’s Romo robot vacuum had virtually no meaningful security controls protecting its remote access protocol.

Sammy Azdoufal, a developer who simply wanted to pilot his new DJI Romo vacuum using a PlayStation 5 gamepad, built a custom app to interface with the device. What he discovered in the process was alarming: the vacuum communicated over MQTT, a lightweight messaging protocol common in IoT devices, with almost no authentication or access controls in place. Once he understood the structure of the communication, he wasn’t just talking to his own vacuum. His app began connecting to thousands of other DJI Romo units owned by people around the world.

This wasn’t a sophisticated cyberattack. There was no brute-force cracking, no advanced malware. The door was simply left wide open. The DJI Romo, like many consumer IoT devices, appears to have been designed with convenience prioritized over security. For everyday consumers, this is concerning enough. For vacation rental managers who place these kinds of devices inside guest-occupied properties, the implications run deeper.
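
For readers who manage the technical side, here is the kind of access control the story says was missing, written as an added example (it is not DJI's code, and the article does not give DJI's actual topic scheme): a broker-side check that limits each authenticated device to its own MQTT topics. The `devices/<device_id>/...` layout, the device IDs and the function names are assumptions made for illustration.

```python
# Added illustration of per-device MQTT topic authorization; not DJI's code.
# Assumed (hypothetical) topic layout: devices/<device_id>/<channel...>

PUBLISHED = [  # constructed sample traffic from two unrelated owners
    "devices/vac-A1/status",
    "devices/vac-A1/camera/frame",
    "devices/vac-B2/status",
    "devices/vac-B2/camera/frame",
]

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1  # '#' is valid only as the last level
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def open_policy(device_id: str, topic_filter: str) -> bool:
    """The failure mode: any connected client may subscribe to any filter."""
    return True

def scoped_policy(device_id: str, topic_filter: str) -> bool:
    """Grant a filter only if it stays under devices/<device_id>/.

    device_id must come from the authenticated session (per-device credential
    or client certificate), never from a value the client chooses freely.
    """
    if not device_id or any(c in device_id for c in "+#/"):
        return False
    levels = topic_filter.split("/")
    # The first two levels must be literal, so wildcards can only appear
    # below this device's own prefix.
    return len(levels) >= 3 and levels[0] == "devices" and levels[1] == device_id

def visible_topics(policy, device_id: str, filters: list[str]) -> list[str]:
    """Topics from PUBLISHED the client would receive for the granted filters."""
    granted = [f for f in filters if policy(device_id, f)]
    return sorted(t for t in PUBLISHED if any(topic_matches(f, t) for f in granted))

if __name__ == "__main__":
    for policy in (open_policy, scoped_policy):
        print(policy.__name__, visible_topics(policy, "vac-A1", ["devices/#"]))
    print("own namespace:", visible_topics(scoped_policy, "vac-A1", ["devices/vac-A1/#"]))
```

With the open policy, one wildcard subscription returns every owner's topics; with the scoped policy the same request returns nothing, and the device still receives everything under its own prefix.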

Smart Devices in Rentals Carry Real Liability and Privacy Risks

Robot vacuums and other connected devices placed in rental properties can expose both guests and managers to privacy violations and unauthorized access if not properly vetted.

Many vacation rental properties now include smart home technology as a selling point — robot vacuums, smart thermostats, keyless entry systems, and even security cameras in common areas. Guests often appreciate the convenience, and managers benefit from the operational efficiency. But the DJI Romo situation highlights a risk that’s easy to overlook: you may not fully control the device you’ve placed in your property.

Robot vacuums with cameras — a feature found on several premium models — are particularly sensitive. If a device like the Romo can be remotely accessed by an unauthorized third party, that camera feed could potentially be viewed by someone outside your property entirely. Even without cameras, unauthorized control of a device inside a guest’s temporary home is a serious privacy concern and could expose a property manager to legal liability depending on local regulations.

Before placing any connected device in a rental unit, managers should research the manufacturer’s security track record, check whether firmware is regularly updated, and understand what data the device collects and transmits. Tools like Lodgix can help you keep detailed records of the devices and amenities in each property, making it easier to track when updates or replacements are needed across your portfolio.

Practical Steps Managers Can Take Right Now

Proactive security hygiene around smart devices is not just an IT concern — it’s a guest trust and business reputation issue.

You don’t need to be a cybersecurity expert to take meaningful steps to protect your properties and guests. Here are some straightforward actions worth considering:

  • Audit the connected devices in your rentals. Know exactly what’s installed, what network it’s on, and whether it has camera or microphone capabilities.
  • Keep firmware and apps updated. Many vulnerabilities are patched through updates. Enable automatic updates where possible.
  • Use a separate guest Wi-Fi network. Isolating smart devices on a dedicated network limits how far a potential breach can spread.
  • Vet devices before purchasing. Look for brands with transparent security policies and a history of responding to vulner
