Dumpster Fire as a Service

Charles Henderson

EVP, Cyber Security Services, Coalfire

March 2, 2026

Robot Vacuum Security Breach

Here We Go Again...

As I told my team this week, when you throw a Molotov cocktail into a dumpster fire, the casual observer rarely notices. 

The Internet of Things, like most technological advances, is a double-edged sword that brings both conveniences and frustrations. I’ve seen a lot of the latter lately. And by lately, I mean for the last decade; however, it’s consumers that have borne the burden of the IoT hellscape. 

I’m a tech-inclined person, and if you’re reading this, you likely are too. A lot of people are either never going to be savvy or are so burned out from hearing about IoT breaches and poor security practices that they no longer care.

Why did I talk to my team about dumpster arson? 

Because of an example so egregious, I must call the company out by name. If you’ve followed my posts for the last couple of decades, you know that I pretty much never do that. Therefore, before we move on, I’m awarding a special shoutout for demonstrating security practices so poor that I had to sit down and write this.

The Vacuum That Really Sucks

Recently, tech outlets reported on Sammy Azdoufal’s project to “remote control his brand-new DJI Romo vacuum with a PS5 gamepad”. In the process of developing his app, he accidentally gained access to nearly 7,000 vacuums all over the world. What’s exceptionally horrific is that he didn’t just gain control of their movements; they also had cameras. He was seeing inside people’s homes.

In a nutshell, he extracted the private key assigned to his own vacuum, but for some reason the backend servers allowed him to access thousands of others. According to Sammy, DJI has since fixed the misconfiguration. 
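The failure described above is a classic one: the backend checks that a per-device credential is genuine, but never checks that the device being requested is the one the credential belongs to. The example below is added here to illustrate that class of bug and is not DJI’s code; the device ids, keys, HMAC-based signing scheme and access-log lines are all constructed for the illustration. It shows the vulnerable handler beside a hardened one that binds the credential to the resource, plus a simple detection that would flag one credential reaching an implausible number of distinct devices.

```python
"""Per-device credential accepted for any device: vulnerable vs. hardened
handler, plus a fan-out detector. Added example with constructed data;
not the vendor's code."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Constructed backend state: one secret key per device (stands in for the
# per-device private key the post describes) and one camera feed per device.
DEVICE_KEYS = {
    "vac-0001": b"key-for-0001",
    "vac-0002": b"key-for-0002",
    "vac-0003": b"key-for-0003",
}
CAMERA_FEEDS = {d: f"<camera frames from {d}>" for d in DEVICE_KEYS}


@dataclass
class Request:
    claimed_device: str   # identity the client authenticates as
    target_device: str    # device whose feed the client asks for
    signature: str        # HMAC over both fields, made with the claimed device's key


def sign(device_id: str, target_device: str) -> str:
    """Client side: sign a request with the key of the device we hold."""
    msg = f"{device_id}|{target_device}".encode()
    return hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()


def authenticate(req: Request) -> bool:
    """Authentication only: is the signature valid for the *claimed* identity?"""
    key = DEVICE_KEYS.get(req.claimed_device)
    if key is None:
        return False
    msg = f"{req.claimed_device}|{req.target_device}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req.signature)


def get_feed_vulnerable(req: Request):
    """Authenticates the caller but never checks that the target device is
    the one the credential belongs to, so any valid device key reaches any feed."""
    if not authenticate(req):
        return None
    return CAMERA_FEEDS.get(req.target_device)


def get_feed_hardened(req: Request):
    """Authorization added: a device credential may only reach its own feed."""
    if not authenticate(req):
        return None
    if req.target_device != req.claimed_device:
        return None  # credential is not scoped to the requested resource
    return CAMERA_FEEDS.get(req.target_device)


# Constructed access-log lines: "<credential_id> <target_device> <http_status>"
ACCESS_LOG = """\
vac-0001 vac-0001 200
vac-0002 vac-0002 200
vac-0001 vac-0002 200
vac-0001 vac-0003 200
vac-0001 vac-0004 200
vac-0003 vac-0003 200
""".splitlines()


def credentials_with_fanout(log_lines, max_devices=1):
    """Detection: report credentials that successfully touched more distinct
    devices than a per-device credential should ever need (normally one)."""
    seen = defaultdict(set)
    for line in log_lines:
        cred, target, status = line.split()
        if status == "200":
            seen[cred].add(target)
    return {c: sorted(d) for c, d in seen.items() if len(d) > max_devices}


if __name__ == "__main__":
    other = Request("vac-0001", "vac-0002", sign("vac-0001", "vac-0002"))
    print(get_feed_vulnerable(other))   # vac-0001's key leaks vac-0002's feed
    print(get_feed_hardened(other))     # None
    print(credentials_with_fanout(ACCESS_LOG))
```

The point of the two handlers is that a valid signature only answers “who is calling”; the hardened version also answers “is this caller allowed to see this device”, which is the check the post says was missing. The fan-out detector is the server-side signal a defender would watch for: a per-device credential that suddenly reaches thousands of devices should never look like normal traffic.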

While these development practices are amateur hour, they are far from the exception. In fact, they are the norm. We all see examples of poor IoT security in the news, often from developers who are rushing to ship the product as fast as possible. Unfortunately, there are far more that you don’t hear about.

I’ve led expert teams of hackers, defenders, analysts, and developers for quite a while, and we’ve seen it all, from airplane systems to ATMs, autonomous vehicles, smart toilets, and everything in between (yes, the smart toilet was one of my favorite projects, and yes, we did find vulnerabilities).

In fact, it’s so trivial to find vulnerabilities in most commercial IoT devices that it’s something our interns do as a capstone project before graduating out of the program. Last year they found plenty of vulnerabilities in widely used dashcams.

What can be done about it? 

The answer to the question above depends on who’s reading this. I’ll break it into three sections: consumers, enterprises, and manufacturers.

Consumers

You need to be aware that at least some IoT devices in your home, in your car, or on your person have vulnerabilities that could put you at higher risk of having your personal data compromised. Many people simply don’t care, and that’s okay, as long as they’re aware the risk is there. For those who do care, you can try isolating IoT devices on their own network subnet. You could selectively disable Internet access when you’re not using the device, or even never connect it in the first place (I’m looking at you, fridges with ads). Finally, the US government is working on a plan to deploy a voluntary “Cyber Trust Mark” that will set baseline cybersecurity requirements for manufacturers. Keep an eye on that program.

Corporations and Other Enterprise Environments

You have more options than consumers. Your switches and routers should be easily configurable to isolate devices on VLANs with limited access to the Internet and internal systems. When you select IoT vendors, demand that they provide documentation about their security practices, including evidence of regular security testing. For particularly sensitive devices, bring in experts to perform your own penetration testing. Most of the IoT testing my teams have performed was not initiated by the manufacturers; security-conscious organizations recognize the need to measure the risk themselves.

Developers and Manufacturers

Please test your devices before shipping. I made jokes about the smart toilet, but I really commend that organization for taking their product’s security so seriously. We have enterprises come to us frequently looking to understand what could go wrong if a bad actor wanted to attack their product. This is a normal and healthy part of any secure development practice. At the end of the day, every IoT manufacturer has a duty to their customers to provide them with a device that’s not vulnerable out of the box. 

So, until IoT manufacturers get serious about security, my team and I will be watching the dumpster fire, waiting for a robot vacuum army 7,000 strong. Maybe we can connect it to OpenClaw.