True story. Sammy Azdoufal decided he wanted to drive his DJI Robo vacuum cleaner using his Xbox controller (as you do). He used Claude to reverse engineer their API and grabbed an auth token. It worked — he was steering his vacuum around the house like a remote-control car.
Hold on though.
He found that the same token also reached all 7,000 of the company's other live devices across 24 countries. He could use the onboard camera, read out the stored floor maps, and do everything else these clever little devices do. It turned out that the backend trusted any valid token for any device and never checked whether the caller actually owned the device it was addressing.
The Lesson
The universe keeps teaching us the same lesson in increasingly creative ways: never trust input, never assume context, and always check ownership. Especially when your product has wheels and a camera.
This is textbook IDOR, an Insecure Direct Object Reference. The API checked "are you logged in?" but never checked "is this your device?" It's the hotel key card that opens every room, not just yours. OWASP has been screaming about this one for years (Broken Object Level Authorization sits at number one, API1, in its API Security Top 10), and yet here we are, with a robot vacuum proving the point.
What Every API Builder Should Remember
- Implement object-level authorization on every endpoint. Not just "is this user authenticated?" but "does this user own this resource?" Put that check where the object is loaded (look up the device by ID and owner together) so a handler cannot forget it, and fail closed when the object is missing or belongs to someone else.
- Use scoped, short-lived tokens tied to specific device or resource IDs. A token that works for everything is a skeleton key.
- Monitor unusual access patterns. One user touching thousands of distinct device IDs in a short window should set off alarms.
- Treat IoT APIs with the same rigor as financial APIs. These devices have cameras inside people's homes.
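The three technical points above, in working form. This is an added illustration, not code from the post or from the vendor: a toy in-memory backend with a handler that checks only authentication beside one that also checks ownership and token scope, plus a small detector for the access pattern in the monitoring bullet. The users, device IDs, tokens and camera payloads are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed sample backend state (illustrative; not data from the incident).
DEVICES: Dict[str, Dict[str, str]] = {
    "dev-1001": {"owner": "alice", "camera": "frame-alice-1"},
    "dev-1003": {"owner": "alice", "camera": "frame-alice-3"},
    "dev-1002": {"owner": "bob", "camera": "frame-bob-2"},
}


@dataclass(frozen=True)
class Token:
    user: str
    # None means the token is unscoped: it may act on any of the user's devices.
    device_ids: Optional[FrozenSet[str]] = None


TOKENS: Dict[str, Token] = {
    "tok-alice": Token("alice"),
    "tok-alice-1001": Token("alice", frozenset({"dev-1001"})),
    "tok-bob": Token("bob"),
}


class Unauthorized(Exception):
    """No valid token presented (HTTP 401)."""


class Forbidden(Exception):
    """Valid token, but not allowed to touch this object (HTTP 403)."""


def authenticate(token: str) -> Token:
    """Authentication only: who is calling? Says nothing about what they may touch."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized() from None


def get_camera_vulnerable(token: str, device_id: str) -> str:
    """The pattern described in the post: any valid token reaches any device."""
    authenticate(token)
    return DEVICES[device_id]["camera"]


def get_camera_secure(token: str, device_id: str) -> str:
    """Authentication, then object-level authorization, then token scope."""
    caller = authenticate(token)
    device = DEVICES.get(device_id)
    # Ownership check. Fail closed, and answer the same way for "no such device"
    # and "not yours" so the endpoint does not confirm which device IDs exist.
    if device is None or device["owner"] != caller.user:
        raise Forbidden()
    # Scope check: a token minted for one device must not work for the owner's others.
    if caller.device_ids is not None and device_id not in caller.device_ids:
        raise Forbidden()
    return device["camera"]


class DeviceAccessMonitor:
    """Flags a principal that touches many distinct devices within a time window."""

    def __init__(self, max_devices: int, window_seconds: float):
        self.max_devices = max_devices
        self.window = window_seconds
        self._seen: Dict[str, Dict[str, float]] = {}  # user -> {device_id: last_seen}

    def record(self, user: str, device_id: str, now: Optional[float] = None) -> bool:
        """Record one access; return True when the user exceeds the distinct-device limit."""
        now = time.time() if now is None else now
        seen = self._seen.setdefault(user, {})
        seen[device_id] = now
        # Forget devices not touched within the window.
        for dev, ts in list(seen.items()):
            if now - ts > self.window:
                del seen[dev]
        return len(seen) > self.max_devices


def call(handler: Callable[[str, str], str], token: str, device_id: str) -> Tuple[int, str]:
    """Tiny HTTP-style wrapper so the two handlers can be compared side by side."""
    try:
        return 200, handler(token, device_id)
    except Unauthorized:
        return 401, ""
    except Forbidden:
        return 403, ""
    except KeyError:
        return 404, ""


if __name__ == "__main__":
    print(call(get_camera_vulnerable, "tok-alice", "dev-1002"))   # (200, 'frame-bob-2'): IDOR
    print(call(get_camera_secure, "tok-alice", "dev-1002"))       # (403, '')
    print(call(get_camera_secure, "tok-alice-1001", "dev-1003"))  # (403, ''): scope enforced
```

The important design choice is in `get_camera_secure`: the owner comparison happens on the loaded object before anything is returned, and a missing device and someone else's device produce the same answer, so the endpoint cannot be used to enumerate which IDs exist. The monitor keys on distinct device IDs per user rather than request volume, which is what separates "one owner polling their vacuum" from "one token walking the fleet".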
The lesson is as old as APIs themselves. But the universe found a way to teach it with a robot vacuum and an Xbox controller.
Originally posted on LinkedIn.
Building an API or IoT platform? Make sure your auth doesn't let strangers drive your customers' vacuums. FREE TECHNICAL TRIAGE →