Xiaomi Smart Home integration with Google disabled following possible breach

[WkdPaul]

Looks like there was an issue with some Xiaomi branded cameras that, under the right circumstances, would show random still images of other Xiaomi camera users. Apparently Google disabled the integration with Xiaomi's cameras (I don't use Xiaomi smart devices or Google Nest Hub personally, so I can't verify if it's limited to cameras only or if it's the whole Xiaomi's smart ecosystem that was disabled, one article mentions it's limited to some cameras?).

 

Quote

After a user discovered that his Google Nest Hub was showing images from a stranger’s home when he tried to stream from his own Xiaomi security camera, the software giant has disabled any integration between its smart home systems and the Chinese tech manufacturer.

 

The instance was reported by Reddit user /r/Dio-V and was then picked up by Android Police. The tech news publication reached out to Google and received the following statement: “We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices."

 

Android Police then clarified that this does indeed mean that all Xiaomi Mi Home integration with Google Assistant has been disabled.

 

Quote

Specifically, /r/Dio-V was trying to view a live stream directly from his Xiaomi Mijia 1080p Smart IP Security Camera on the display of his Google Nest Hub but, instead, was shown a series of still images from other peoples’ homes.

 

 

Apparently since then, the issue was resolved by Xiaomi, but the integration wasn't re-enabled since they're still looking at the root issue.

Quote

Xiaomi has confirmed the issue and said that it has fixed the problem that some were experiencing. 

 

A spokesperson for Xiaomi told TechRadar, “We are aware there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Home hub. We apologize for the inconvenience this has caused to our users.

 

"Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. 

[...]

Xiaomi has confirmed that a potential 1044 users could have been affected by the issue. The company also said it would not be an issue if the camera is linked to the Xiaomi’s Mi Home app.

 

 

This type of stuff is why I personally have stayed away from most smart devices, the only ones I currently have are smart bulbs and smart plugs. I do have cameras, but those are wired and I'm using a home server that I've secured myself, accessing it is a bit of a pain, but I prefer having a non standard installation that is finicky to access rather than something that I have to access through a 3rd party. IOT are somehow badly designed when it comes to security, yet are advertised and sold based on being there for security reasons.

 

Sources ;

https://www.techradar.com/news/google-disables-xiaomi-smart-home-integration-after-major-security-breach

https://www.androidpolice.com/2020/01/02/uh-oh-xiaomi-camera-feed-showing-random-homes-on-a-google-nest-hub-including-still-images-of-sleeping-people/

Edited January 3, 2020 by wkdpaul

[Levent]

I wonder how the hell does that even happen. I mean look at it.

https://www.androidpolice.com/wp-content/uploads/2020/01/DASH_1080.mp4

[williamcll]

An unfortunate risk with cloud devices. Better to use cameras with their own dedicated server and personal DDNS. 

[elfensky]

Seems to be the whole ecosystem, as google says "it can't reach Mi Home" and I can't control my smart lights or plugs.

[williamcll]

Update: XiaoMi and Google is now testing the patch. They have made a statement, translated and condensed below:

Quote

1. On January 2, 2020, Beijing time, we learned that Mi Home Security Camera Basic 1080p, there is a small probability that when receiving Google Go screen speakers through Google Home Hub, the camera will start streaming images other google user accounts. The related service is a new test function that was launched on December 26, 2019. We have communicated with the related platform. The service was suspended at 17:00 on January 2, 2020 and related bugs were fixed.

 

2. Mi Home Security Camera Basic 1080p linked with google Home Hub function is one of the functions developed by Xiaomi for Google Smart Home System. The aforementioned bug appeared in Mi Home Security CameraBasic 1080p when it was connected to Google with screen speaker products through the Google Home Hub platform, there was a very small probability that it would appear under weak network conditions. The total number of users who have been investigated for relevant usage scenarios is 1044, of which only a few are likely to be affected.

 

3. Domestic users, and all users using Mijia App platform and Xiaomi Mijia related cameras (including Chinese and overseas users) will not be affected. At present time, the Xiaomi Security Center has communicated with Google and have fixed related bugs. After the two parties have jointly tested and improved, we will re-launch the function in due course. Xiaomi has always attached great importance to users' security and privacy, and will continue to fully protect users' rights and interests.