Naked Security

Google suspends Xiaomi from Home Hub over camera privacy glitch

A user reported to Google that he was seeing images from other people's devices.

Google has temporarily disconnected Xiaomi’s IP cameras from its Home Hub service after a user reported that he was seeing images from other people’s devices.
Google’s Home Hub is the company’s answer to Amazon’s Echo – a connected home automation display controlled via the GUI and a voice assistant. You can use it to control your thermostat and lighting, ask Google Assistant questions, and see still images from the connected IP cameras around your house. Unfortunately, Xiaomi’s cameras began displaying images from other people’s houses too.
Reddit user u/Dio-V found that Xiaomi’s Mijia 1080p IP camera was showing still images from other people’s homes when he accessed it via his Google Home Hub.
The camera, which Dio-V said was purchased new and had up-to-date firmware, produced multiple images from other people’s Xiaomi cameras when viewed through the Google device. To prove his point, he posted images on Reddit including a sleeping baby, a person resting in a chair, and someone else seated at a table. Whoops.

Both Google and Xiaomi moved quickly to address the issue. The Chinese manufacturer admitted the mistake and explained that it was down to a caching issue on its server. In a statement sent to several outlets it said:

Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions.
We have also found 1044 users had such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to Xiaomi’s Mi Home app.
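Xiaomi’s statement blames a server-side cache change and “poor network conditions”, but gives no detail of how one household’s frame ended up on another’s hub. The following Python is an added illustration written for this article, not Xiaomi’s or Google’s code, and its mechanism is an assumption: it shows the general class of bug, a snapshot cache whose entries are not tied to the requesting account and which falls back to “the last good frame” when the camera is slow, alongside a hardened version that authorises the request, keys the cache on (owner, camera) and fails closed on a timeout rather than substituting someone else’s image. The camera IDs, owners and frame bytes are constructed sample data.

```python
# Added example for this article: an assumed, hypothetical mechanism for a
# cross-customer snapshot leak, not code from Xiaomi, Google or the article.
import time
from typing import Dict, Optional, Tuple

# Constructed sample data: two households, one camera each (not real devices).
CAMERA_OWNER = {"cam-A": "alice", "cam-B": "bob"}
LATEST_FRAME = {"cam-A": b"JPEG:alice-nursery", "cam-B": b"JPEG:bob-kitchen"}


class DeviceTimeout(Exception):
    """Raised when the camera does not answer in time (poor network)."""


def fetch_from_device(camera_id: str, reachable: bool) -> bytes:
    """Stand-in for pulling a fresh frame from the camera over the network."""
    if not reachable:
        raise DeviceTimeout(camera_id)
    return LATEST_FRAME[camera_id]


class LeakySnapshotCache:
    """Vulnerable pattern: a single 'last good frame' slot shared by every
    request the node serves, and a fallback to it whenever a device is slow.
    Nothing records which camera (or which customer) the slot came from."""

    def __init__(self) -> None:
        self.last_good: Optional[bytes] = None

    def get(self, user: str, camera_id: str, reachable: bool) -> bytes:
        try:
            frame = fetch_from_device(camera_id, reachable)
            self.last_good = frame
            return frame
        except DeviceTimeout:
            # "Improve streaming quality" by hiding the timeout... with a
            # frame that may belong to a different household.
            if self.last_good is not None:
                return self.last_good
            raise


class ScopedSnapshotCache:
    """Hardened pattern: authorise the request, key the cache on
    (owner, camera_id), store the owner with the entry and re-check it on
    every hit, expire entries, and never serve one camera's frame for
    another. A timeout is reported to the hub instead of being papered over."""

    def __init__(self, ttl_seconds: float = 5.0) -> None:
        self.ttl = ttl_seconds
        # key -> (owner, frame, stored_at)
        self.entries: Dict[Tuple[str, str], Tuple[str, bytes, float]] = {}

    def get(self, user: str, camera_id: str, reachable: bool,
            now: Optional[float] = None) -> bytes:
        now = time.monotonic() if now is None else now
        if CAMERA_OWNER.get(camera_id) != user:
            raise PermissionError(f"{user} does not own {camera_id}")
        key = (user, camera_id)
        hit = self.entries.get(key)
        if hit is not None:
            owner, frame, stored_at = hit
            # Defence in depth: the entry must still belong to the requester
            # and must be fresh; otherwise fall through to a real fetch.
            if owner == user and now - stored_at <= self.ttl:
                return frame
        frame = fetch_from_device(camera_id, reachable)  # DeviceTimeout propagates
        self.entries[key] = (user, frame, now)
        return frame


def demo_leak() -> bytes:
    """Alice's hub refreshes normally; Bob's camera times out and the shared
    fallback hands Bob the frame from Alice's nursery."""
    cache = LeakySnapshotCache()
    cache.get("alice", "cam-A", reachable=True)
    return cache.get("bob", "cam-B", reachable=False)


def demo_fixed() -> str:
    """Same sequence through the scoped cache: Bob gets a timeout, not a frame."""
    cache = ScopedSnapshotCache()
    cache.get("alice", "cam-A", reachable=True)
    try:
        cache.get("bob", "cam-B", reachable=False)
    except DeviceTimeout:
        return "timeout"
    return "leaked"


def demo_cross_account_request() -> str:
    """Bob asks for Alice's camera directly: refused before the cache is touched."""
    try:
        ScopedSnapshotCache().get("bob", "cam-A", reachable=True)
    except PermissionError:
        return "denied"
    return "served"


if __name__ == "__main__":
    print("leaky cache served Bob:", demo_leak())
    print("scoped cache result for Bob:", demo_fixed())
    print("scoped cache, Bob requests cam-A:", demo_cross_account_request())
```

The point of the hardened version is not the TTL but the two ownership checks: one on the request, one on the cached entry itself, so that a mis-keyed or shared cache node can never return bytes that were stored under a different account. Failing closed on a slow device costs a blank tile on the hub; failing open costs someone else’s nursery.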

A Google representative responded to Dio-V’s complaint directly in the Reddit thread the day after it surfaced, asking for clarification via direct message. The following day, Rachel (Google employee and community manager for Google Home Products) explained:

Late night on January 1st, we were made aware of an issue where a Reddit user posted that their Nest Hub was able to access other people’s Xiaomi camera feeds. We’ve been working with Xiaomi and we’re comfortable that the issue was limited to their camera technology platform. While we worked on this issue with Xiaomi, we made the decision to disable all Xiaomi integrations on our devices. We understand this had a significant impact on users of Xiaomi devices but the security and privacy of our users is our priority and we felt this was the appropriate action.
We’re re-enabling Xiaomi device integrations for everything but camera streaming after necessary testing has been completed. We will not reinstate camera functionality for Xiaomi devices until we are confident that the issue has been fully resolved. We’ll keep you updated with information as more becomes available to share.

Several Redditors were understandably concerned about the issue, however temporary it might have been, with some calling it “creepy”.
While both companies dealt with the problem as quickly and efficiently as they could, it highlights an ongoing issue with cloud-based IoT services, which are vulnerable to mistakes and technical glitches. We’ve seen cameras that send images to the wrong people before, and others with security bugs that make them potentially accessible via the Shodan search engine.
What can you do to protect yourself from vendor mistakes?
One drastic solution is to avoid relying on the cloud at all and set up your own self-hosted home automation system that you can configure not to send your data to third parties. The Self Hosted podcast has more information on that. It would mean running your own server (which could be a Raspberry Pi) and setting up a decent VPN for remote access, so that nothing on your home network is exposed directly to the internet.
It’s certainly not simple but it would make a fun personal project for the technically minded.

1 Comment

Setting up a home server for self-hosting, of course, is the best in terms of privacy and security (if properly set up). But this totally defeats the idea of cloud-accessible and IoT concepts. They’re “consumer” products; not IT professional products. If asking for a solution, not really though. It all depends on the manufacturers self-regulating. Just like we all depend on Microsoft/Apple on our own computer. Or our own smartphone depends on vendors and Google/Apple too.
