Update: Xiaomi told MediaNama that “a very small number of users in India were potentially affected by the issue,” where Xiaomi smart security camera users accessing the feed via Google’s Nest Hub could see strangers’ images. It told us that the company was “aware [that] there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Nest Hub”. The company did not reveal the exact number of Indian users that might have been affected due to this flaw, and clarified that it hasn’t received any reports from Indian users thus far.
Xiaomi claimed to have solved the issue, and further stated that “the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality,” and blamed “poor network conditions” for causing the issue. It further said:
“We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app.” — Xiaomi
Yet again, the company hasn’t clarified the number of people that might have been affected from the vulnerability. Interestingly, Xiaomi also said that it “has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved”. This suggests that Xiaomi is only banking on “poor network conditions” to justify the flaw, and is still uncertain about the “root cause”.
Earlier: A user of Xiaomi’s Mijia, a smart home security camera, said on Reddit that their Google Nest Hub smart display started showing images from strangers’ cameras, including a sleeping baby in a crib. This was first reported by Android Police. At this moment it is unclear what exactly caused this problem. A Google spokesperson confirmed to MediaNama that the company has disabled Xiaomi’s integration on its devices as a result of this problem, and issued the following statement:
“We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.” — Google
Google did not give reasons behind the issue, and did not clarify if this is an isolated instance. We have reached out to Xiaomi for more information.
How do Xiaomi’s camera and Google’s Nest Hub work? The Google Nest Hub is essentially a smart home display which can be connected to security cameras, like Xiaomi’s Mijia. Users can then play feeds captured from the security cameras on the Nest Hub display, except in this case, the user started seeing images from someone else’s camera! The user was running the current firmware of the Xiaomi Mijia camera (3.5.1_0066).
Could users in India have been affected? Xiaomi launched a security camera in India in 2018, and Google’s Nest Hub smart display was launched here in 2019. At this moment, it isn’t clear if Indian users of these devices have also been affected by this vulnerability. Google did not clarify this, and we are awaiting a response from Xiaomi.
A word of caution: The Android Police report does caution that this could be an “elaborate hoax”, however, clarifies that since the issue appears intermittently, and shows still images rather than video footage, it could potentially be a “pretty high-effect for a fake”. It is worth mentioning that the thread on Reddit, where the user had talked about the problem, has been locked by moderators of Google Home.
How secure are security cameras? This isn’t the first time “smart” security cameras have displayed vulnerabilities.
- In December 2019, a vulnerability in Wyze’s smart home cameras and devices compromised the data of about 2.4 million customers, including information like usernames, email addresses, camera nicknames, device models, firmware information, Wi-Fi SSID details, API tokens for iOS and Android, The Verge had reported.
- The same month, a user of Amazon’s Ring security camera in USA’s Mississippi said that a stranger gained control over the camera and could see and talk to his 8 year old daughter via the camera.