Google Blocks Xiaomi From Its Platform Due to a Security Incident
People do tend to overreact to cybersecurity news every now and again, especially when the incident revolves around one of an increasing number of IoT devices that are becoming an integral part of our everyday lives. Sometimes, security researchers find vulnerabilities in those gadgets, which often create apocalyptic headlines and predictions of impending doom. In some cases, however, the media attention is completely unwarranted because the vulnerability is difficult to exploit, and an attack in the wild is impractical.
Recently, people have been talking about a bug in one of Xiaomi's cheap surveillance cameras. It has attracted quite a few reports, both from specialized and mainstream news outlets. We'll now try to find out if the whole brouhaha is justifiable.
A video feed mix-up can have severe privacy consequences
The first thing we should probably mention is that the bug was not discovered by a security researcher. It was disclosed last week by a Reddit user going by the nickname Dio-V who had bought a cheap IP surveillance camera from the internet. The camera in question was the Xiaomi Mijia 1080p – a seemingly perfect solution for anyone trying to get video surveillance on a budget. In addition to the attractive price of about $20, the Mijia 1080p also offers integration with Google Home and Amazon's Alexa.
A Google Home owner, Dio-V, was eager to hook up the new Xiaomi camera to his network and see how it works. He connected it to his Nest device and tried to access the video feed. Instead of seeing a familiar room, however, he saw a still photo of someone else's home. Puzzled, he refreshed the feed, and he was greeted with another still image, this time of a different person's house.
The timestamps on the images suggested that the cameras Dio-V was looking at were located in different parts of the world. They were all Xiaomi Mijia 1080p cameras, though, which gave Dio-V a pretty good idea of where the bug lies.
He shared his findings on Reddit, and the thread went viral pretty quickly. This shouldn't really be a surprise.
Google suspends Xiaomi's Home product integrations because of the bug
The bug discovered by Dio-V was extremely serious. Some of the leaked images were corrupted, but despite this, the vulnerability meant that photos of unsuspecting people were being leaked while they were in the privacy of their own homes. What's more, while the exploitation of other IoT security holes often requires some form of "hacking," guessing passwords, or scanning the internet for misconfigured networks, in the case of Xiaomi's cheap IP camera, the bug manifests itself the moment the user takes the device out of the box. Because of this, Google waited for no second invitation, and it immediately suspended all Xiaomi Mi Home integrations with Google Home, despite the fact that the Chinese electronics giant hadn't confirmed the existence of the problem at the time.
Later, Xiaomi admitted that the bug was real. It was caused by a cache update implemented on December 26 that was designed to improve the camera's streaming quality. According to a statement quoted by Android Police, the vulnerability had a limited impact. Xiaomi apparently found out that only 1,044 cameras were affected, and of them, only those who had a poor network connection might have ended up showing images of other people's houses. The vendor apologized for the issue and assured users that it has now been resolved. Whether Google has restored Xiaomi Mi Home's integrations, however, remains unknown for now.
In this particular case, we can safely say that the attention this incident attracted is entirely justifiable. Worse still, it serves as proof that the more connected the world becomes, the more bugs like this we'll witness. Xiaomi is not the first big vendor to find out that its products can compromise people's privacy, and you can be pretty sure that it won't be the last. This is something you should probably think about before you connect the next novelty gadget to your home Wi-Fi network.