A Xiaomi Mijia camera user discovered a security breach when he was able to see still images from random other people's homes while trying to stream content from his camera to a Google Nest Hub.
On the Reddit thread, the user uploaded a video depicting the issue. He also provided screenshots of his camera feed, including stills of people sleeping and an infant in a cradle. After news broke, Google entirely disabled Xiaomi integration for Google Home and the Assistant while it worked out the issue with Xiaomi. A Google spokesperson provided a news outlet with the following statement: "We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices."
Xiaomi also reached out to the news outlet and said that it had fixed the issue. "Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions. We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app. Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again."
James McQuiggan, security awareness advocate, says, "Google took an appropriate step in their incident response process to remove the risk of someone else experiencing the same 'cache update' issue with these types of webcams. This is important why software developers working with third party systems invest heavily in the security of not only the device, but also the data access controls as well. While this issue is extremely bad, consumers should continue to be vigilant regarding the data and their systems and to alert the developers when they have security concerns."