Xiaomi IoT Cameras Leak Private Stills via Google Home Hub

Worried Xiaomi Mijia IP camera users are finding other people’s images displayed on their Google Home Hubs. The problem seems to be linked to a botched software update.

Google has disabled the integration with the Chinese camera service. Both companies say they’re investigating the problem.

The immediate privacy issue is obvious. But, in today’s SB Blogwatch, we worry what it says about our broader attitude to IoT privacy and security.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mr. BS by PMJ.


Show Me, Xiaomi

What’s the craic? Aunty’s anonymous Beeb-gnomes report—“Google bars Chinese firm access over security bug”:

 A user in the Netherlands alleged that his Google Home Hub began displaying photos from unidentified locations on its smart screen when he accessed his camera, made by Xiaomi. … The images included a man sleeping on a porch, what appeared to be a shop security camera, a stranger’s kitchen, and a child resting in a cot.

A Google spokesperson said it was working with Xiaomi on a fix and said it had suspended any integration with the Chinese firm’s devices until further notice. A spokesperson for Xiaomi [said it] “suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.”

And Thomas Maxwell utters, “Yikes”:

 That’s not ideal. … It’s unclear what exactly caused this issue to occur.

The snafu is just the latest in a series of security problems that have plagued internet-connected smart home gadgets. Amazon has been hit with lawsuits following reports that bad actors were gaining unauthorized access to its Ring connected cameras. … Another security camera company, Wyze, recently admitted that personal data on 2.4 million of its customers was exposed when the company set up a new server improperly.

Did somebody mention Wyze? TheScientists wakes up to inform the world:

 Wyze cams are re-badged Xiaomi cams, so let’s hope they don’t double-down on their recent **** up.

What’s the solution? rldp suggestifies thuswise:

 Stop using Chinese equipment. What did you expect? That a culture that doesn’t believe in privacy was going to respect your privacy?

Any clue what went wrong? Nick Felker’s idea sounds plausible:

 Technically when you would ask to see your camera, an authenticated request is made with the access token on Google’s side to the partner server. It’s possible that the OAuth implementation Xiaomi has is buggy or has low entropy.

Or is it a societal problem? Oligonicella swearily scoffs at your indolence:

 Amazingly, I and my daughter have together raised two generations without the “need” to watch them sleep. But if you want to check? Walk up the ****ing stairs. What lazy ****s people are becoming.

Or are you pondering what vesinisa’s pondering?

 Probably a race condition. I once worked at a bank where the core banking system had a bug where if you asked for account data for user X it would, about once in a thousand queries, return data for some unrelated user Y if the system was under a high load.

This massive, embarrassing bug was not really documented anywhere, i.e. “silent information.” You just “had to know” when writing code against this API that once in a blue moon, it could return data for the wrong user.
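The wrong-user failure mode in vesinisa’s bank story, and the ownership binding that a token-authenticated lookup of the kind Nick Felker describes ought to enforce, as an added example that is not from the post nor from Google’s or Xiaomi’s code: a toy camera service that keeps the authenticated user in shared state hands one user’s frame to another when two requests interleave, while the request-scoped version with an owner check does not. Users, tokens, camera ids and image labels are constructed.

```python
import threading

# Constructed sample data (not from the article): two users, their tokens, cameras and frames.
TOKENS = {"tok-alice-0001": "alice", "tok-bob-0002": "bob"}
CAMERAS = {"alice": "cam-001", "bob": "cam-002"}
FRAMES = {"cam-001": {"owner": "alice", "image": "alice_porch.jpg"},
          "cam-002": {"owner": "bob", "image": "bob_kitchen.jpg"}}


class BuggyCameraService:
    """Keeps the authenticated user in shared state: a second request overwrites
    it before the first has read its frame (the race vesinisa describes)."""
    def __init__(self):
        self.current_user = None                 # shared by every in-flight request

    def snapshot(self, token, gate):
        self.current_user = TOKENS[token]        # step 1: resolve the access token
        gate.wait()                              # stand-in for load: another request interleaves here
        cam = CAMERAS[self.current_user]         # step 2: reads state that may now belong to someone else
        return FRAMES[cam]["image"]


class SafeCameraService:
    """Request-scoped identity plus an ownership check at the boundary."""
    def snapshot(self, token, gate):
        user = TOKENS[token]                     # lives only in this call's frame, never shared
        gate.wait()
        frame = FRAMES[CAMERAS[user]]
        if frame["owner"] != user:               # defense in depth: refuse any frame the caller does not own
            raise PermissionError("frame owner does not match token subject")
        return frame["image"]


def run_concurrent(service):
    """Issue both users' requests at once; returns {user: image that user received}."""
    gate = threading.Barrier(len(TOKENS))       # forces both requests past step 1 before either reads
    results = {}

    def worker(token):
        results[TOKENS[token]] = service.snapshot(token, gate)

    threads = [threading.Thread(target=worker, args=(t,)) for t in TOKENS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaked(results):
    """True if any user received an image that is not from their own camera."""
    return any(img != FRAMES[CAMERAS[u]]["image"] for u, img in results.items())


if __name__ == "__main__":
    print("buggy:", run_concurrent(BuggyCameraService()))   # one user sees the other's frame
    print("safe: ", run_concurrent(SafeCameraService()))
```

The barrier makes the interleaving deterministic so the leak reproduces every run; in production the same window opens only under load, which is why such bugs surface rarely and are hard to document.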

Meanwhile, nimbius is understanding:

 I can understand how this is a huge issue.

I personally haven’t experienced this data breach. Unfortunately my neighbor has, and he’s been extremely upset about it. The man was pacing his bedroom all morning and, as of yet, hasn’t touched his breakfast—despite the fact his wife clearly made pancakes this morning. Truly this must be a very stressful time for him, but unfortunately I will never know for certain unless he moves into CAM_003 near the liquor cabinet.

And Finally:

Please turn me over



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Dio-V and thisiszuul

Richi Jennings


Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
