Google has temporarily removed Chinese company Xiaomi’s integration with its Google Home and Nest products after a user began reporting a security issue in which other users’ feeds were showing up on their display. The issue reportedly impacts a user who owns the Xiaomi Mijia 1080p Smart IP security camera, a model that supported Google’s products until today.
The potential security issue appeared from user ‘Dio-V’ on the subreddit /r/GoogleHome on January 1. In an initial video shared by the user, we see a smart display used to view the Xiaomi camera feed, which results in a random still image loading. Dio-V claims this image — and others like it — aren’t coming from their own camera, but rather from models belonging to other camera users.
The same user shared more than half a dozen additional images from the same camera feed, all of them showing similar partially pixelated still images seemingly plucked from other random camera feeds. In another comment, the user says their camera is running firmware version 3.5.1_0066 and was purchased directly from AliExpress.
Of note, this bug doesn’t seem to extend all the way to playing live videos of other users’ feeds, but rather appears to start to load a feed that ends up frozen and partially corrupted essentially as a still image. It’s unclear what exactly is happening at this point in time, but given the fact that so many of these cameras are located indoors, it’s a major privacy issue.
In a statement to Android Police, Google acknowledged that it is aware of the report and that it has gotten in contact with Xiaomi about fixing the issue. Until that fix arrives, however, it has terminated the company’s integrations on its devices, meaning Xiaomi camera owners can no longer pull up their camera feeds on a Google smart display.
As well, the lack of integration means that Mi Home products can no longer be controlled using Google Assistant commands. Xiaomi has not commented on the matter at this time and it’s hard to anticipate how long the lack of integration may persist.
Update (1/10/2020): Xiaomi has given SlashGear the following statement on the issue:
“Xiaomi has always prioritized our users’ privacy and information security. We are aware there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Home hub. We apologize for the inconvenience this has caused to our users.
Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions.
We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app.
Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.”
Update (1/16/2020): Xiaomi offered further assurances that the issue has been fully resolved in a statement today. They’ve also given a bit of an apology, as follows:
“We now confirm that we have fully resolved the root cause of this issue, and Xiaomi’s Google integration service has resumed from 16, January. Users can now use Xiaomi’s Mi security camera services via Nest devices. At Xiaomi, we take user privacy and information security as top priority. We sincerely apologize for any inconvenience caused for affected users. We will take even stronger measures to prevent such incidents in the future.”