We reported yesterday that a Xiaomi Mijia smart camera user’s Google Nest Hub had been showing him photos from random Mijia users, including photos which appear to look into a child’s nursery, a porch and a lounge.
The company has now confirmed the issue and released a statement to XDA-Dev explaining what happened:
Xiaomi has always prioritized our users’ privacy and information security. We are aware there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Home hub. We apologize for the inconvenience this has caused to our users.
Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions.
We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to Xiaomi’s Mi Home app.
Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.
Google had earlier responded to the issue by disabling Xiaomi’s integration with the Nest Hub, saying:
“We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.”
This also reportedly stopped the exfiltration of the images.
As we noted earlier, while incidents such as these are rare, they are not that uncommon, owing to password re-use and to vulnerabilities in the software running on these smart cameras. That suggests it may never be a good idea to allow a smart camera into an area you are not happy to eventually expose to the public.