The problem occurs when a Google Nest Hub tries to access an integrated Xiaomi Mi Home Security Camera. Under poor network conditions, the Nest Hub will display still images from other people’s cameras. But Xiaomi says the problem is ‘extremely rare.’
Home security cameras from Chinese vendor Xiaomi suffer from an alarming bug that can let them pull still images from other customers’ cameras with a Google Nest Hub smart display device.
The vulnerability prompted Google and Xiaomi to temporarily pull the plug on the security camera integration between the cameras and the smart displays until the root cause is fixed.
The problem came to light on Thursday when a Reddit user posted video and screenshots of what happens when his Google Nest Hub accesses a Xiaomi Mi Home Security camera he registered with the device. The Nest Hub will show black-and-white still images seemingly taken from other Xiaomi home security cameras connected to the internet.
When I load the Xiaomi camera in my Google home hub I get stills from other people’s homes!! from r/googlehome
(The Nest Hub was previously known as the Google Home Hub.)
Although the images are grainy and partially scrambled, they still reveal what appears to be the interior of people’s homes. One image even showed a baby lying in a crib. The problem caused Google to quickly shut down the integration with Xiaomi cameras, as first reported by Android Police. “We’re aware of the issue and are in contact with Xiaomi to work on a fix,” a Google spokesperson said.
Xiaomi is blaming the problem on a Dec. 26 “cache update” it rolled out to improve camera streaming quality. The company went on to say the bug occurs in “extremely rare conditions” when a Google Nest Hub is operating under poor network conditions.
Neither company has elaborated on the problem. But Xiaomi’s statement suggests the company’s security cameras will take a snapshot and store the image in the device’s cache when the internet is slow. But for some reason, those same images leaking on Google’s cloud network.
“We have also found 1,044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app,” the Chinese vendor added.
The spying bug was found as concerns about home security cameras have been grabbing headlines. Last month, hackers broke into internet-connected cameras from Ring by guessing customers’ weak passwords. This allowed the hackers to spy on and harass customers by using the cameras’ alarm and voice functions.
In response, Ring has been advising device owners use strong passwords and consider activating two-factor authentication. Nevertheless, the problems underscore the risks posed by internet-connected security cameras. If you buy a camera, be aware of what you’re getting into, and think twice about where you place it.