Google kills Xiaomi-Nest integration after user gets images from strangers

Weird bug feeds images from strangers' homes to Google's Nest Hub.

Crooks can hack your IoT cameras and show fake footage Researchers detail the risk posed by insecure IoT devices, demonstrating how hackers could hide evidence of a physical break-in from operators of internet-connected cameras.

We know creeps have hacked smart baby monitors to spy on families, but a bug affecting Xiaomi smart cameras linked to Google accounts creates the reverse problem: one user received unwanted images from strangers' homes when streaming content from his own camera to a Google Nest Hub.   

The bug was publicized on Reddit by a Google Nest Hub user, 'Dio', who had clicked the camera tab on the app and expected to see video from his connected Xiaomi smart camera. 

But rather than getting a view of his own house, he got still images from strangers' cameras, including images of someone's living room, a sleeping baby, a child with toys and a man sleeping in a chair. He shared the images on Reddit, which clearly show a baby sleeping in a cot.

SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

Dio's camera was a new Xiaomi Mijia Smart IP Security Camera. The device can be associated with a Google account, allowing the user to connect it with Google Nest devices. He purchased the Xiaomi camera from AliExpress this June.  

It's not clear what caused the Nest Hub to receive images from other households. However, following his report Google disabled Xiaomi integrations with its devices. 

"We're aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we're disabling Xiaomi integrations on our devices," Google said in a statement to ZDNet sister site CNET

Google said it had not received reports from other users experiencing the same problem.  

As per Android Police, Google's Xiaomi access restrictions have disabled all Mi Home integrations for Google Assistant. 

Dio told CNET his camera and the Nest Hub were running the latest firmware when he started seeing other users' photos. 

"I'm just glad I didn't have one pointed at our bed or shower," he said. 

UPDATE January 17: Xiaomi says it has now resolved the cause of the issue but didn't disclose any details about the nature of the problem. It resumed its Google integration service from January 16. 

"Users can now use Xiaomi's Mi security camera services via Nest devices," said Xiaomi. "We sincerely apologize for any inconvenience caused for affected users. We will take even stronger measures to prevent such incidents in the future."

nest-hub1.jpg

Google Nest Hub user Dio said he got still images from strangers' cameras.  

Image: Dio-V/Reddit