Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Privacy

Xiaomi Camera Feed is Showing Random Homes on a Google Nest Hub, Including Still Images of Sleeping People (androidpolice.com) 82

An anonymous reader shares a report: So-called "smart" security cameras have had some pretty dumb security problems recently, but a recent report regarding a Xiaomi Mijia camera linked to a Google Home is especially disturbing. One Xiaomi Mijia camera owner is getting still images from other random peoples' homes when trying to stream content from his camera to a Google Nest Hub. The images include sills of people sleeping (even an infant in a cradle) inside their own homes. This issue was first reported by user /r/Dio-V on Reddit and affects his Xiaomi Mijia 1080p Smart IP Security Camera, which can be linked to a Google account for use with Google/Nest devices through Xiaomi's Mi Home app/service. It isn't clear when Dio-V's feed first began showing these still images into random homes or how long the camera was connected to his account before this started happening. He does state that both the Nest Hub and the camera were purchased new. The camera was noted as running firmware version 3.5.1_00.66.
This discussion has been archived. No new comments can be posted.

Xiaomi Camera Feed is Showing Random Homes on a Google Nest Hub, Including Still Images of Sleeping People

Comments Filter:
  • by SocietyoftheFist ( 316444 ) on Thursday January 02, 2020 @01:32PM (#59579612)

    Fucking people and their "convenience"

    • Look at the resource constraints of computers in the 70s and 80s. Then try to imagine a world where streaming video from one room to another only a dozen feet away requires streaming over the Internet to a server halfway across the country and back. Privacy concerns aside, it's just pointless.

      • by DarkOx ( 621550 )

        Its not totally pointless. There is a not unreasonable in some cases desire to use the internet to remotely control device get information about your home when you are away.

        NAT and dynamic IPs are a big part of why we can't have nice things. It was the thing end of the wedge in that it provided a technical reason for this "stuff" to be tired to some third party service, because its about the only simple way to broker connections to it.

        Next what happened is all the providers of this stuff realized that; hav

        • This is why we want IPv6 to become a thing - combined with relevant security layers, of course.
          • I wouldn't be surprised if many large ISPs continue to use dynamic IPs even when IPv6 dominates as a way of distinguishing their higher tier or "business-class" services with static IPs.

          • by tlhIngan ( 30335 )

            This is why we want IPv6 to become a thing - combined with relevant security layers, of course.

            End to end connectivity is not guaranteed even with IPv6. Firewalls are a thing, and probably going to be just as hard to configure as NAT is today.

            IPv6 won't make life simpler - it's going to make life way more complex. Or we're going to revisit the 90s again when firewalls were rare and compromises rampant.

            End to end connectivity is a myth. Everything is going to be firewalled because vulnerabilities.

        • by omnichad ( 1198475 ) on Thursday January 02, 2020 @01:59PM (#59579706) Homepage

          There is a not unreasonable in some cases desire to use the internet to remotely control device get information about your home when you are away.

          I'm specifically talking about using one of these for something like a baby monitor. Or to see who's at the door when you're still at home.

          The problem behind remote access is not carrier-grade NAT or anything like that. It's that implementing real security is too much work, and they'd rather not have to do it at the device level at all.

          • Re: (Score:1, Interesting)

            It isn't too much work. Lots of remote cameras have zero security problems (including Ring). The Ring "hack" was people reusing passwords for their accounts that were previously exposed in breaches at other services. However the cheapo Chinese cameras are all using the same firmware and have always had security problems because the people that create them don't care.

          • by ShanghaiBill ( 739463 ) on Thursday January 02, 2020 @02:11PM (#59579756)

            It's that implementing real security is too much work, and they'd rather not have to do it at the device level at all.

            There is also a negative effect on demand. A company implementing proper security will sell fewer units.

            Consider these alternatives:

            1. A baby monitor that plugs in and "just works".

            2. A baby monitor that requires five minutes of set-up and device pairing.

            Which will the typical consumer prefer? Which will get the five-star reviews?

            • Re: (Score:3, Informative)

              by dAzED1 ( 33635 )
              which is why there should be a $50,000 fine for every breach. You could say the same farking thing about nearly anything -who would pay $5 for lettuce that was picked by people treated well and who got bathroom breaks, when you can pay $1 for people who are treated as slaves and have to crap on the lettuce while they're picking it? Unbridled capitalism is horrible for everyone other than the ultra-rich. The rest of us are just sheep.
              • treated as slaves and have to crap on the lettuce while they're picking it

                Wow. Talk about straw.

                • by dAzED1 ( 33635 )
                  are you seriously not aware that the reason there were so many recalls of lettuce, is the farms where most of it is grown for the US wouldn't allow the workers to take bathroom breaks, so they were just squatting in the fields then going back to work? And that where they squatted there was crap (obviously) but that it was also on their hands at that point - I mean, what do you think they wiped with? Their hands, and lettuce. All so you can pay less.
              • I don't know man. That's five times the price. I'm pretty sure the conglomerate that owns the farms could be decent enough to rent some porta-potties like we do around here for apple harvest season. I would like to believe that damn near everyone would pay $1.25 for that lettuce over the $1 shit lettuce.
            • Painters tape over the lens is real security. As for a microphone, a small portable radio whose speaker is placed close to the device's microphone will pretty much take out the microphone's ability to monitor audio. The radio's volume can be surprisingly low too. Having the speaker as close as possible to the mic is the key. These microphones are incredibly sensitive. My private testing of them shocked me.
          • by DarkOx ( 621550 )

            I'm specifically talking about using one of these for something like a baby monitor. Or to see who's at the door when you're still at home.

            And someone might want to be able to remotely access the baby monitor to see how the sitter is handling things, or see who rang the door bell while they were away, the might want to head home if their amazon package is sitting on their door step.

            I'd be the first to agree not everything needs to be connected to the internet but there are somethings in a lot of situations where its not totally crazy to do so. I also agree that CG-NAT / home - NAT / IP exhaustion are not the problems but getting everyone to se

      • by jellomizer ( 103300 ) on Thursday January 02, 2020 @02:10PM (#59579750)

        Back in the early 2000's Microsoft and some other companies tried pushing the idea of Home Servers to the users.
        The idea never really took off. I think partially is because at this time, Microsoft has lost a lot of trust from the home user, with all the viruses and worms attacking windows, and its general reliability problems. But I think it was mostly because people didn't want to pay a couple grand for a computer that they will not use as a personal computer.

        Cloud Services for good or for bad, took this upfront cost of getting a home server and using the expansion of wi-fi and broadband internet had created a case where IoT was more appealing to the home user.

        Being everything is a service, there is little attention needed for the hard stuff like making sure your device talks the same protocol as your competitors.

        Yes we have the technical ability to have most of our IoT features to not be IoT as a low end PC can handle most of the requests for a normal home. But people will buy smart devices, but not a home server.

        • Yes we have the technical ability to have most of our IoT features to not be IoT as a low end PC can handle most of the requests for a normal home. But people will buy smart devices, but not a home server.

          The smart device already has an embedded OS. It can BE the server.

        • by AmiMoJo ( 196126 )

          Home servers failed because they were too complex. Consumers like the cloud because it's very simple for them.

          They don't understand security either.

      • Look at the resource constraints of computers in the 70s and 80s. Then try to imagine a world where streaming video from one room to another only a dozen feet away requires streaming over the Internet to a server halfway across the country and back. Privacy concerns aside, it's just pointless.

        Well, assuming you never want to get your stream from far away it's pointless. But if you do want to have that ability, then streaming over the Internet is a requirement. And most people do want that. So then the engineering question becomes whether you build two different access mechanisms, one for local use and one for remote, or whether you just build the remote one and use it for local access as well. That's clearly much simpler, and complexity is the enemy of both reliability and security.

        Also, m

    • Re: (Score:3, Insightful)

      by rldp ( 6381096 )

      Stop using chinese equipment. What did you expect? That a culture that doesn't believe in privacy was going to respect your privacy?

      I set up a web cam set up to keep an eye on my pets from work, it's perfectly secure. A one-liner in (command line) VLC.

      No reason your all-in-one internet web cam couldn't use that same one line, unless they willingly choose not to.

      • by Anonymous Coward
        Oh oh. AmiMoJo/CoffeeBacon will be coming after you. He has to do he work.
    • Re: (Score:1, Interesting)

      What does it have to do with convenience? How are you supposed to monitor a camera stream when are you away from home? Magic? It has to go over the Internet.

  • It's a FEATURE!

  • by account_deleted ( 4530225 ) on Thursday January 02, 2020 @01:39PM (#59579644)
    Comment removed based on user account deletion
    • by BeerFartMoron ( 624900 ) on Thursday January 02, 2020 @02:01PM (#59579714)
      There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Google Nest Hub plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live -- did live, from habit that became instinct -- in the assumption that every sound you made was overheard, and, even in darkness, every movement scrutinized.
      • by pz ( 113803 ) on Thursday January 02, 2020 @11:22PM (#59581280) Journal

        There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Google Nest Hub plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live -- did live, from habit that became instinct -- in the assumption that every sound you made was overheard, and, even in darkness, every movement scrutinized.

        And for those that missed the reference, this passage is an adaptation from Orwell's 1984; an adaptation with only a very minor change.

  • by Anonymous Coward on Thursday January 02, 2020 @01:42PM (#59579654)
    You did this to yourselves. You insisted that the illusion of security was worth giving up your privacy, which so-called 'social media' has so thoroughly brainwashed and indoctrinated you to believe was worthless. Now you've got Chinese companies literally poking their noses into your bedrooms, and who-knows-who-else is spying on you now, too, using equipment you bought and paid for yourselves. Then you take your mobile wireless surveillance platform with you everywhere you go, too, and have your eyes glued to it every spare moment, so the front-facing camera can watch your face so the watchers can gauge your emotional state, as well as verify it's you, listen to everything going on around you, and know within a few feet where you are on Earth. Your so-called 'smart TV' is logging and transmitting back everything you watch, even if it's local media files. Your so-called 'smart speaker' you have in every room is listening to everything going on in your house, 24/7. Your utility usage is being monitored in realtime and they can tell exactly what appliances you're using, when, and for how long -- assuming that is you forgot to buy 'smart appliaces' as well so they directly transmit back eveything you're using them for. Your refrigerator is monitoring and transmitting what food you have, what you eat, when you eat it, how often you buy it, and so on. Your wirelessly connected car with GPS is tracking all your movements, how fast you're driving, your driving habits, and so on. Congratulations, you're a fucking LAB RAT running in a maze. You're like a convict in prison, watched 24/7/365. And the biggest joke of all: you have NO REAL SECURITY, you only have the ILLUSION of security, and for that ILLUSION you gave up every shred of privacy, every shread of dignity you ever had, and YOU ARE NOT LIKELY TO EVER GET IT BACK. They're watching you masturbate. They're watching you fuck your wife. They're watching you take a dump. Your entire life is being judged, every single second of it, and you did this to yourselves!

    Now go tell Alexa to play you a sad song, so you can sink back into denial and ""'feel""" better about your destroyed life.
    • Is that you Morpheus?
  • why the hell is that not deadly??

    Seriously, who the hell puts a damn camera into his damn bedroom?

    And what can we do, to help you, nature, and cure this fear and anxiety epidemic?

    Sincerery,

    a brain user.

    • Seriously, who the hell puts a damn camera into his damn bedroom?

      Perhaps someone with a suspicious spouse.

    • by btroy ( 4122663 )
      We call them laptops, phones, and tablets.

      Cameras, Microphones, oh my!

      At least half of Android devices are off security support.

      Who ever imagined IoT devices, all typically built off of Android, would be any better.
    • Security. But I would expect a physical off switch and a fully mechanical shutter when I'm sleeping in there.
    • by nwf ( 25607 )

      Seriously, who the hell puts a damn camera into his damn bedroom?

      Paris Hilton. There are others. All dumb.

    • by PPH ( 736903 )

      Seriously, who the hell puts a damn camera into his damn bedroom?

      Cam whores [thefreedictionary.com]

      Although I suspect that since this involves an income stream, their security is locked down pretty well.

    • by gtall ( 79522 )

      Errrm....I'm guessing you don't have elderly parents for whom to care.

  • I know technical solutions are possible and exist, however lack of consumer demand for secure products makes it unlikely that IoT will ever be secured. We spend the last couple years trying to educate consumers with no observable effect.

    Time to try something different. I suggest we need to spend more resources on setting up honeypots feeding fake video loop and poisoning the indexing data so it is harder to find actual live cameras. Very few peeping toms will have resources or knowledge to produce their o
    • Or we could, maybe, regulate the industry. Maybe, just maybe, an industry foundation [iotsecurit...dation.org] along with government [forbes.com] regulation [ieee.org] could change things for the better.
    • Time to try something different. I suggest we need to spend more resources on setting up honeypots feeding fake video loop and poisoning the indexing data so it is harder to find actual live cameras.

      Yeah, no. How about we edumacate some local news teams on how to find these insecure cameras, then set them loose making stories on how insecure they are. They get some high-clickrate stories, some idiots who deserve it get shamed, and hopefully either people quit buying these insecure pieces of crap; or the makers start thinking of security.

      Keep in mind, there are hundreds of ways to be insecure. You wanna setup a honeypot for each one? IMHO, much better to shame idiots in the most high profile way

  • One Xiaomi Mijia camera owner is getting still images from other random peoples' homes when trying to stream content from his camera to a Google Nest Hub. The images include sills of people sleeping (even an infant in a cradle) inside their own homes.

    This is not actually a security issue, but a paranormal issue. If people die in a particularly horrific way, images of them just before their death can linger on the internet, looking for a compatible host. Just sprinkle a little holy water on your router and

  • of software quality

  • I would use IoT if the system streams directly to my phone, and there is no connection to Teh Cloud whatsoever. The only 3rd party service used would be an e-mail provider of my choice to send my phone's dynamic IP to the home system so a direct connection can be established. But beyond that everything would be heavily encrypted and passworded so even an e-mail spoofer could not gain access to the system.
  • by dAzED1 ( 33635 ) on Thursday January 02, 2020 @03:07PM (#59580002) Journal
    I wanted a harmony so I could control all my entertainment stuff without much effort. Got one, and it really really wanted to be online doing whatever idiocy. I blocked it at my router, and moved on - it worked fine, everything was fine. Then one day I replaced my router and forgot to block the harmony - which autoupdated itself to a version which cannot function at all unless it is online, and the device won't support restoring a previous version of the firmware. Now I cannot for the life of me find a universal remote that doesn't want to be controlled via the outside internet, even though I'm sitting in my TV room wanting to control my "TV" and nothing else. There is ZERO justification for any of these device to leave the local network with their communication. If you want to enable some reporting function you check online if the user agrees, then great, but to be completely unfunctional without doing all communication out to the internet, then back? Absolutely stupid.
  • This has to a thing, right? With a million random cameras leaking all over the internet, tell me that dozens of them aren't in the rooms of teenage girls. Or maybe your thing is watching random people sleeping. When I was an undergrad, there was someone in the dorm arrested for exactly this - he would go into people's rooms and watch them sleep.
  • by FeelGood314 ( 2516288 ) on Thursday January 02, 2020 @03:27PM (#59580060)
    Privacy comes in second last in considerations in the protocols. Convenience of use is number one and easy of implementation two. Authentication is what comes in last. Authenticating that device A is really supposed to be talking to device B, sending it information and responding to commands from B is last. The information might be encrypted but it could easily be going to the wrong place. Telling an IoT device who it is supposed to talk to, even which network it is supposed to join, is hard to get right. It is made even harder since most people want to use WiFi whose authentication is backwards for any small IoT devices that have no interface. So expect this problem to get a lot worse as the density of IoT devices increases and more and more devices incorrectly start talking to the wrong things.

    I try and explain privacy and authentication this way. You want your bank balance to be private, that is no one else knows your balance. However, even more important, you want your bank account to authenticate you, only you can withdraw money from your account. So many people think of security as only privacy when authentication is actually more important.
    • Authenticating that device A is really supposed to be talking to device B, sending it information and responding to commands from B is last.

      I'm not a network security guy, but I've always understood the distinction between authentication and authorization as: Authentication is verifying who you are; Authorization is verifying what you can do. Was this only a local convention I learned and assumed it was an industry standard?

      • I tend to combine the two. For IoT devices I don't really care that device is MAC 001BC500B00030F8, I care what it is allowed to do. For a human there is often something else associated with you {mailing address, language preference, credit score...}. For a light switch I really don't care much other than which lights it is allowed to turn on and off and the fact that it shouldn't be opening the front door. (or in the case of an aquarium thermostat not accessing financial records https://www.washingtonp [washingtonpost.com]
  • That’s why Apple’s approach is the right one - encrypt locally before uploading and keep the key in the user’s account.

    That is: if you want a camera as a cloud service at all.

    I don’t see the point in having one in my home and if so I would set up something, locally, myself. But I see how this requires too much know how for many users.

    • by FeelGood314 ( 2516288 ) on Thursday January 02, 2020 @04:11PM (#59580230)
      It probably is encrypted locally. Just it is being encrypted with the wrong key and being associated with the wrong account. The camera has no interface, it has to be told what key to use and what account to send the stream to. This is non-trivial problem especially if you users don't want to have to have some sort of secret on the camera that a user enters into their account. As a developer you just have to guess that device A was joined to network B and it may have talked to app C on phone D and it joined the network while user E was adding devices. So you make a guess based on this information. If you are right 98% that's good enough. (I'm allowed a 2% failure rate. I know others companies accept higher). Unfortunately that 98% is based on a number of assumptions that include the number of IoT networks. As the number of networks increase the chance of a miss pairing increases.
      • Iâm thinking of this from a developers position because I am a developer.
        The video of the camera in the OP is not encrypted locally (within the LAN) in any meaningful. If it was, the remote viewer could not view it without the proper key - and they would not have access to that key.
        IIRC Apple Homekit Secure Video ( https://support.apple.com/en-u... [apple.com] ) seems to analyze the video on Apple-Devices (iPad, AppleTV, ...) for recognition purposes, and then encypt it with keys valid in the users homekit context

  • Behold the amazing benefits of cloud computing.. your video on my computer.

    Imagine what the NSA, CIA, Russian, and Chinese can see. :)

    Looks like it is time to go back to home servers and NAS servers.

  • No one is holding a gun to your head and making you put these things in your home. You want to one-up your friends, you want to get on the bleeding edge of tech then it comes with strings.

    No, these companies shouldn't be "spying" on you but they invested a shed-load of cash on designing these devices and the lab and beta tests can only go so far..so they will bend the rules just a little to make sure the devices are working properly and working as they expect and what's the harm in grabbing a little free in

There are never any bugs you haven't found yet.

Working...