Google Disables All Xiaomi Device Integrations Pending Security Review (google.com)
New submitter jasonbuechler writes: Related to the Xiaomi post the other day, Google has entirely disabled Google Assistant/Home integration with Xiaomi devices pending further testing. Google issued the following statement:
Hi everyone,
Late night on January 1st, we were made aware of an issue where a Reddit user posted that their Nest Hub was able to access other people's Xiaomi camera feeds. We've been working with Xiaomi and we're comfortable that the issue was limited to their camera technology platform. While we worked on this issue with Xiaomi, we made the decision to disable all Xiaomi integrations on our devices. We understand this had a significant impact on users of Xiaomi devices but the security and privacy of our users is our priority and we felt this was the appropriate action.
We're re-enabling Xiaomi device integrations for everything but camera streaming after necessary testing has been completed. We will not reinstate camera functionality for Xiaomi devices until we are confident that the issue has been fully resolved. We'll keep you updated with information as more becomes available to share.
UPDATE: Speaking to Engadget, Xiaomi says that the issue occurred due to a cache update, which made the stills pop up if a user had that camera and that display under poor network conditions. According to the company, only 1,044 users had this setup with a "few" experiencing the poor network connection that would make it appear, and they have fixed the issue on their end. The full statement is available on Engadget's report.
Re: Has to be recycled equipment if it's a cache i (Score:2)
Re: (Score:2)
Re: (Score:2)
I think they meant shitty cachet. I have a Xiaomi device that tracks my steps and my sleep. I know it sends my data back to China, but I care about my privacy so I don't pair it with a Google Home device (just my Android phone) because I really don't care that much anymore.
As for shitty cachet the Mi Band has it. Nothing says "prestige" like sporting a $35 fitness/sleep tracker.
Re: (Score:2)
It must be a local cache if it's used in poor network conditions. So they are downloading random people's images to your local cache?
Re:Has to be recycled equipment if it's a cache is (Score:4, Insightful)
No, I am pretty sure they mean a server-side cache. Assume your camera drops off the network, then the server would just serve that last received image. Except it wasn't an image from your camera...
It also demonstrates that they have nearly no security on the server.
Re: (Score:1)
E.g. user (1) has a bad network connection and has been assigned an ID post sign-in. Server (not cache) times out the connection, reassigns the ID to user (2), perhaps due to bad sharding or because somebody stupidly chose a non-UUID.
Now either
i) cache serves image from (2) to (1) before the user (1) session is marked as not authenticated.
ii) cache serves image from (1) to (2) due to cache not being made aware yet that the user has changed (probably as
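The failure the two comments above hypothesize (a server-side cache serving a stale last frame after an ID has been reassigned), shown next to a cache keyed by a stable camera ID with an owner check. This is an added example, not code from the thread, Xiaomi or Google; every class name, ID and frame value is constructed for illustration.

```python
import uuid

class SlotKeyedCache:
    """Last-still cache keyed by a small, recyclable connection slot."""
    def __init__(self):
        self.frames = {}                      # slot -> last frame received

    def store(self, slot, frame):
        self.frames[slot] = frame

    def fetch(self, slot, viewer):
        # Flaw: 'viewer' is never checked, and nothing evicts the entry when
        # the slot changes hands, so the new holder gets the old frame.
        return self.frames.get(slot)

class OwnerBoundCache:
    """Last-still cache keyed by a stable camera ID, with the owner recorded."""
    def __init__(self):
        self.frames = {}                      # camera_id -> (owner, frame)

    def store(self, camera_id, owner, frame):
        self.frames[camera_id] = (owner, frame)

    def fetch(self, camera_id, viewer):
        entry = self.frames.get(camera_id)
        if entry is None or entry[0] != viewer:
            return None                       # fail closed: no frame, not someone else's
        return entry[1]

FRAME_1 = b"constructed-still-from-user1-camera"

def slot_reuse_scenario():
    cache = SlotKeyedCache()
    cache.store(7, FRAME_1)                   # user1's camera holds slot 7
    # user1 times out on a bad link; the server reassigns slot 7 to user2
    # without telling the cache. user2's display then asks for the cached still.
    return cache.fetch(7, viewer="user2")

def owner_bound_scenario():
    cache = OwnerBoundCache()
    cam1, cam2 = str(uuid.uuid4()), str(uuid.uuid4())
    cache.store(cam1, "user1", FRAME_1)
    return (cache.fetch(cam1, "user2"),       # wrong viewer -> None
            cache.fetch(cam2, "user2"),       # nothing cached yet -> None
            cache.fetch(cam1, "user1"))       # rightful owner -> frame
```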
the explanation sounds like placeholders? (Score:2)
which would be actually believable.
Re: (Score:2)
These aren't placeholders. The video I've seen shows a corrupted image arguably from another user's camera, and not something you'd show as a placeholder.
Xiaomi's explanation doesn't make much sense given the symptoms -- why would caching produce issues only when the network is problematic, and then return corrupted images? (Usually, when I see "caching," I think: You messed up your CDN configuration and are allowing the CDN to cache private data, but that isn't the case here.)
My best guess given the sympto
It still points out the power of public shaming (Score:5, Insightful)
A bug report filed with most companies will be put in the "queue" to investigate (someday).
When vulnerabilities are posted to social media sites with high readership, some companies will finally pay attention...
Re: (Score:2)
The feeling is mutual. (Score:1)
I disabled Google on all my devices.
Because I do not suck Trump dick.
(And if you are now stupid enough, to assume that must mean I side with the "other side", then just please, for all of us, just put yourself down.)
ring ring (Score:1)