A Reddit user, Dio-V, was trying to stream footage from his Xiaomi security camera into the display of his Google Nest Hub, when he discovered that he was getting still images from the homes of other people instead.
The Redditor wrote: "When I load the Xiaomi camera in my Google home hub I get stills from other people's homes!!"
Streamed footage from other people's homes
He posted a video and several photos of the breach on the r/googlehome Reddit thread, a user community for discussions related to Google Home and Google Nest Hub.
Here are the photos:
The camera used was the Xiaomi Mi Home Security Camera Basic 1080p.
The Google Nest Hub, for the uninitiated, is a tablet-like smart display with a speaker.
Users can use the Google Nest Hub to control compatible lights, camera, TVs and other devices at home.
Google and Xiaomi responds
A Google employee, identified only by her first name Rachel, has since responded to the thread on Reddit with the following statement:
Late night on January 1st, we were made aware of an issue where a Reddit user posted that their Nest Hub was able to access other people’s Xiaomi camera feeds. We’ve been working with Xiaomi and we’re comfortable that the issue was limited to their camera technology platform. While we worked on this issue with Xiaomi, we made the decision to disable all Xiaomi integrations on our devices. We understand this had a significant impact on users of Xiaomi devices but the security and privacy of our users is our priority and we felt this was the appropriate action.
We’re re-enabling Xiaomi device integrations for everything but camera streaming after necessary testing has been completed. We will not reinstate camera functionality for Xiaomi devices until we are confident that the issue has been fully resolved. We’ll keep you updated with information as more becomes available to share.
According to Xiaomi's statement, the issue was caused by a cache update on Dec. 26, 2019, which was designed to improve streaming quality.
The issue may affect 1,044 users with such integrations under extremely poor network conditions.
The issue will not happen, however, if the camera was linked to the Xiaomi's Mi Home app.
Xiaomi also mentioned that users now will not be able to link their Xiaomi devices with Google devices until the security breach has been fully resolved.
Here's Xiaomi's statement in full:
Xiaomi has always prioritized our users' privacy and information security. We are aware there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Home hub. We apologize for the inconvenience this has caused to our users.
Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions.
We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to the Xiaomi's Mi Home app.
Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.
According to Google's statement, they are aware of the issue and are working on fixing it, and have disabled the use of Xiaomi devices with Google devices in the meantime.
We're aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we're disabling Xiaomi integrations on our devices.
It is currently unclear how this will affect Singaporean users who may be using a similar set-up at home.
Mothership.sg has reached out to Xiaomi for comment and will update this article when they reply.
Top image via Xiaomi's US website and Dio-V's Reddit thread