back to article Don't Xiaomi pics of other people's places! Chinese kitmaker fingers dodgy Boxing Day cache update after Google banishes it from Home

Xiaomi has blamed some post-Christmas cache digestion problems after finding itself plonked on the naughty step by Google – which blocked the Chinese tech conglomerate's devices from its Nest Hub and Assistant last night. This follows a shocking glitch where one Xiaomi Mijia security camera owner was able to peer into the …

  1. Ryan 7

    So reading between the lines on their statement...

    I guess they were using a short integer of some sort to store the cache ID, which was intended not to overlap when it loops... unless the request is very delayed by a shitty connection?

    Just use a UUID or similar, FFS!

    Oh, and probably close the security hole where I can presumably insert someone else's cache ID into an unauthorised request.

    1. Anonymous Coward
      Anonymous Coward

      Re: So reading between the lines on their statement...

      There's an infinite expanse of "FFS" extending out in many dimensions.

      Some companies put v4 UUIDs on all objects because it's difficult to make their choice of ORM software fetch generated IDs from the database. Generating a good v4 UUID is, of course, incredibly slow so they globally replace the secure random number generator with a pseudo-random number generator. Sometimes they don't even chose a PRNG that can create enough unique values to store the expected number of objects.

      Posting as anon so the guilty may fail by running out of UUIDs rather than getting exploited.

  2. Mephistro Silver badge
    Big Brother

    My apologies for stating the obvious:

    The cache wasn't being kept in the owner's smartphone, as they could access other people's pictures.

    Therefore an important question is whether said cache was kept and managed in Google servers or in Xiaomi ones.

    And a more important question is why-the-eff said cache was accessible without password + encryption.

    This was no bug, it was a feature.

    1. SloppyJesse

      Re: My apologies for stating the obvious:

      Sounds like an app bug that revealed an architectural flaw feature.

      1. Mephistro Silver badge

        Re: My apologies for stating the obvious:

        "My God, it's full of stars dominoes!"

        ;^)

  3. Blockchain commentard Silver badge
    Facepalm

    So, I can use this when the missus catching me on camera banging the babysitter - 'honest love, it's a well known feature, must be someone else'.

    Makes my year :-)

  4. Sammy Smalls

    Why use this stuff?

    Aren’t there enough stories of privacy ‘mishaps’ happening with sensitive devices like this to make them generally a bad idea?

    1. PaulR79

      Re: Why use this stuff?

      The simple answer is something about the product appeals to the buyer. Some might understand and accept the privacy risks for peace of mind to watch property or check a babysitter, for example, isn't swinging their baby around like a flag. There are others who will just see it, not fully understand the possible privacy risks and think it's 'cool' or another vernacular. They just want one or were impressed when someone showed it to them / they saw a demo.

      I don't need an Echo Dot. I wanted one so I got one. I'm aware that it's effectively a live mic 24/7 listening for an action word but it offers convenience on some things. I may not end up using it much at all so for me it's exploring the tech and lazily turning my light on and off right now. I delete the recordings and have to trust that they are purged when I do so. If not, well, Amazon and co are welcome to hear me demand my lights be turned on and off.

      1. NetBlackOps

        Re: Why use this stuff?

        With zero chance of a love life, no visitors, they can listen to me talking to my cat! That and swearing at my computers.

        1. spold Silver badge

          Re: Why use this stuff?

          You shouldn't have put such a clear privacy notice on your door - you probably scared everyone off. If you make it 64 pages long and finish it off "by pressing the doorbell I confirm I have read and understood..." then everyone will ignore it and press your doorbell anyway, so accepting it; you will likely get more visitors, possibly even a love life (ditch the christmas sweater now).

          You likely have an indoor cat, and I'm sure the policy states that anyone inside is deemed to have accepted the policy, hence you still have a cat. Cats, like humans, will generally sell their privacy for tuppence anyway, or in this case likely a kitteh treat.

          1. NetBlackOps

            Re: Why use this stuff?

            A belly rub.

  5. Slx

    Internet enabled cameras in private areas of your house. What could possibly go wrong?

    I don't quite understand the market for some of these things. We lived for millennia without any need to install cameras in the private areas of our homes and all of a sudden we're voluntarily installing devices connected to the world's largest data slurping companies and often made by or connected to a bunch of Chinese manufacturers, who may or may not have connections to one of the most Big Brother authoritarian states to have ever existed and somehow that's all fine.

    I would be extremely uncomfortable with CCTV systems inside my home. I don't really have a bit issue with them in public spaces where you don't have an expectation of privacy, but in your home?!

    I know my alarm company in Ireland started to offer motion detectors with cameras as standard with their systems and they lost my business after decades of service as I wouldn't have such creepy technology anywhere near the inside of my home.

    If you want to mount internet connected, cloud based camera systems onto the interior walls of your home, in my view, you've idiotically torn up any notion of privacy in the home and opened you private life and space to glitches, hacks and malevolent behaviour by all sorts of actors.

    1. MNB

      Re: Internet enabled cameras in private areas of your house. What could possibly go wrong?

      Just because it has motion detection neither means nor requires an internet connection to t'cloud. Unless of course the feature was "upload of motion" not motion detection itself. All the motion detection actually requires is the ability to compare consecutive frames and a memory card.

      1. JimC

        Re: motion detection neither means nor requires an internet connection to t'cloud

        True of course, but if the reason you've bought motion detecting cameras is to try and trap lowlives thieving from your premises then you do want the image storage off site so that the images don't get stolen with everything else.

        1. whitepines Silver badge
          Boffin

          Re: motion detection neither means nor requires an internet connection to t'cloud

          Well, of course, but it should be encrypted on premises at minimum so that Slurp Inc. can't also trawl through it (or expose the footage to would-be thieves), no?

          I for one won't ever use this kind of tat. Use a Raspberry Pi and upload to a NextCloud instance you have somewhere, that's probably 1000% more secure. Of course, you actually have to pay for it vs. having your data sold to pay for the service, so pick one but don't complain if you pick the "Free!" option and get your stuff stolen or held for blackmail for stuff you thought you did in private (that was Wifey in the video, right? Shame if the HD footage ... surfaced somewhere and showed something ... else... )

      2. Slx

        Re: Internet enabled cameras in private areas of your house. What could possibly go wrong?

        They were a combined device - a motion detector which took a stream of photos or short video bursts when tripped and when the system was armed. These were uploaded and controlled by the company's monitoring centre, without any transparency on how they were connected or hosted and they were not optional in the upgrade to the system, so they lost my business and I went with another supplier entirely, who didn't insist on such overkill.

  6. steviebuk Silver badge

    I'd like someone...

    ...to do test on cleverdog cameras. I think they are a bit shit but got them for the cats. Curious to know how insecure they are as I suspect they have a flaw somewhere. Ironically they state in their t&c that if you find any flaw in their setup. Server or kit, then its not their fault :)

  7. IGotOut
    FAIL

    Nothing new...

    Was doing this sort of crap around the year 2000 with some of he first IP cameras around. You dropped in a specific string into Google an bingo, access to hundreds of cameras around the world. Full control over pan and tilt, which meant you could shove a security camera to face a wall.

    20 years later and the same dumb mistakes are being made over and over

    1. GruntyMcPugh Silver badge

      Re: Nothing new...

      @IgotOut: "string into Google"

      If that's the flaw I recall,... it was because the cgi-bin folder got published and was indexed, and the web cam installer put it's application in there, so if you searched for those files, you got the keys to the kingdom,.. is that the one?

  8. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    I can see Uranus

    1. TimMaher Bronze badge

      I can’t.

      It’s a bit cloudy around here.

      Must be the smoke blowing in from Oz.

  9. Number6

    I have two basic precautions, one is to be very careful where internet-facing cameras are positioned (all mine are outdoors covering entrances) in case there's a breach and the other is to firewall the cameras from the outside world anyway, because they're set up on the internal network and something else has the responsibility of storing and preserving the generated images and videos. They do email me images when tripped, but that comes via another internal machine.

  10. A random security guy

    Cache access problem without authentication?

    Nowhere did I see any mention of cache access authentication. I think the problem is way deeper and they are just hoping that using unique ID's will make the problem go away. This is what GDPR and CCPA are slowly but surely addressing. I doubt that if the fix is simple else Google would not have disabled integrations; bugs (and even security bugs) occur frequently and are patched all the time. There must have been something more systemic.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020