It’s time for another Quick Check! This time, we’ve taken a look at the devices that had the IT-SiK, the seal of approval from the BSI. We’re particularly interested in two categories in which we also conduct tests: Smart cameras and smart cleaning and gardening robots. However, within these categories, there are only two devices whose certificates expired on January 31, 2024, and have not been renewed or extended yet. Given our recent experiences with various cameras in the Quick Check, we decided to take a closer look at Xiaomi’s camera. Although it’s priced at 60 euros, slightly more expensive than the last two cameras in the Quick Check, it provides an exciting basis for comparison.
Features
The Mi 360° Home Security Camera 2K Pro, manufactured for Xiaomi Communications Co., Ltd., offers a range of quite impressive features and functions for indoor monitoring.
With a resolution of 3 megapixels and a 360° panoramic view, this camera provides detailed images and comprehensive surveillance of the entire monitoring area. The Low-Light Fill-Color technology enhances visibility in low-light conditions.
The camera features AI-based human detection, allowing it to distinguish between humans and other moving objects. This helps reduce false alarms and enables more precise monitoring.
Furthermore, the Mi 360° Home Security Camera 2K Pro offers physical lens blocking and dual-microphone noise reduction for increased privacy and clear audio recordings.
Connectivity options include Wi-Fi and Bluetooth, enabling easy integration into existing networks. The camera is lightweight and easy to install, weighing only 349 g.
With a resolution of 1296p and a viewing angle of 110°, it provides good detail recognition and coverage of the monitoring area. Recordings can be stored on a microSD card with a capacity of up to 32 GB.
The Mi 360° Home Security Camera 2K Pro is compatible with Android version 4.4 and iOS version 9.0 and above, ensuring wide compatibility.
Overall, the Mi 360° Home Security Camera 2K Pro offers a comprehensive solution for indoor surveillance with various useful features and easy integration into existing systems.
Mobile applications
The corresponding application is the Android app “Xiaomi Home”. This app allows users to both control and communicate with their devices. They can also set up connections between their devices and the network, as well as link the devices to each other.
We reviewed the application (com.xiaomi.smarthome) version 9.2.702 and subjected it to the usual static and dynamic tests.
Enabling cleartext network communications within an Android application exposes transmitted data to potential interception and manipulation by unauthorized parties monitoring network traffic. This poses a significant security risk, particularly when sensitive information like passwords, credit card details, or personal data is involved. Even if the transmitted data isn’t sensitive, the use of cleartext communication remains a vulnerability. Cleartext or plaintext HTTP traffic is susceptible to manipulation through network poisoning techniques like ARP or DNS poisoning. This leaves the door open for attackers to potentially tamper with the app’s behavior, compromising its integrity and user trust. Our recommendation is to always deactivate this function.
Furthermore, the application’s signature is not optimally protected, as all three signature variants (V1, V2, and V3) are signed. This makes it possible to attack the v1 signature, for example, through a Janus vulnerability in Android 5.0-8.0. This leads to the next point: the application can be installed on versions of Android 6.0-6.0.1, [API=23], and newer. However, we recommend only installing on Android version 10, [API=29], as Android devices running this version still receive security updates. (Google only supports versions of Android 12, [API=31]).
Another issue is that the firmware update is not installed automatically. However, it’s positive that the user can manually install it through the app and receive a notification to update.
Additional problems were uncovered during the code analysis.
The detected issues with SharedPreferences are false positives since they are correctly configured and use the value MODE_PRIVATE, which means they can only be read and written by the app itself. From Android version 17 onwards, the other modes that allow global readability and writability are deprecated and not recommended. The places where debugging is enabled should be disabled.
Another issue concerns encryption algorithms. The ciphers used are outdated and have publicly known vulnerabilities that could allow attackers to bypass them. As a result, the encrypted data is no longer secure, and it is recommended to migrate to more secure and up-to-date algorithms.
During our analysis, we also considered the trackers, and compared to the previously tested cameras (A9 Battery IP Camera, WI-FI Panorama Camera), we found that this time there are more trackers. These trackers cover various areas. There are three different trackers analyzing the usage of the application, and one is responsible for app monetization. The Facebook Login tracker is responsible for logging into Facebook, and AutoNavi/Amap is a Chinese provider of web mapping, navigation, and location-based services. Bugly is a software manufacturer specializing in error detection and tracking.
Local and online communication
Before the user can get started; the application requires the user to create an account. For this, an email and a password are needed. However, the requirements for the password are concerning, as only 8 characters and 2-character types are required. It would be advisable to at least follow the recommendations of the BSI by using either a longer password or a combination of at least four character types (uppercase and lowercase letters, numbers, and special characters). However, it’s worth noting the positive aspect of two-factor authentication via a PIN sent by email is a very welcome additional security measure.
Next up is the initialization of the camera. To do this, the user has to press a button to add a new device and allow Bluetooth. Then, the user can scan the QR code on the bottom of the camera. Afterward, the user is asked to choose the Wi-Fi network and connect to it. Initially, the smartphone connects to the camera’s temporary Wi-Fi, and then it connects to the designated network. With that, the camera setup is complete. Of course, the user can also give the camera a name and assign it to a room or group. When operating the camera, the user is now prompted to set a PIN, although this is purely optional. We would appreciate it if this were mentioned during the setup process.
Messages are first sent to a server, whereby the messages look as shown in the picture. Afterwards, the camera is notified. The messages that are sent to the server consist of 5 parameters: data, rc4_hash__, signature, _nonce, and ssecurity. The ssecurity is extracted from a miserviceToken, and the __nonce is created from the time difference between the creation of the token and the current time. These two are then combined and hashed using the SHA-256 algorithm. The hash is then used as a secret key for the RC4 encryption of the data. Finally, the signature is created over the values. This way, the messages are protected against replay attacks by the time difference and against alterations by the signature. Of course, the parameters are converted to base64 for transmission. However, it is worth noting that RC4 already has some known vulnerabilities, and we recommend switching to an algorithm without open vulnerabilities, for example, by using Rabbit, as described here.
The Bluetooth connection can only be used for setup and not for video transmission. Additionally, only one account can be connected to the camera, and to reconnect the camera to a different account, a physical reset must be performed on the camera.
Data protection and privacy
Once again, we took a closer look at the privacy policy.
The privacy policy specifies the contacts for the contact person in the EU as well as a general contact person for all cases via email. Furthermore, there is detailed information on which data is collected from the user, broken down for each function of the product. Additionally, users have the right to access, modify, delete their data, and withdraw their consent for storing new data.
It is emphasized that no data is sold to third parties. However, if third-party solutions such as for localization are used, the data received is encrypted.
A significant drawback is that the privacy policy contains a paragraph that effectively overrides this statement. It is stipulated that the privacy policy of Xiaomi supersedes the privacy policy of Mi Home/Xiaomi Home and in case of discrepancies, the one from Xiaomi takes precedence. Consequently, the user must read and understand at least two privacy policies. Since most users typically do not read the privacy policy or only skim through it, this fact can be easily overlooked.
Furthermore, in our analysis, some trackers were found. However, the privacy policy only mentions Facebook and AutoNavi. Thus, Bugly, Google Firebase Analytics, Pangle, and Tencent Stats are not explicitly mentioned. In our dynamic analysis, however, we could only observe activity from the Facebook tracker and the Google Firebase Analytics tracker.
Finally, some basic data regarding the privacy policy: It consists of 3,441 words with an average of 23.9 words per sentence. The reading time is 4.54 minutes, and the calculated readability of the text according to Flesch-Kincaid is at a college level, meaning that a language understanding equivalent to a completed college degree is required to understand the privacy policy.
Verdict
All in all, the Xiaomi camera is a good product. There are some minor concerns here and there, as mentioned in the code analysis and the privacy policy. This reflects our expectations of the product, which successfully passed the BSI certification test. However, it can also be seen that there is potential for improvement in terms of security. We are therefore unable to give it a top rating. In summary, it is a solid product without any serious problems and a superior solution in terms of security compared to the previously tested products.