Desiring a bedside lamp with a remote control, [Peadar]’s wife bought a Xiaomi Yeelight, an LED model with an accompanying Android app. And since he’s a security researcher by trade, he subjected the app to a close examination and found it to be demanding permissions and phoning home to a far greater extent than you’d expect from a bedside light.
His write-up is worth a read for its fascinating run-through of the process for investigating any Android app, as it reveals the level to which the software crosses the line from simple light-controller into creepy data-slurper. The abilities to create accounts on your device, download without notification, take your WiFi details and location, and record audio are not what you’d expect to be necessary in this application. He also looks into the Xiaomi web services the app uses to phone home, revealing some interesting quirks along the way.
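The first step of the kind of investigation the write-up walks through is simply reading the decoded AndroidManifest.xml and asking, permission by permission, why a lamp controller would need it. The script below is an added example, not code from [Peadar]’s post: it pulls every `<uses-permission>` out of a manifest (e.g. apktool output), flags the ones the article lists as unexpected for a light, and also lists any component exported to other apps. The manifest it runs on is a constructed sample under an invented package name, not the real Yeelight manifest, and the “suspect” list is the reviewer’s own, not Android’s dangerous-permission classification.

```python
"""Triage the permissions declared in a decoded AndroidManifest.xml.

Added example, not from the original post. Parses a (constructed) manifest,
reports permissions a lamp controller has no obvious need for, and lists
components that are exported to other apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; the package name and components are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lampapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
    <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <application android:label="Lamp">
        <service android:name=".UploadService" android:exported="true"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

# Reviewer's own list of permissions that need a justification in a lamp app,
# with the note a reviewer would write next to each.
SUSPECT = {
    "android.permission.RECORD_AUDIO": "can capture microphone audio",
    "android.permission.ACCESS_COARSE_LOCATION": "location; also gates Bluetooth/Wi-Fi scan results on Android 6+",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.AUTHENTICATE_ACCOUNTS": "can create and manage accounts on the device",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads (firmware, or anything else)",
    "android.permission.GET_TASKS": "can enumerate other running apps",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps' background processes",
    "android.permission.READ_PHONE_STATE": "phone identifiers such as the IMEI",
}


def _attr(el, name):
    # Manifest attributes live in the android: namespace; element tags do not.
    return el.get(f"{{{ANDROID_NS}}}{name}")


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [_attr(el, "name") for el in root.iter("uses-permission")]


def exported_components(manifest_xml):
    """Components with android:exported="true", i.e. reachable by other apps."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            if _attr(el, "exported") == "true":
                found.append((tag, _attr(el, "name")))
    return found


def triage(manifest_xml):
    """Map each declared suspect permission to the reviewer's note."""
    return {p: SUSPECT[p] for p in declared_permissions(manifest_xml) if p in SUSPECT}


if __name__ == "__main__":
    for perm, why in triage(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    for kind, name in exported_components(SAMPLE_MANIFEST):
        print(f"exported {kind}: {name}")
```

The permission list only tells you what the app may do; pairing it with the exported components shows what other apps on the phone can make it do, which is the next thing to check before reading the decompiled code.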
This story has received some interest across the Internet, quite rightly so, since it represents a worrying over-reach of corporate electronic intrusion. It is interesting, though, to see commentary whose main concern is that the servers doing the data-slurping are in China, as though somehow in this context the location is the issue rather than the practice itself. We’ve written before about how some mildly sinister IoT technologies seem to bridge the suspicion gap while others don’t; it would be healthy to see all such services subjected to the same appraisal.
As a postscript, [Peadar] couldn’t get the app to find his wife’s Yeelight, let alone control it. That the spy part of the app works while the on-the-surface part doesn’t speaks volumes about the development priorities of its originator.
Image: Xiaomi Yeelight website.
Creepy, I’d send that thing to the ‘strip for parts’ pile straight away, might give the control chip a whack with a strong magnet on the way.
If it is running on Android (or iOS) there is already a massive layer of tracking and snooping built in (for free).
I’d like to add some clarification on this. Sure, he was using this for Bluetooth lights, but this app is also used for Wi-Fi bulbs. I have scanned these quite a bit and yes, it is very chatty. But Yeelight has a “developer” mode that you can enable which means you don’t need this app or any external communication.
Somehow sent before I was finished. I wouldn’t trust any app that calls out, let alone any IoT device, but you can help protect yourself from any of these by simply enabling developer mode and not allowing any external communication to and from these devices if you must use a device like this.
Standard procedure for every app released in/by the middle kingdom.
Why this xenophobia? US-based Intel, AMD are selling chips with NSA-backdoor included, Microsoft Windows 10 is calling home, and I don’t want to know about Google, Yahoo, Apple, Amazon, Facebook, etc.
All big corps are doing this because there is no regulation to prevent this, and your information is money.
Remember, when it’s free, it means that YOU are the product.
Not xenophobic at all, I have lived, worked and raised the extended family here for 20+ years; the only difference between US-based corporations and others is that there is public oversight there, compared to non-transparency here.
Public oversight over Intel ME? Are you joking?
That article is pretty wrong, and he received a response from xiaomi regarding his concerns.
All the Wi-Fi related stuff is used for device discovery, this is how Wi-Fi enabled lights work. The microphone isn’t really listening, it’s the OK Google hotword not working on the emulator; the mic is used for a function that syncs the light to music the phone hears. Account permissions are used for the cloud-synchronized Mi account.
Overall there are some really bad Chinese iot devices, but this one isn’t it.
Xiaomi sent a response so everything is OK?
How naive are you?
Doesn’t say much for his tech skills if he couldn’t get the app to work!
(Mine works rather well, and the Wi-Fi connection is to allow operation of devices via app from outside the home).
While there are serious issues with data protection / security when it comes to China (talking about the new data protection act nobody really seems to fully understand and no clarification from official side is provided, even when asked for) … I find the China-bashing in comments peculiar, too.
I recently set up a new web server. It took me about 6 hours to get the services running that I needed for a specific task. Over those 6 hours the server got attacked from almost 100 different IP addresses (it only had a public IPv4 address, no public record entry of any kind yet). Of those IP addresses only a small part originated in China (20%?), most actually were US and South America based, some Russian, some South European, some Turkish. Yes, I know that IP spoofing, proxying and hacked servers all around the world are a thing. I am merely stating my experience that “all around the world” is a thing, too. It’s not always just the Chinese.
And with that bombshell, it’s time to end the show.
I’ll literally bet my balls most of the non-Chinese or Russian IPs are from botnetted IoT devices that have laughable security.
Go back to before the “Internet EVERYTHING” trend made tech illiterate people buy lots of insecure Internet enabled tech and you’d see China, Russia and similar countries dominate the list.
I have months of firewall logs that provide deeper analysis opportunities. Probes on ports specific to MS SQL Server, LDAP, SMTP, etc. come from IP addresses that are not scanning a range of ports. They check a single port and never come back. Searching those same IP addresses on DShield.org, those IP addresses are not reported by more than a few other participating firewall admins, if any at all. Instead of compromised hosts drawing network attention by port-scanning all ports across many hosts on the network, attackers have distributed their scans across vast botnets with no single entity performing enough work to get itself blacklisted. These botnets are comprised of IoT devices around the world like these lamps and even their companion Android phone apps. Hacked servers are likely minority participants in these botnets as their value is in data gathering, not recruiting additional bots.
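The pattern described in the comment above, many sources each touching one port once, is invisible to a per-source threshold, which is exactly why a one-shot probe never ends up on a blacklist. The script below is an added example, not the commenter’s own tooling: it parses netfilter/UFW-style drop lines, builds the classic per-source profile (hits and distinct ports), and then inverts the view to count, per destination port, how many distinct one-shot sources hit it. The log lines are constructed samples using RFC 5737 documentation addresses; the thresholds are arbitrary starting points.

```python
"""Spot distributed single-port probes in firewall drop logs.

Added example, not from the original comment. Per-source counting catches a
classic port scanner; per-port counting of distinct one-shot sources catches
a scan spread across a botnet where no single source does enough to stand out.
"""
import re
from collections import defaultdict

# Constructed sample log: four unrelated one-shot hits on 1433, one on 389,
# and one host walking six ports in two seconds (a classic scanner).
SAMPLE_LOG = """\
Jan 12 03:14:05 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=41234 DPT=1433
Jan 12 03:14:09 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=50012 DPT=1433
Jan 12 03:15:41 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=4444 DPT=1433
Jan 12 03:16:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.150 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=60001 DPT=389
Jan 12 03:16:30 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.201 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=33001 DPT=1433
Jan 12 03:20:00 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=22
Jan 12 03:20:00 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=23
Jan 12 03:20:01 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=80
Jan 12 03:20:01 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=443
Jan 12 03:20:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=8080
Jan 12 03:20:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=1234 DPT=3389
"""

# Only the fields we need; other netfilter fields between them are skipped.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (src, proto, dport) for every line that looks like a netfilter drop."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dpt"])


def per_source_profile(events):
    """src -> (total hits, number of distinct destination ports)."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, _proto, dpt in events:
        hits[src] += 1
        ports[src].add(dpt)
    return {src: (hits[src], len(ports[src])) for src in hits}


def classic_scanners(profile, min_ports=5):
    """Sources that touched at least min_ports distinct ports: the easy case."""
    return sorted(src for src, (_hits, nports) in profile.items() if nports >= min_ports)


def distributed_probes(events, profile, min_sources=3):
    """dport -> sorted one-shot sources, for ports probed by >= min_sources of them.

    A one-shot source has exactly one hit on exactly one port, so it never
    trips a per-source threshold; aggregating by port is what exposes it.
    """
    oneshot = {src for src, (hits, nports) in profile.items() if hits == 1 and nports == 1}
    by_port = defaultdict(set)
    for src, _proto, dpt in events:
        if src in oneshot:
            by_port[dpt].add(src)
    return {dpt: sorted(srcs) for dpt, srcs in by_port.items() if len(srcs) >= min_sources}


def analyse(log_text):
    events = list(parse(log_text))
    profile = per_source_profile(events)
    return {"scanners": classic_scanners(profile),
            "distributed": distributed_probes(events, profile)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the per-source view finds only the host walking six ports; the per-port view finds that 1433 (MS SQL) was touched by four unrelated one-shot sources, which is the distributed scan. In production you would run this over a sliding window and feed the per-port counts, not the individual sources, to whatever alerts.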
Well, by the term “attacked” I wasn’t referring to portscans but actual hacking attempts (login attempts for vulnerable website-systems-for-dummies like Typo3, WordPress and the like, 587/25 SMTP DOS attacks and more). Runs on port 80 were changing identification labels (gecko, mozilla etc) for every other attempt (which does sound script-ish, true).
I have been active on the internet since gopher times and in my experience the USA has always been very close to the top of the list when it comes to being the source of attacks, abuse of services etc. I am simply not a fan of that “the Evil Eastern” attitude and just need to state: Those guys “in the west” are NOT the good ones, either.
Chinese apps are often very insecure.
See my findings on 140,000 IP webcams that can be controlled and watched around the world:
https://youtu.be/gQQqWXQOKEE
Depending on whether [Peadar] analysed the Mi Home or the Yeelight app (they don’t state which, oddly) some of those permissions and behaviours can be explained away by the fact it controls so many devices. Heck my vacuum cleaner is controlled by the Mi Home app.
It’s the Yeelight app, but it too can control many different types of lights.
From the comments on his page:-
YEELIGHT
Dec 22
Hi Peadar, thank you for your mail to us.
Below are our responses regarding your questions about the Yeelight app.
1. Why would the Android application for Bluetooth LED lamp need to scan for Wi-Fi?
Aside from the Bedside Lamp, the Yeelight app supports many other devices, and is used across products that are Bluetooth-enabled, Wi-Fi enabled, and some that support both Bluetooth and Wi-Fi.
2. Regarding some of the permissions Yeelight app asks for:
● AUTHENTICATE_ACCOUNTS: This is to allow those using MIUI to automatically log in to their Xiaomi accounts on the Yeelight app.
● DOWNLOAD_WITHOUT_NOTIFICATION: This is used for downloading the Bluetooth device firmware, so users won’t see the download process in the notification bar. This implementation is common across products in the IoT space.
● ACCESS_COARSE_LOCATION: From Android 6.0 onwards, apps must have the ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permissions to access the hardware identifiers of nearby external devices via Bluetooth and Wi-Fi scans (https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html). This is therefore necessary for the Yeelight app to add devices.
● KILL_BACKGROUND_PROCESSES; GET_TASKS: The app consists of many processes, some running in the background. These permissions allow the Yeelight app to manage these processes, and avoid situations where the system stops a necessary process.
● RECORD_AUDIO: Some Wi-Fi products supported by the Yeelight app come with a feature that allows the product to respond to music. To use this feature, the app needs this permission to turn on the microphone. This is not used for the Bluetooth-only products.
3. Code showing SSID and MAC address
The code is part of MtaSDK, which is a Mobile App Analytics tool, used to improve software quality. This tool is part of a third-party library used in the Yeelight app to enable integration with WeChat. However, the data analytics interface is never used in the Yeelight app so no data will be collected.
4. Regarding code with the terms “newtorkId”, “ssid”, “bssid”, “password”
The Yeelight app supports various Wi-Fi-enabled products. When a user sets up such a device, the device goes into AP mode, which means it becomes an access point which the Yeelight app searches for, so it can connect to the device easily. This is not used to search for surrounding SSIDs from routers.
5. Regarding XMPushService:
This is part of the Android MiPush SDK, which is used to notify users about changes in the device.
6. Regarding LogCollectionService
As the user correctly observed, there was no log upload associated with the code seen here. This feature will not, under any circumstances, upload log files without the knowledge of the user. This feature is only used in debug mode, and is used for internal testing.
7. Regarding audio recording
As mentioned in the permissions explanation above, some Yeelight Wi-Fi products use the mic on the smartphone to respond to music. However, the Yeelight app DOES NOT record audio upon startup. The screenshot provided appears to be showing a Google service trying to record audio and failing to do so (ErrorProcessor: Caused by: com.google.android.apps.gsa.shared.exception.GsaIOException), and not the Yeelight app.
If you have any inquiries related to our products, feel free to visit Yeelight Forum at http://forum.yeelight.com/, where you will find a dedicated engineer team for technical support.
…..
seems legit?
Thanks for the clarification.
Agreed. Seems fine.
I like the fact that their products have the “LAN” mode where you can talk to the device’s API directly. Once you have used the app to configure your lights to connect to WiFi by themselves you don’t need the app at all. e.g. Home Assistant.
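The LAN mode mentioned in this comment (and the “developer mode” in the earlier one) is what lets you keep the bulb but drop the app and its cloud traffic. The code below is an added example, not from the commenter, from Home Assistant, or from Yeelight: it implements the bulb side of a local controller following Yeelight’s published third-party LAN protocol as the author of this example understands it, which is UDP discovery on 239.255.255.250:1982 with an SSDP-style M-SEARCH, then one JSON command per line over TCP to the address the bulb advertises in its `Location` header. LAN Control has to be switched on in the app once; after that the bulb can be firewalled from the Internet and still be driven this way. The discovery reply is a constructed sample with a documentation address, so everything except `send_command` runs offline.

```python
"""Drive a Yeelight Wi-Fi bulb locally, without the vendor app or its cloud.

Added example, not from the original comment, Home Assistant, or Yeelight.
Assumes Yeelight's published LAN protocol: SSDP-style discovery on
239.255.255.250:1982 and newline-terminated JSON commands over TCP on the
port given in the Location header. LAN Control must be enabled on the bulb.
"""
import json
import socket

DISCOVERY_ADDR = ("239.255.255.250", 1982)
DISCOVERY_MSG = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1982\r\n"
    'MAN: "ssdp:discover"\r\n'
    "ST: wifi_bulb\r\n"
)

# Constructed sample of a bulb's discovery reply (RFC 5737 address, invented id).
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Location: yeelight://192.0.2.30:55443\r\n"
    "id: 0x000000000015243f\r\n"
    "model: color\r\n"
    "fw_ver: 18\r\n"
    "support: get_prop set_power toggle set_bright set_rgb\r\n"
    "power: off\r\n"
    "bright: 50\r\n"
    "\r\n"
)


def parse_discovery(reply):
    """Header lines -> dict; adds host/port from Location and splits 'support'."""
    info = {}
    for line in reply.split("\r\n"):
        if ":" in line and not line.startswith("HTTP/"):
            key, value = line.split(":", 1)
            info[key.strip().lower()] = value.strip()
    location = info["location"]
    if not location.startswith("yeelight://"):
        raise ValueError(f"unexpected Location: {location}")
    host, port = location[len("yeelight://"):].rsplit(":", 1)
    info["host"], info["port"] = host, int(port)
    info["support"] = info.get("support", "").split()
    return info


def build_command(msg_id, method, params, supported=None):
    """One JSON object per line; refuse methods the bulb did not advertise."""
    if supported is not None and method not in supported:
        raise ValueError(f"bulb does not advertise method {method!r}")
    return json.dumps({"id": msg_id, "method": method, "params": params}) + "\r\n"


def parse_reply(line):
    """A reply is {"id":..,"result":[..]} or {"id":..,"error":{"code":..,"message":..}}."""
    msg = json.loads(line)
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"bulb error {err.get('code')}: {err.get('message')}")
    return msg


def send_command(host, port, method, params, msg_id=1, timeout=3.0):
    """Network round trip (not exercised offline). Skips unsolicited 'props'
    notifications the bulb may interleave and returns the reply with our id."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_command(msg_id, method, params).encode())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("bulb closed the connection")
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                msg = parse_reply(line.decode())
                if msg.get("id") == msg_id:
                    return msg


if __name__ == "__main__":
    bulb = parse_discovery(SAMPLE_REPLY)
    print(bulb["host"], bulb["port"], bulb["support"])
    print(build_command(1, "set_power", ["on", "smooth", 500], bulb["support"]), end="")
    # With a real bulb that has LAN Control on:
    # print(send_command(bulb["host"], bulb["port"], "set_power", ["on", "smooth", 500]))
```

Pair this with a firewall rule that blocks the bulb’s own outbound traffic to the Internet: the bulb still tries to reach its cloud even in LAN mode, and nothing in the local protocol depends on it succeeding.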
Didn’t OnePlus just get in a lot of trouble in the court of public opinion for doing a similar thing with their phones?
Simple fix: Don’t buy this crap. Seriously, a bed light controlled with your smartphone??? Are you taking your smartphone even to bed? Just buy some generic small IR-control and stuff it inside such a thing, no more tracking and the battery of the controller will last much longer than the one of your phone.
And I don’t care if it’s China or the NSA or somebody else spying on me, it’s always bad and I don’t want it!!
If only bedside lights came with some sort of physical switch that you could use to turn them on or off.
Hrm, maybe I should do a Kickstarter, but that’d probably fail ‘cos there’s no IoT-Blockchainy stuff.
Illumify: the creative, blockchain-verified, App-controlled Internet of Things illumination platform. Customizable just for you. Generic Bootstrap website full of circular portraits of 20-something tech hipsters and crowdfunding campaign coming soon.
I’ve always maintained that we need line-level veto on permissions in Android. Someday the world will agree. But maybe not Google. Of course that makes the apps a bit harder to write, but since it’s just shutting off functionality for a given (lack of) permission it shouldn’t be that big of a deal.
You know, a bedside lamp doesn’t need internet access. A simple bedside lamp, using a standard incandescent bulb, is one of the most simple circuits available. A simple switch makes or breaks the connection. No IoT, no internet, no spying, nothing. I have nothing IoT in my house, no Alexa, no Google, etc. Just a PC. What I have works for me.
No colour change, no dimming, no timed dimming.
I got one of these a couple of years back, and the hardware is quite nice. I’m dubious about Chinese apps (and PSUs) so it’s been sat in my to-do pile with the intent of working out the GATT commands used. Maybe now is the time to dig it out…
I’ve been looking for it, how much is it? Did she buy it online?
I never thought that far, the worst possible could happen but it seems that it is very hard to find..