Desiring a bedside lamp with a remote control, [Peadar]’s wife bought a Xiaomi Yeelight, an LED model with an accompanying Android app. And since he’s a security researcher by trade, he subjected the app to a close examination and found it to be demanding permissions phoning home to a far greater extent than you’d expect from a bedside light.
His write-up is worth a read for its fascinating run-through of the process for investigating any Android app, as it reveals the level to which the software crosses the line from simple light-controller into creepy data-slurper. The abilities to create accounts on your device, download without notification, take your WiFi details and location, and record audio are not what you’d expect to be necessary in this application. He also looks into the Xiaomi web services the app uses to phone home, revealing some interesting quirks along the way.
This story has received some interest across the Internet, quite rightly so since it represents a worrying over-reach of corporate electronic intrusion. It is interesting though to see commentary whose main concern is that the servers doing the data-slurping are in China, as though somehow in this context the location is the issue rather than the practice itself. We’ve written before about how some mildly sinister IoT technologies seem to bridge the suspicion gap while others don’t, it would be healthy to see all such services subjected to the same appraisal.
As a postscript, [Peadar] couldn’t get the app to find his wife’s Yeelight, let alone control it. That the spy part of the app works while the on-the-surface part doesn’t speaks volumes about the development priorities of its originator.
Image: Xiaomi Yeelight website.