Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices

Conference: Defcon 26



The presentation discusses the vulnerabilities found in the Xiaomi IoT ecosystem and the best practices for securing IoT devices.
  • Xiaomi claims to have the largest IoT ecosystem with over 85 million devices and 800 different models
  • Not all products labeled as Xiaomi are actually from Xiaomi
  • The communication protocol between devices and the cloud uses unique device IDs and keys
  • The cloud protocol uses JSON-formatted messages
  • The presentation emphasizes responsible disclosure and the importance of securing IoT devices
  • Best practices for securing IoT devices include avoiding untrusted sources, being cautious of open Wi-Fi access points, and not installing rooted firmware from untrusted sources
The presenter shares an anecdote about a user who modified their device by unsoldering the MMC chip and replacing it with an SD card to double the device's storage space. The presenter notes that while this is impressive, it is not recommended for everyone and can introduce security vulnerabilities.


While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asia-based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. In addition, Xiaomi also manufactures smartphones. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide. In my talk, I will give a brief overview of the most common Wi-Fi based Xiaomi IoT devices. These devices may be deeply integrated into daily life (vacuum cleaners, smart toilet seats, cameras, sensors, lights). I will focus on their features, computational power, sensors, security and the ability to root them. Let's explore how you can have fun with the devices or use them for something useful, like mapping Wi-Fi signal strength while vacuuming your house. I will also cover some interesting things I discovered while reverse engineering Xiaomi's devices and discuss which protections were deployed by the developers (and which were not). Be prepared to see the guts of many of these devices. We will exploit them and use them to exploit other devices.