
Hub M2 (HM2-G01)

Serious concerns
Lumi United · 🇨🇳 China · WiFi + Bluetooth
Technical details
FCC ID: 2AKIT-HM2-G01
Chipset: NXP i.MX6ULL + Silicon Labs EFR32MG21
App: com.lumiunited.aqarahome.play
Manufacturer: Lumi United Technology

⚠️ The bottom line

Aqara says your data stays in your home network, but the hub secretly sends unencrypted personal information to cloud servers without telling you. Anyone on your network — or between your home and their servers — can read this data. The hub has a hidden backdoor that lets anyone on your network run any command on the device with full administrator access. Aqara has not fixed this on the Hub M2 even after patching other models. This means someone could take complete control of the hub that manages all your smart home sensors.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law: company must secretly hand data to Chinese intelligence on request
Data Security Law: state can classify any data as 'important' and demand access for national security
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
10 contradictions: 3 critical, 4 high, 3 medium. 5 sources.
Findings by concern
Spying 4/4 EXTREME (6 findings)
⚠️ critical · policy claims vs firmware analysis
Aqara says your data stays in your home network, but the hub secretly sends unencrypted personal information to cloud servers without telling you. Anyone on your network — or between your home and their servers — can read this data.

What they claim: Aqara markets Hub M2 as prioritising "offline-first design" and "local control" that "keeps your data inside your home network." Privacy policy states data on local servers "will not be directly transmitted back to mainland China without data desensitization."

What we found: CVE-2025-65297 (CVSS 7.5): Security research confirmed Hub M2 firmware 4.3.6_0027 automatically collects and uploads unencrypted sensitive information without disclosure or consent. Data is transmitted over networks without encryption, exposing it to interception. The hub phones home to *.aqara.com, *.lumiunited.com, and *.mi.com by default.

⚡ high · app permissions vs policy claims
The app asks for permission to use your phone's camera, microphone, and precise location — even though the hub itself has no camera or microphone. A Zigbee hub that turns lights on and reads temperature sensors does not need access to your phone's camera and mic.

What they claim: Aqara Hub M2 is a Zigbee hub and IR remote controller. Its core function is coordinating smart home devices — it has no camera or microphone hardware.

What we found: Aqara Home app (v6.1.3) requests CAMERA and RECORD_AUDIO permissions despite the Hub M2 having no camera or microphone. Also requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and READ_PRIVILEGED_PHONE_STATE — none of which are needed for Zigbee hub control. The app requests 42 permissions total for a device whose primary function is toggling Zigbee switches and reading sensor data.

⚡ high · firmware analysis vs policy claims
Aqara claims their hub uses secure communication, but the device doesn't actually check if it's talking to the real Aqara server. An attacker on your network could impersonate Aqara's servers, intercept your smart home data, and even push a fake software update to permanently compromise the hub.

What they claim: Aqara promotes HomeKit certification as evidence of security, and their security blog describes how "Aqara keeps your devices safe" with secure communication protocols.

What we found: CVE-2025-65291 (CVSS 7.4): Hub M2 fails to validate TLS certificates for discovery and CoAP gateway communications. CVE-2025-65290 (CVSS 7.4): Fails to validate certificates during HTTPS firmware downloads. CVE-2025-65295 (CVSS 8.1): Firmware updates are not properly signed, using outdated cryptography. Together these mean an attacker can intercept and modify device communications and install malicious firmware.

⚫ medium · app permissions vs firmware analysis
The app for your smart home hub includes advertising tracking tools. Your hub knows when you're home, what rooms you're in, and your daily patterns — and the app has tools that could share this with advertising companies. There's no reason a hub controller needs ad tracking.

What they claim: Aqara Home app integrates 13 third-party SDKs including Google, Facebook, Sensors Data, and push services for Xiaomi, OPPO, and vivo. App requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION for ad tracking.

What we found: The Hub M2's Exodus Privacy report shows 0 code-level trackers in the APK, but the privacy policy discloses 13 SDK integrations for analytics and advertising. The app requests ad tracking permissions (ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION) for a smart home hub controller — a device category where advertising has no legitimate purpose. Combined with the hub's unencrypted data transmission (CVE-2025-65297), this creates a data pipeline from home sensors to advertising networks.

⚫ medium · app permissions vs regulatory findings
The hub has no microphone, but the app asks to use your phone's microphone. The app also starts automatically when your phone boots and can run invisibly in the background. This means the app could theoretically listen through your phone even though the hub itself can't hear anything.

What they claim: Aqara Home app requests RECORD_AUDIO permission. The Hub M2 has no microphone hardware.

What we found: FCC filing 2AKIT-HM2-G01 confirms Hub M2 hardware: WiFi, Zigbee, BLE, and IR blaster — no microphone. Yet the companion app requests RECORD_AUDIO, which can activate the phone's microphone while the app runs in background (also requests RECEIVE_BOOT_COMPLETED for auto-start and FOREGROUND_SERVICE for persistent background operation). The app could record audio through the user's phone while appearing to be a hub controller.

⚫ medium · policy claims vs app permissions
Aqara says they don't sell your data, but their app includes advertising tracking tools from Google and Facebook. While they may not technically "sell" the data, they share it with advertising companies who use it to target you with ads based on your smart home habits.

What they claim: Aqara privacy policy states: "We do not sell any personal information to third parties."

What we found: Aqara Home app requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION — Google's advertising attribution framework. Privacy policy discloses 13 SDK integrations including Facebook and Google analytics. While technically not "selling" data, sharing device usage patterns with advertising platforms through SDK integrations creates a data flow to third parties that enables targeted advertising based on smart home behaviour patterns.

Data Sharing 3/4 HIGH (1 finding)
⚠️ critical · policy claims vs regulatory findings
Aqara tells you the hub keeps everything local by default. The reality is the opposite: data goes to their cloud servers by default, and you need advanced networking skills to block it. Most people who buy this hub for privacy are unknowingly sending their home activity data to servers in China.

What they claim: Aqara privacy blog states Hub M2 has "offline-first design" and "doesn't force your data into the cloud — everything stays local, which is a huge win for privacy-conscious families."

What we found: Community forum post (forum.aqara.com) titled "How to Make Aqara Devices Work 100% Locally" confirms devices send data to cloud by default. To achieve local-only operation, users must: block outbound traffic at router, block *.aqara.com/*.lumiunited.com/*.mi.com DNS, use Home Assistant instead of Aqara app, and never sign into the Aqara app. Standard setup process (app download, account creation, device pairing) results in data being sent to Lumi cloud servers.
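
As an added example (not from the report or from Aqara), the following script shows how a home network owner can verify whether the hub is actually phoning home before and after applying the router blocks described above: it scans DNS resolver logs for lookups of the cloud domains the report names and groups them by the client that asked. It assumes dnsmasq-style `query[...]` log lines, treats each listed suffix as covering its apex and all subdomains, and the sample log lines are constructed.

```python
"""Find LAN clients resolving Aqara/Lumi cloud hostnames in DNS resolver logs."""
import re
from collections import defaultdict

# Cloud suffixes named in the report. Assumption: a suffix covers its apex
# as well as every subdomain (so "*.aqara.com" also covers "aqara.com").
CLOUD_SUFFIXES = ("aqara.com", "aqara.cn", "lumiunited.com", "mi.com")

# Assumed dnsmasq log format: "... query[A] <name> from <client-ip>".
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_cloud_domain(name: str) -> bool:
    """True if name is a listed suffix or a subdomain of one.

    Matching is on label boundaries, so "notaqara.com" is NOT a hit and
    "mi.com.evil.example" is NOT a hit either.
    """
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in CLOUD_SUFFIXES)


def phone_home_report(log_lines):
    """Map each client IP to the sorted list of cloud hostnames it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no client query
        if is_cloud_domain(m.group("name")):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample: 192.168.1.50 plays the hub, 192.168.1.20 a laptop.
SAMPLE_LOG = [
    "Dec  3 10:01:02 dnsmasq[412]: query[A] aiot-coap.aqara.cn from 192.168.1.50",
    "Dec  3 10:01:02 dnsmasq[412]: forwarded aiot-coap.aqara.cn to 1.1.1.1",
    "Dec  3 10:01:05 dnsmasq[412]: query[A] aiot-rpc.aqara.cn from 192.168.1.50",
    "Dec  3 10:01:09 dnsmasq[412]: query[AAAA] api.lumiunited.com from 192.168.1.50",
    "Dec  3 10:02:11 dnsmasq[412]: query[A] notaqara.com from 192.168.1.20",
    "Dec  3 10:02:30 dnsmasq[412]: query[A] www.example.org from 192.168.1.20",
]

if __name__ == "__main__":
    for client, names in phone_home_report(SAMPLE_LOG).items():
        print(f"{client} resolved cloud hosts: {', '.join(names)}")
```

Run it against the real resolver log after blocking the domains: any client still listed is either bypassing the router's DNS or was not covered by the block.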

Security 4/4 EXTREME (3 findings)
⚠️ critical · policy claims vs firmware analysis
The hub has a hidden backdoor that lets anyone on your network run any command on the device with full administrator access. Aqara has not fixed this on the Hub M2 even after patching other models. This means someone could take complete control of the hub that manages all your smart home sensors.

What they claim: Aqara markets Hub M2 as a secure HomeKit-certified hub for privacy-conscious smart home users. Product page describes it as "our most advanced and future-proof smart home hub."

What we found: CVE-2025-65294 (CVSS 9.8 Critical): The ha_master binary contains an undocumented CoAP endpoint (/lumi/gw/rpc) that accepts 17 command types including system_command and system_run, executing arbitrary shell commands with root privileges. No authentication required beyond CoAP encryption. Hub M2 remains UNPATCHED even after firmware V4.3.8 was released for other models.

⚡ high · regulatory findings vs firmware analysis
Your hub sends data to Chinese servers without encryption, and Chinese law can require the company to share that data with the government. This hub tracks when every door opens, when rooms are occupied, and your daily routines — that's a detailed map of your life that could be accessed by a foreign government.

What they claim: Aqara privacy policy states data centers are in China, US, Germany, Singapore, Korea, and Russia. Policy claims data from local servers will not be transmitted to China "without data desensitization."

What we found: CVE-2025-65297 confirms the hub transmits data unencrypted. The hub connects to endpoints including aiot-coap.aqara.cn and aiot-rpc.aqara.cn (Chinese domains). Under China's National Intelligence Law (Article 7, 2017), Lumi United Technology (Shenzhen) may be compelled to provide data to intelligence services. The Hub M2 coordinates up to 128 Zigbee sensors mapping door open/close, motion, temperature, and occupancy across an entire household — creating a comprehensive behavioural map.

⚡ high · firmware analysis vs regulatory findings
The hub passed both FCC testing and Apple HomeKit certification, yet security researchers found it has a hidden backdoor, accepts fake software updates, and can be hijacked via specially crafted network addresses. The regulatory certifications that are supposed to guarantee safety missed all of these problems.

What they claim: Aqara Hub M2 FCC filing (2AKIT-HM2-G01) confirms compliance with FCC Part 15 rules. HomeKit certification implies Apple-level security vetting.

What we found: CVE-2025-65292 (CVSS 7.3): Command injection via malicious domain names gives attackers root access. CVE-2025-65294 (CVSS 9.8): Undocumented remote execution endpoint in firmware. 7 CVEs disclosed in December 2025 affecting Hub M2 specifically. Despite FCC compliance and HomeKit certification, the firmware has fundamental security flaws including a hidden root shell accessible via CoAP. The security research by Chapoly1305 demonstrates that regulatory certification and HomeKit approval did not catch these vulnerabilities.

Sources