The vacuum creates detailed maps of your home and takes photos during every cleaning cycle, but Xiaomi's privacy policy never tells you this data is being collected or sent to their servers. Security researchers proved the vacuum works perfectly fine without sending any data to the cloud, so this data collection serves Xiaomi's interests, not yours. Xiaomi says they don't sell your data, but the app that controls your vacuum has 8 hidden trackers from companies like Facebook and ByteDance (TikTok's parent company). These trackers collect information about you and your devices to serve targeted ads. Your robot vacuum data is feeding the same advertising networks that track you across the internet.
What they claim: Xiaomi Mi Home privacy policy lists data collected including device IDs, IMEI, IMSI, MAC address, location, and IP address — but makes NO mention of LiDAR room mapping data or camera image collection, despite the X10+ having both a LiDAR scanner that creates detailed floor plans and an 8MP camera that captures images during every cleaning cycle.
What we found: POLICY: Mi Home privacy policy (cnbj1.fds.api.xiaomi.com) lists collected data categories: account info, device info (IMEI, IMSI, MAC, DID), location data, network/usage data, and an ECV value. No category mentions room maps, floor plans, LiDAR data, camera images, or obstacle avoidance imagery. FIRMWARE: The X10+ (dreame.vacuum.p2114a) contains LDS LiDAR for room mapping and an 8MP RGB front camera. Dennis Giese's research and the Dustcloud project confirmed that Xiaomi vacuums transmit mapping data to cloud servers (ot.io.mi.com). Valetudo custom firmware proves all vacuum functions work without the cloud, meaning this data transmission is not operationally necessary.
What they claim: Xiaomi Home app requests CAMERA, RECORD_AUDIO, and READ_PHONE_STATE permissions that are completely unnecessary for controlling a robot vacuum.
What we found: APP: Xiaomi Home (com.xiaomi.smarthome) requests 52 permissions including CAMERA (access device camera), RECORD_AUDIO (record via microphone), READ_PHONE_STATE (access phone identity/call info), READ_PRIVILEGED_PHONE_STATE, TRANSMIT_IR, NFC, GET_ACCOUNTS, USE_BIOMETRIC, INTERNAL_SYSTEM_WINDOW, START_ACTIVITIES_FROM_BACKGROUND, STATUS_BAR_SERVICE, AD_ID. FIRMWARE: The X10+ vacuum has its own 8MP camera and communicates via WiFi and Bluetooth. The vacuum does not require the phone's camera, microphone, or phone state to function. The RECORD_AUDIO permission is particularly concerning given the LidarPhone research showing LiDAR sensors can be repurposed for acoustic eavesdropping.
What they claim: CVE-2024-45352 code execution vulnerability in Xiaomi Home app creates a direct path from remote attackers to vacuum control, while the vacuum runs a full Linux OS with root access achievable via known methods.
What we found: FIRMWARE: The X10+ runs OpenWRT/Tina Linux kernel 4.9.x with root access achievable since Q4 2022. CVE-2023-26323 (CVSS 9.8) allows arbitrary code execution via Xiaomi App Market. The vacuum connects to Xiaomi cloud servers for command and control. APP: CVE-2024-45352 is a code execution vulnerability in com.xiaomi.smarthome caused by improper input validation. An attacker exploiting this can execute code on the user's phone, potentially intercepting vacuum control commands, room mapping data, and camera feeds. Combined with the vacuum's rootable Linux OS, this creates a chain: compromise app -> access vacuum -> access home floor plans and camera imagery.
What they claim: The X10+ LiDAR sensor is theoretically susceptible to acoustic eavesdropping via the LidarPhone attack, while Xiaomi markets it purely as a navigation feature.
What we found: FIRMWARE: The X10+ uses LDS (Laser Distance Sensor) LiDAR for room mapping with the same fundamental technology as the Roborock S5 used in the LidarPhone proof of concept. The vacuum runs rootable Linux with known exploit paths. REGULATORY: LidarPhone research (ACM SenSys 2020) demonstrated 91% digit classification and 90% music classification accuracy by repurposing vacuum LiDAR as a laser microphone. While requiring device compromise, the rootable nature of the X10+ (Dustbuilder support since Q4 2022) and app vulnerabilities (CVE-2024-45352) lower the barrier. Xiaomi's product page markets the LiDAR as "Advanced LDS Laser Navigation" with no disclosure of dual-use surveillance potential.
What they claim: Xiaomi Home app contains 8 embedded trackers including advertising networks (Pangle/ByteDance, Facebook Analytics) and Chinese analytics (Bugly/Tencent, Tencent Stats, JiGuang JPush), while Xiaomi's privacy policy states "We do not sell any personal information to third parties."
What we found: APP: Exodus Privacy report for com.xiaomi.smarthome identifies 8 trackers: Bugly (Tencent crash reporting), Facebook Analytics, Facebook Login, Facebook Share, Google Firebase Analytics, JiGuang Aurora Mobile JPush (Chinese push service), Pangle (ByteDance ad network), Tencent Stats. Pangle is ByteDance's advertising SDK that collects device data for targeted advertising. POLICY: Mi Home privacy policy states Xiaomi does not sell personal information but acknowledges sharing with "affiliated companies" and "Xiaomi Ecosystem companies." The presence of advertising trackers like Pangle means user data flows to third-party ad networks regardless of whether it constitutes a "sale" under privacy law.
What they claim: The X10+ connects to 9 Xiaomi cloud endpoints including servers in Beijing (cdn.cnbj1.fds.api.mi-img.com) while Valetudo custom firmware proves all vacuum functions work without any cloud connectivity.
What we found: FIRMWARE: Hardcoded endpoints include ot.io.mi.com, ott.io.mi.com, de.ot.io.mi.com, sg.ot.io.mi.com, us.ot.io.mi.com, cloud.mi.com, and cdn.cnbj1.fds.api.mi-img.com (Beijing CDN). The vacuum transmits room maps, cleaning schedules, and telemetry to these servers. REGULATORY: Dennis Giese and the Valetudo project demonstrated that Xiaomi vacuums work with full functionality (navigation, cleaning, scheduling) without any cloud connection. This proves that cloud data transmission is not required for device operation and serves Xiaomi's data collection interests. The device connects to Beijing servers even for users in Europe, despite Xiaomi claiming GDPR compliance with EU standard contractual clauses.
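One way a home network defender can verify the cloud egress described above, as an added example that is not part of the audit: a Python script that scans dnsmasq-style DNS query logs for lookups by the vacuum of the Xiaomi cloud hosts quoted in the finding and flags those outside the household's region. The log line format, LAN addresses and per-host region labels are assumptions; the endpoint list itself is the one given above.

```python
import re
from collections import Counter

# Endpoints quoted in the audit above, with the region implied by the hostname (assumed).
XIAOMI_CLOUD = {
    "ot.io.mi.com": "cn",
    "ott.io.mi.com": "cn",
    "de.ot.io.mi.com": "de",
    "sg.ot.io.mi.com": "sg",
    "us.ot.io.mi.com": "us",
    "cloud.mi.com": "cn",
    "cdn.cnbj1.fds.api.mi-img.com": "cn",  # Beijing CDN
}

# dnsmasq "log-queries" line shape (assumed): "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)")

def vacuum_cloud_queries(log_lines, vacuum_ip, home_region):
    """Count the vacuum's lookups of Xiaomi cloud hosts and list those whose
    region differs from the household's (e.g. an EU home talking to Beijing)."""
    counts = Counter()
    out_of_region = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, src = m.groups()
        if src != vacuum_ip:          # only the vacuum's own traffic is of interest
            continue
        host = name.rstrip(".").lower()
        region = XIAOMI_CLOUD.get(host)
        if region is None:            # not a known Xiaomi endpoint
            continue
        counts[host] += 1
        if region != home_region:
            out_of_region.add(host)
    return counts, sorted(out_of_region)

# Constructed sample log: EU household, vacuum at 192.168.1.57, a laptop at .20.
SAMPLE_LOG = """\
Jan 5 07:00:01 dnsmasq[812]: query[A] de.ot.io.mi.com from 192.168.1.57
Jan 5 07:00:02 dnsmasq[812]: query[A] ot.io.mi.com from 192.168.1.57
Jan 5 07:00:02 dnsmasq[812]: query[A] cdn.cnbj1.fds.api.mi-img.com from 192.168.1.57
Jan 5 07:00:03 dnsmasq[812]: query[A] ot.io.mi.com from 192.168.1.57
Jan 5 07:00:05 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan 5 07:00:06 dnsmasq[812]: query[AAAA] us.ot.io.mi.com from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    print(vacuum_cloud_queries(SAMPLE_LOG, "192.168.1.57", "de"))
```

Run against the router's real query log, any host flagged as out of region is a candidate for a local firewall deny rule, which the Valetudo findings above suggest will not break cleaning, navigation or scheduling.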
What they claim: Xiaomi Home app embeds AD_ID permission and Pangle (ByteDance) advertising tracker in an app that controls a robot vacuum with LiDAR home mapping and camera capabilities.
What we found: APP: com.xiaomi.smarthome requests AD_ID (Google advertising identifier) and contains Pangle tracker — ByteDance's ad SDK that collects device data for targeted advertising across the TikTok ad network. Also contains BILLING permission for in-app purchases. FIRMWARE: The vacuum collects detailed home layout data via LiDAR and captures images of home interiors via 8MP camera. Combined with advertising trackers, this creates a profile linking: home floor plan dimensions, furniture placement, cleaning schedules (indicating when residents are home/away), and traditional device fingerprinting data — all feeding into ad networks operated by ByteDance (China) and Meta (Facebook).
What they claim: Xiaomi Home app uses JiGuang Aurora Mobile JPush (Chinese push notification service) that routes through Chinese infrastructure, while Xiaomi claims GDPR compliance for European users.
What we found: APP: com.xiaomi.smarthome contains JiGuang Aurora Mobile JPush tracker — a Chinese push notification service operated by Aurora Mobile Limited (Shenzhen). JPush maintains persistent connections to Chinese servers for push delivery. Also contains Bugly (Tencent) and Tencent Stats trackers. REGULATORY: Xiaomi IoT Privacy White Paper claims EU standard contractual clauses for GDPR compliance and operates a German data centre for EU users. However, the embedded Chinese SDKs (JPush, Bugly, Tencent Stats) establish direct connections to Chinese servers independent of Xiaomi's stated data centre infrastructure, potentially bypassing GDPR transfer safeguards.
What they claim: Xiaomi Mi Home privacy policy collects an opaque "ECV" value derived from multiple identifiers while the app also requests AD_ID and contains advertising trackers, enabling cross-device tracking.
What we found: POLICY: Mi Home privacy policy discloses collection of an ECV value described as derived from "Xiaomi Account ID, phone device ID, connected Wi-Fi ID and location value" — a composite identifier that links user identity, device, network, and location into a single trackable value. APP: com.xiaomi.smarthome requests AD_ID (Google advertising identifier) and contains 8 trackers. Combined with ECV, this enables: linking vacuum usage to advertising profiles, correlating home WiFi with ad targeting, and building a cross-device graph tying vacuum, phone, and online activity. The policy does not explain what ECV is used for or who has access to it.
What they claim: Lithuanian National Cyber Security Centre found Xiaomi devices secretly collect up to 61 data points and contain censorship capabilities that can be remotely activated, contradicting Xiaomi's privacy policy claims of transparent data collection.
What we found: REGULATORY: The Lithuanian NCSC 2021 report found Xiaomi phones collected 61 data points via Mi Browser sent to Google Analytics and Chinese servers, and contained a censorship module for 449 keywords that could be remotely activated without user knowledge. An encrypted SMS sent to Xiaomi servers on Xiaomi Cloud activation was hidden from the device owner. POLICY: Mi Home privacy policy lists specific data categories collected but does not disclose the full extent of the 61 data points identified by Lithuanian researchers. The policy states data processing is transparent and lawful. The censorship infrastructure demonstrates Xiaomi has the capability for covert feature activation across its ecosystem, including IoT devices controlled by the same app platform.
What they claim: The vacuum's 8MP front camera captures images of home interiors during obstacle avoidance, but the privacy policy contains no provisions for camera data handling, storage, or deletion.
What we found: FIRMWARE: The X10+ has an 8MP RGB front camera used for 3D obstacle recognition. During every cleaning cycle, this camera actively captures images of the home interior to identify and avoid objects. The vacuum also has a line laser for depth sensing. POLICY: Mi Home privacy policy lists collected data including device IDs, location, and network information but contains no specific provisions for: camera image collection, image storage duration, image processing location (local vs cloud), image sharing with third parties, or user rights regarding camera data. There is no mechanism for users to review, export, or delete camera images captured by their vacuum.