Another representative in our large robot vacuum test is the Roborock S55 from the Chinese manufacturer Xiaomi. The Roborock and its predecessor are now the most widely used models in this product category. Its comparably low price in relation to other models, including the other representatives in our test, makes the Xiaomi device attractive for many customers new to this segment. On the other hand, many interested customers take the low price as a sign of poor quality and therefore tend to distrust products from the Chinese market.

The following test report clarifies whether and to what extent the comparably low price of the Xiaomi Roborock S55 comes at the cost of quality in the area of security and data privacy, and how the device compares to its Western counterparts.


Application

The mobile applications for Android and iOS are the same for the Roborock as for all other Xiaomi Smart Home components: one app provides access to and control of every product of the Xiaomi Smart Home family. We have examined these applications in previous tests (e.g. of the Xiaomi Smart Home Set) and always discovered some problems, although their number has decreased with newer versions.

The static analysis of the Android app (com.xiaomi.smarthome; v5.4.33) first revealed the high-privilege permissions the app requests, for example for mounting and unmounting file systems or changing system security settings. Whether these are strictly necessary for normal operation is doubtful, as permissions of this kind are intended for use in system apps only.
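The kind of check behind this finding, as an added example that is not part of the test report: a small script that parses an app's AndroidManifest.xml and flags the requested permissions whose AOSP protection level is signature and/or privileged, i.e. permissions that normal third-party apps should not need. The manifest and the permission table are constructed for illustration (a hand-picked subset of real permission names), not extracted from the Mi Home app.

```python
# Added example, not from the report: flag system-level permissions requested
# in an Android manifest. The manifest below is constructed, not the Mi Home app's.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions with protectionLevel signature and/or privileged in AOSP,
# i.e. normally granted only to system apps. Hand-picked subset, not exhaustive.
PRIVILEGED_PERMISSIONS = {
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "mount/unmount file systems",
    "android.permission.WRITE_SECURE_SETTINGS": "change secure system settings",
    "android.permission.INSTALL_PACKAGES": "install packages silently",
    "android.permission.READ_LOGS": "read system-wide Logcat output",
}

# Constructed manifest resembling a decompiled AndroidManifest.xml
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smarthome">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared via <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml):
    """Return (permission, reason) pairs for system-level permissions the app requests."""
    return [(perm, PRIVILEGED_PERMISSIONS[perm])
            for perm in requested_permissions(manifest_xml)
            if perm in PRIVILEGED_PERMISSIONS]


if __name__ == "__main__":
    for perm, reason in audit_permissions(SAMPLE_MANIFEST):
        print(f"privileged permission requested: {perm} ({reason})")
```

Run against a real manifest (e.g. one decoded with apktool), the flagged list is the starting point for the question the report raises: which of these the app can actually justify for normal operation.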

Also typical of many mobile applications (but particularly pronounced in this case) is the sheer mass of third-party SDKs and code modules, e.g. from Facebook, Alibaba, Alipay and Tencent. These software components all provide extensive functionality for collecting and extracting data. Even if it is difficult to prove exactly whether, which and how often data flows out to the companies concerned, a certain mistrust is appropriate at this point, especially as Xiaomi admits quite openly in its privacy policy that data collected by its products is shared with certain third parties (more on this in the section “Data Policy”).

Also typical of Xiaomi applications is the excessive logging. In earlier versions, these logs contained sensitive information such as account names and the associated passwords, and were stored externally on the SD card, where they were freely accessible to any other app. The current version is not that bad, but far too much information is still revealed in log files and via the Android Logcat.
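A check a reviewer can run over captured Logcat output to find exactly this class of leak, as an added example that is not part of the report: it scans each line for credentials, tokens and account identifiers and reports masked findings so the report itself does not reproduce the secret. The log lines are constructed to resemble Logcat output, not captured from the Mi Home app, and the patterns are a starting set to extend per app.

```python
# Added example, not from the report: scan Logcat-style output for credentials
# and account data that should never be written to a log. Lines are constructed.
import re

SAMPLE_LOGCAT = """\
05-21 10:12:01.101  4321  4321 D SmartHome: starting device sync
05-21 10:12:01.233  4321  4321 D LoginManager: login user=alice@example.com password=hunter2
05-21 10:12:02.017  4321  4400 I NetClient: GET /api/devices token=eyJhbGciOiJIUzI1NiJ9.e30.abc123
05-21 10:12:02.540  4321  4400 D SmartHome: battery=87%
05-21 10:12:03.004  4321  4400 V Mapper: uploaded map chunk 3/12
"""

# Finding category -> pattern; group 1 captures the sensitive value for masking.
SECRET_PATTERNS = {
    "password": re.compile(r"\bpass(?:word|wd)?\s*[=:]\s*(\S+)", re.IGNORECASE),
    "token": re.compile(r"\b(?:token|bearer|session)\s*[=:]\s*(\S+)", re.IGNORECASE),
    "email": re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"),
}


def mask(value, keep=2):
    """Keep only the first characters so a finding can be reported without the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_logcat(text):
    """Return one finding per (line, category) for sensitive values found in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "category": category,
                                 "masked": mask(match.group(1))})
    return findings


def summarize(findings):
    """Count findings per category, e.g. for a test report table."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']}: {f['category']} leaked ({f['masked']})")
    print(summarize(scan_logcat(SAMPLE_LOGCAT)))
```

Feed it the output of `adb logcat -d` while exercising the login and device-sync flows; any hit is a defect in the app, since other apps (up to Android 4.1) and anyone with USB debugging access can read that buffer.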

Strange: the .apk file of the Android application contains another .apk named “hack.apk”. Although it contains only one class with an empty constructor, such left-over relics from development do not leave an impression of expert implementation.


Local and online communication

The UDP protocol is mainly used for the local communication between robot and app as well as between cloud and robot. In security-critical areas we prefer TLS over TCP, as it provides adequate and secure encryption and, if implemented correctly and completely, also protects against man-in-the-middle attacks. In the case of the Xiaomi robot, the actual payload of the UDP communication is additionally protected against being read, but the weaknesses of the protocol remain.

In contrast to the robot itself, the application communicates almost exclusively via TCP, protected by TLS in a sufficiently up-to-date version. However, we also observed several unsecured HTTP connections in the test, over which user statistics including the device ID were transferred.

Some of the TLS-secured connections also showed weaknesses in the test. Because the app does not sufficiently check the presented server certificate, we were able to insert ourselves into some connections as a man-in-the-middle and thus, for example, read the cleaning map captured by the robot as it was sent to the cloud.

Successful man-in-the-middle attack on an insufficiently secured connection
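What "insufficient check of the server certificate" means in concrete configuration terms, as an added example that is neither the app's code nor part of the report: Python's `ssl` module stands in for the Android app's TLS stack (the report does not say which library the app uses), with a client context that accepts any certificate beside a hardened one, an audit function that lists the missing checks, and a certificate-pinning helper of the kind that would have stopped the interception described above. The certificate bytes in the test are constructed placeholders, not a real certificate.

```python
# Added example, not code from the report or from the app: a client TLS context
# that effectively skips certificate checks, a hardened one, and an audit.
import base64
import hashlib
import ssl


def weak_client_context():
    """Accepts any server certificate for any hostname, so a proxy presenting
    a self-signed certificate is not detected. Shown only as the 'before'
    state that the audit below must catch; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Validates the chain against the system trust store (or a private CA
    file), matches the hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return human-readable weaknesses that would let an interception proxy succeed."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode is CERT_NONE: server certificate is never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: certificate is not matched to the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version allows TLS 1.0/1.1")
    return problems


def certificate_pin(der_cert):
    """SHA-256 of the DER-encoded certificate, base64 encoded, as shipped in a pinning app."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def pin_matches(der_cert, expected_pin):
    """True if the presented certificate matches the pin compiled into the client."""
    return der_cert is not None and certificate_pin(der_cert) == expected_pin


def verify_pinned_peer(tls_socket, expected_pin):
    """Call after the handshake on an ssl.SSLSocket created by the hardened
    context; aborts the connection if the leaf certificate is not the pinned one."""
    der = tls_socket.getpeercert(binary_form=True)
    if not pin_matches(der, expected_pin):
        raise ssl.SSLError("certificate pin mismatch: possible man-in-the-middle")


if __name__ == "__main__":
    print("weak context:", audit_client_context(weak_client_context()))
    print("hardened context:", audit_client_context(hardened_client_context()))
```

The audit reproduces the reviewer's observation from the app side: a context with `CERT_NONE` or `check_hostname=False` accepts the proxy's certificate, which is what allowed the cleaning map to be read in transit. Pinning goes one step further, so that even a certificate issued by a trusted CA for the right hostname is rejected unless it is the expected one.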


Data Policy

The privacy statement linked from the Google Play Store refers to Xiaomi’s general privacy statement. The correct version can only be viewed after downloading or installing the corresponding app and applies to the entire Mi Home program of the Chinese manufacturer.

The TrustArc-certified privacy statement explains in clear words which data Xiaomi collects. The scope is comparatively lavish and is also reflected in the data traffic of the Roborock S55: during the cleaning process, data flows constantly to the Chinese manufacturer. Whether the data collected by Xiaomi is necessary for operation is questionable. In addition to providing, maintaining and improving services, personal data is also used for direct marketing.

Anonymous data is also used for other advertising purposes, and a lot of data is shared within the Xiaomi Group, the so-called Mi-Ecosystem.


Conclusion

The Xiaomi Roborock S55 is in and of itself a solid device that should convince customers with its comparatively low price. Many minor technical weaknesses and the justified criticism in the area of data privacy nevertheless lead to a significant downgrade. Especially in comparison to the other representatives in the test, the Xiaomi robot cannot quite keep up and is rated 1 out of 3 stars.