by Klathmon 3001 days ago
I don't think it's a "hidden threat" as much as it is a company racing to the bottom first.

Xiaomi has consistently shown that they don't care about security (or at least consistently enough that they have lost my trust).


I want to believe this, but I have never seen anything about Xiaomi/security. Can you please give some pointers/links/events that happened before?
I don't have any links on hand, but I know of a handful of situations that I remember:

* Xiaomi Android phones had some kind of analytics APK built in around 2016 that would send a shitload of data over HTTP to their servers, and would even allow downloading "emergency updates" over HTTP. Their "fix" was to enable HTTPS, but leave the ability to force downloads and continue to run the analytics programs on the phones.

* Their robot vacuum used a password of "robotrock" to encrypt and sign updates.

* Their "Yeelight" smart bulbs were recording audio and sending it back to their servers over HTTP.

* Their "air purifier" also sends analytics and does updates via HTTP without any signatures.

IIRC many of these were fixed at some point, but I know at least once they said (paraphrasing) "we aren't going to fix it because the device isn't capable of HTTPS", but I don't remember which device it was. And it's enough for me to understand that they don't seem to take data privacy and security very seriously at all.