Article: Yeelight spy light?


#1

https://medium.com/@slinafirinne/yeelight-the-bluetooth-led-bedside-lamp-from-xiaomi-that-spies-on-you-part-one-a651207c70bd

Might be worth some attention.


#2

Scanning wireless is because we support WiFi as well as Bluetooth.
Recording audio is because music mode is wanted by lots of users.
Camera is needed because of snap feature.
Logs are sent to China, because the default locale is China.

I can actually explain the points one by one, but I don’t think it deserves my time. The point is:
Nobody is important enough for us to spy on, if you don’t trust us, simply don’t buy our product. If the same effort is spent on inspecting Facebook’s App, then I believe it will also be named Spyware.


#3

Yeelight’s PR may want to reach out to the author and Medium.com since this is the first of a two part piece. Readers not in the know may avoid Yeelight based on what’s written there.


#4

Dear Yeelight, you should consider suing the writer of the article for slander. This is just ridiculous, it’s slander of your good name out of spite. Of course the device would scan for Bluetooth and other things, that’s its job. Author Peadar’s job is probably to defame any successful Chinese brands.

He makes a point about the different information the lamp scans to work. Guess what, smart devices need to have certain information in order to work. Amazon Alexa, Google Home, Microsoft Cortana, Apple HomePod, they all need to listen to your audio constantly in order to listen to your commands. I don’t see Mr Peadar making a big fuss about that.

In fact I don’t see Mr Peadar making a big fuss about all the other apps and devices that we use daily by Google, Facebook, Apple etc etc.

No, he decided to pick on a good small company (small compared to Google etc), and see if he could get some clicks out of stirring the pot. It’s slander, pure and simple.

PS.
And no, I am not paid by Yeelight. In fact, I’ve happily paid for all my Yeelight products myself, because I freaking love them!


#5

Thanks for your support!
Actually we will deliver an official response to him and to the public to explain all the stuff he mentioned in his article.
Will also post the explanations here when we have finished the translation.


#6

Good to know that


#7

Below are our responses regarding your questions about the Yeelight app.

1. Why would the Android application for Bluetooth LED lamp need to scan for Wi-Fi?
Aside from the Bedside Lamp, the Yeelight app supports many other devices, and is used across products that are Bluetooth-enabled, Wi-Fi enabled, and some that support both Bluetooth and Wi-Fi.

2. Regarding some of the permissions Yeelight app asks for:
● AUTHENTICATE_ACCOUNTS: This is to allow those using MIUI to automatically log in to their Xiaomi accounts on the Yeelight app.

● DOWNLOAD_WITHOUT_NOTIFICATION: This is used for downloading the Bluetooth device firmware, so users won’t see the download process in the notification bar. This implementation is common across products in the IoT space.

● ACCESS_COARSE_LOCATION: From Android 6.0 onwards, apps must have the ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permissions to access the hardware identifiers of nearby external devices via Bluetooth and Wi-Fi scans (https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html). This is therefore necessary for the Yeelight app to add devices.

● KILL_BACKGROUND_PROCESSES; GET_TASKS: The app consists of many processes, some running in the background. These permissions allow the Yeelight app to manage these processes, and avoid situations where the system stops a necessary process.

● RECORD_AUDIO: Some Wi-Fi products supported by the Yeelight app come with a feature that allows the product to respond to music. To use this feature, the app needs this permission to turn on the microphone. This is not used for the Bluetooth-only products.

3. Code showing SSID and MAC address
The code is part of MtaSDK, which is a Mobile App Analytics tool, used to improve software quality. This tool is part of a third-party library used in the Yeelight app to enable integration with WeChat. However, the data analytics interface is never used in the Yeelight app so no data will be collected.

4. Regarding code with the terms “newtorkId”, “ssid”, “bssid”, “password”
The Yeelight app supports various Wi-Fi-enabled products. When a user sets up such a device, the device goes into AP mode, which means it becomes an access point which the Yeelight app searches for, so it can connect to the device easily. This is not used to search for surrounding SSIDs from routers.

5. Regarding XMPushService:
This is part of the Android MiPush SDK, which is used to notify users about changes in the device.

6. Regarding LogCollectionService
As the user correctly observed, there was no log upload associated with the code seen here. This feature will not, under any circumstances, upload log files without the knowledge of the user. This feature is only used in debug mode, and is used for internal testing.

7. Regarding audio recording
As mentioned in the permissions explanation above, some Yeelight Wi-Fi products use the mic on the smartphone to respond to music. However, the Yeelight app DOES NOT record audio upon startup. The screenshot provided appears to be showing a Google service trying to record audio and failing to do so (ErrorProcessor: Caused by: com.google.android.apps.gsa.shared.exception.GsaIOException), and not the Yeelight app.

You can also get these responses from https://medium.com/@yeelight/hi-peadar-thank-you-for-your-mail-to-us-87e7e279e129 .

Thanks!
Yeelight
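
A permission list like the one in the response above can be checked against an app's decoded manifest. The following is an added example, not code from this thread or from Yeelight: the manifest is a constructed sample with a hypothetical package name, and the classification sets cover only permissions named in the thread, following Android's documented protection levels.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Classification of the permissions named in this thread only.
DANGEROUS = {"RECORD_AUDIO", "CAMERA", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"}
NORMAL = {"KILL_BACKGROUND_PROCESSES", "DOWNLOAD_WITHOUT_NOTIFICATION"}
LEGACY = {"GET_TASKS", "AUTHENTICATE_ACCOUNTS"}  # deprecated or removed in later Android

# Constructed sample manifest (decoded text form), NOT the real Yeelight manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lamp">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"
                   android:maxSdkVersion="22"/>
  <uses-permission android:name="com.example.lamp.permission.PUSH_RECEIVE"/>
</manifest>
"""

def audit_manifest(xml_text, device_sdk=33):
    """Return (permission, level) pairs for every requested permission."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get(f"{{{ANDROID_NS}}}name", "")
        max_sdk = el.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else name
        if max_sdk is not None and device_sdk > int(max_sdk):
            level = "inactive"   # request is ignored above maxSdkVersion
        elif short in DANGEROUS:
            level = "dangerous"  # needs a runtime grant on Android 6.0+
        elif short in LEGACY:
            level = "legacy"
        elif short in NORMAL:
            level = "normal"     # granted at install time, no prompt
        else:
            level = "custom" if not name.startswith(PREFIX) else "unlisted"
        findings.append((short, level))
    return findings

def runtime_prompts(findings):
    """Permissions the user can grant or deny individually at runtime."""
    return sorted(p for p, level in findings if level == "dangerous")

if __name__ == "__main__":
    for perm, level in audit_manifest(SAMPLE_MANIFEST):
        print(f"{level:10} {perm}")
```

The `dangerous` entries are the ones a user can deny in the system settings without uninstalling the app, which is the practical control for features such as music mode or snap that are not in use.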

