Xiaomi Mi Smart Home Hub
From Wiki-IoT
Classification
| Xiaomi Mi Smart Home Hub | |
|---|---|
| Classification | |
| Grade | C |
| Calculator version | 1 |
| Classification date | 2025-10-20 |
| Information | |
| Name | Xiaomi Mi Smart Home Hub (3rd gen) |
| Brand by Parent | Xiaomi by Xiaomi Corporation |
| Generation | 3rd |
| Model(s) | DGNWG05LM |
| Release date | 2020-10-01 |
| Type/Category | Smart-home gateway / ZigBee & Wi-Fi hub |
| Website | [1] |
| Status | In sale |
| More | |
| Dimensions | 90 × 90 × 20 mm |
| Mass | 133 g |
| Operating system | OpenWrt-based MiWi (Linux 3.10) |
| Companion App | Mi Home (iOS/Android) |
| CPU | MIPS 24KEc @ 580 MHz (MT7621A) |
| GPU | None |
| Memory | 128 MB DDR3 |
| Storage | 256 MB NAND flash |
| Battery | None (5 V mains) |
| Power | 5 V ⎓ 1 A via micro-USB |
| Charging | micro-USB (no battery) |
| Display | 1 RGB LED ring |
| Camera | None |
| Sound | 1 speaker for voice prompts |
| Connectivity | Wi-Fi 4 (802.11 b/g/n) 2.4 GHz, ZigBee 3.0, Bluetooth LE, Ethernet |
| Device | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Known hardware tampering | Rare | [2] | UART pins present but under epoxy; case requires prying |
| Known vulnerabilities | Very common | [3] | Unauthenticated remote code execution in MiWi UPnP stack |
| Prior attacks | Rare | [4] | No large-scale botnet recorded yet |
| Updatability | Rare | [5] | OTA pushed only in China ROM; global ROM updates delayed ~6 months |
| Category score | 3 | ||
| System | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Authentication with other systems | Partial | [6] | Mi-Account login only; no 2FA for hub itself |
| Communications | Encrypted with obsolete encryption | [7] | TLS 1.1, weak cipher suites, MiCA cert hardcoded |
| Storage | Encrypted with obsolete encryption | [8] | Config partition encrypted with AES-ECB, key derivable from firmware |
| Category score | 2 | ||
| User Authentication | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Account management | Full | [9] | Mi-Account supports family sharing, roles, revocation |
| Authentication | Basic | [10] | Mi-Account username+password; no 2FA for gateway |
| Brute-force protection | Basic | [11] | Mi-Account has CAPTCHA & lock-out; hub itself has none |
| Event logging | Partial logging | [12] | App shows device join/leave; no syslog export or failed-auth log |
| Passwords | Require change after setup | [13] | Mi-Account forces first-login password change; complexity rules applied |
| Category score | 2 | ||
| Grade | C |
|---|---|