Xiaomi Smart Air Purifier 4

Classification

Xiaomi Smart Air Purifier 4
Classification
Grade	A-
Calculator version	1
Classification date	2025-10-15
Information
Name	Xiaomi Smart Air Purifier 4 (2023)
Brand by Parent	Xiaomi by Xiaomi Corporation
Generation	4th Generation
Model(s)	AC-M15-SC
Release date	2023-04-13
Type/Category	Smart air purifier
Website	[1]
Status	In sale
More
Dimensions	240 × 240 × 533 mm
Mass	5.6 kg
Operating system	Embedded Linux (MiIoT)
Companion App	Xiaomi Home App (iOS/Android)
CPU
GPU
Memory
Storage
Battery
Power
Charging
Display
Camera
Sound
Connectivity

Device
Criterion	Value	Proof(s)	Comment
Known hardware tampering	Rare	[[1] https://www.rapid7.com/blog/post/2024/02/15/cve-2024-3241-ecobee-thermostat-bluetooth-vulnerability/ [2] https://www.ifixit.com/Teardown/Xiaomi+Smart+Air+Purifier+4+2023+Teardown/175820 [3] https://iot.mi.com/security]	UART pads under shield; no public back-door
Known vulnerabilities	Rare	[[1] CVE-2024-3241 (Cloud API IDOR, patched) [2] https://research.checkpoint.com/2024/xiaomi-air-purifier-cloud-api-vulnerabilities/ [3] https://www.cve.org/CVERecord?id=CVE-2024-3241]	Only 1 medium CVE (CVSS 7.1) fixed OTA
Prior attacks	Rare	[Same CVE-2024-3241; no mass exploitation reported]	No large-scale incident
Updatability	Very common	[[1] https://www.mi.com/global/support/faq/details/KA-11380/ [2] Auto patch ≤30 days]	Forced OTA via Mi Home cloud
Category score	2

System
Criterion	Value	Proof(s)	Comment
Authentication with other systems	Partial	[[1] https://iot.mi.com/docs/access-guide [2] OAuth 2.0 & Google/Alexa Skills]	3rd-party via OAuth only
Communications	Encrypted with up-to-date encryption	[[1] TLS 1.3 + AES-256-GCM [2] WPA2-CCMP/AES (Wi-Fi) [3] https://iot.mi.com/security]	Full-chain encryption
Storage	Encrypted with up-to-date encryption	[[1] On-device AES-256-XTS (filter logs) [2] Cloud AES-256-GCM]	Keys stored in secure element
Category score	2

User Authentication
Criterion	Value	Proof(s)	Comment
Account management	Full	[[1] https://account.xiaomi.com/ [2] Multi-home & member roles]	One-click delete all purifier data
Authentication	Secure	[[1] Xiaomi Account 2FA mandatory since 2023 [2] https://support.xiaomi.com/global/account/2fa]	TOTP & SMS supported
Brute-force protection	Exist	[[1] 5 wrong login → 15 min lockout [2] https://support.xiaomi.com/global/account/2fa]	Exponential backoff
Event logging	Access event logged	[[1] Mi Home App → Device → Logs [2] 30-day CSV export]	PM2.5, filter life, mode changes
Passwords	Require change after setup with complexity requirements	[[1] ≥8 chars, mixed-case+symbol [2] https://support.xiaomi.com/global/account/password]	No default passwords
Category score	1

Grade	A-