Xiaomi logo and smartwatch wear on hand

Security researcher Sergei Volokitin has unveiled significant hardware vulnerabilities found in Xiaomi devices, including the S3 smartwatch, during a presentation at a prominent cybersecurity conference.

This research was part of a collaborative security event where researchers and vendors come together to identify and address vulnerabilities in consumer electronics.

The investigation took place during the conference’s “Hard Pwn” event in November 2024, where independent security researchers gathered to scrutinize various consumer devices for potential weaknesses.

Held annually in the Netherlands and the United States, the event fosters collaboration among security experts and device manufacturers, focusing on enhancing hardware security.

Xiaomi logo and smarthwatch wear on handXiaomi logo and smarthwatch wear on hand

Throughout the multi-day event, researchers utilized professional-grade equipment, such as soldering irons, heat guns, and oscilloscopes, to conduct their hardware analyses.

This format allows security experts to work directly with vendor representatives to identify vulnerabilities and report findings that can improve device security.

Xiaomi Smartwatch Hacked The 2024 event specifically highlighted Xiaomi products, including Mi Band fitness trackers, smartwatches, headphones, and other consumer electronics. Previous years have featured similar collaborative security assessments of devices from major tech companies, including Meta’s Oculus products and Google’s Nest ecosystem.

Sergei Volokitin, who specializes in low-level security analysis and conducts independent security research alongside bug bounty work and security consultancy, focused on two primary Xiaomi devices during the event.

Initially, the researcher examined an outdoor camera system and discovered that recorded footage was stored in plain text format on the device’s file system, allowing potential attackers to recover video content.

The camera analysis revealed further security concerns beyond unencrypted storage. The researcher found that security tokens used for backend communication were stored in easily accessible locations on the device’s file system.

These tokens could be exploited by attackers who gain physical access to the device. Both vulnerabilities were reported to Xiaomi, and the company acknowledged the findings.

smartwatch using and background have laptopsmartwatch using and background have laptop

After the camera research, the security expert turned their attention to Xiaomi’s S3 smartwatch, noting that the device posed intriguing security challenges due to its limited support for third-party applications.

The researcher explained that modern smartwatches function similarly to smartphones with restricted capabilities but still manage sensitive user data, including text notifications, calendar information, fitness and health metrics, and payment card data for contactless transactions.

The smartwatch also supports Bluetooth connectivity for phone integration and NFC capabilities for payments and device unlocking features with Xiaomi smartphones. This combination of sensitive data access and multiple connectivity options makes such devices appealing targets for security research.

The research underscores the growing importance of hardware security in consumer electronics, particularly for devices that users carry daily and may lose or have stolen.

Unlike stationary devices in secure environments, wearable technology faces unique security challenges due to its portable nature and the sensitive personal data it stores and processes.

The collaborative approach demonstrated at HardPwn reflects an industry trend toward proactive security research, where manufacturers work directly with security researchers to identify and address vulnerabilities before malicious actors can exploit them.

This partnership model facilitates responsible disclosure and security enhancements that benefit all users of these increasingly connected devices.