Aqara Hub Privacy Violation Vulnerability in Data Upload Process

Vulnerability

Aqara Hub devices, including the Camera Hub G3, Hub M2, and Hub M3, automatically collect sensitive user and device information and upload it unencrypted to AWS servers without the user's consent or knowledge. The transfer runs once a day through a process called 'hub_backup', which is not disclosed in the Privacy Notice and cannot be disabled by the user. The uploaded data includes device IDs, passwords, wireless network identifiers (which can be used to geolocate the user), CoAP encryption keys, complete device configurations, paired-device information, system properties, storage files, Zigbee coordinator details, HomeKit Accessory Protocol data, user account data, and automation rules.

Impact

The daily upload exfiltrates sensitive user information and device-specific data without authorization. Beyond the privacy violation itself, the exposed material (notably the passwords, CoAP encryption keys and full device configurations) could be exploited for impersonation attacks against the affected devices.

Reproduction

To reproduce this vulnerability, set up an Aqara Hub device on a local network and capture its outbound traffic at the gateway. Look for connections to regional AWS servers, such as those in the US West (Oregon) region, and observe that an automated upload containing the hub's configuration data occurs once a day. Note that no setting available to the device owner disables this upload.
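As an added example (not part of the advisory, and not Aqara's or the reporter's tooling), the script below applies the reproduction step to exported flow records: it flags destinations in AWS address space that receive sizeable uploads from the hub at roughly 24-hour intervals, while ignoring small heartbeat traffic, LAN traffic and other hosts. The hub address, the flow records and the AWS prefixes are constructed for the example; in practice, export flows from the gateway (NetFlow/IPFIX or Zeek conn.log) and load the published prefixes from https://ip-ranges.amazonaws.com/ip-ranges.json, filtering on region "us-west-2" for US West (Oregon).

```python
"""
Added example: detect daily automated uploads from a hub to AWS address
space in flow records. All addresses, prefixes and records below are
constructed for illustration and are not from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed LAN address of the hub under observation (constructed).
HUB_IP = "192.168.1.50"

# Constructed prefixes standing in for the us-west-2 entries of ip-ranges.json.
AWS_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed flow records: (start time UTC, src, dst, dst port, bytes sent by src).
FLOWS = [
    ("2025-09-01T03:12:05", "192.168.1.50", "198.51.100.7", 443, 418_322),
    ("2025-09-01T03:12:40", "192.168.1.50", "203.0.113.9", 443, 1_240),      # heartbeat-sized
    ("2025-09-01T11:40:00", "192.168.1.50", "192.168.1.20", 5683, 9_000),    # LAN CoAP, not AWS
    ("2025-09-02T03:11:58", "192.168.1.50", "198.51.100.7", 443, 420_107),
    ("2025-09-02T03:13:01", "192.168.1.50", "203.0.113.9", 443, 1_198),
    ("2025-09-03T03:12:30", "192.168.1.50", "198.51.100.7", 443, 419_880),
    ("2025-09-03T19:00:00", "192.168.1.77", "198.51.100.7", 443, 2_000_000), # other host, ignored
]


def in_aws(ip, prefixes):
    """True if ip falls inside any of the given AWS prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def periodic_uploads(flows, hub_ip, prefixes, min_bytes=100_000,
                     period=timedelta(hours=24), tolerance=timedelta(hours=1)):
    """Return {dst: [timestamps]} for AWS destinations that receive at least
    min_bytes from hub_ip in flows spaced one period apart (within tolerance)."""
    by_dst = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        # Keep only sizeable transfers from the hub into AWS address space.
        if src != hub_ip or nbytes < min_bytes or not in_aws(dst, prefixes):
            continue
        by_dst[dst].append(datetime.fromisoformat(ts))

    hits = {}
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < 2:
            continue  # one transfer says nothing about periodicity
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits[dst] = times
    return hits


def report(hits):
    """Render one summary line per flagged destination."""
    lines = []
    for dst, times in sorted(hits.items()):
        mean_gap = (times[-1] - times[0]) / (len(times) - 1)
        lines.append(f"{dst}: {len(times)} uploads starting {times[0].isoformat()}, "
                     f"interval about {mean_gap}")
    return lines


if __name__ == "__main__":
    for line in report(periodic_uploads(FLOWS, HUB_IP, AWS_PREFIXES)):
        print(line)
```

The byte threshold and the one-hour tolerance are tuning knobs: a backup of a full hub configuration is far larger than keepalive traffic, and a scheduled job drifts by seconds, not hours, so both can be tightened once a baseline for the specific hub has been captured.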

Remediation

Users should update the Hub M2 and Hub M3 to firmware version 4.3.8, released via OTA on August 28, 2025, and the Camera Hub G3 to the corresponding firmware update released on October 20, 2025. After the OTA completes, confirm the installed version in the device settings.

Added: Dec 10, 2025, 10:24 PM
Updated: Dec 10, 2025, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     7.7
relevance       1.4
threat          6.4
urgency         2.9
incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.