Black‑Box Probing Reveals Potential Weaknesses in Xiaomi’s MJA1 Secure Chip Used in Consumer Cameras
What Happened — Researchers at Quarkslab performed a black‑box analysis of Xiaomi’s proprietary MJA1 secure element, used in the BW300 outdoor camera and its base station. By sniffing I²C traffic, dumping flash memory, and reverse‑engineering firmware, they mapped the chip’s command protocol and identified undocumented commands that could be brute‑forced.
Why It Matters for Compliance & Audit Readiness
- The discovery shows that a “hardware‑level protection” claim may not translate into verifiable security controls, a gap SOC 2 auditors will probe under the System Operations and Risk Management criteria.
- Continuous evidence collection (e.g., firmware hash monitoring, secure boot validation) is essential to demonstrate that device‑level controls remain intact over time.
- Mapping the chip’s command set provides the concrete artifact needed for a Control Mapping audit trail, turning a black‑box risk into documented evidence.
Who Is Affected — Consumer‑electronics manufacturers, IoT device vendors, and enterprises that deploy Xiaomi cameras in corporate environments (retail, education, healthcare, etc.).
Recommended Actions
- Incorporate firmware integrity checks (hashes, signatures) into your continuous compliance monitoring platform.
- Map the discovered command set to your SOC 2 CC6.1 – System Operations control and collect evidence of mitigation (e.g., firmware signing, restricted I²C access).
- Conduct a hardware‑security risk assessment for any third‑party secure elements lacking public documentation.
Source: Quarkslab Blog – Black Box Probing of Xiaomi MJA1 Secure Chip
Technical Notes
- Attack vector: hardware‑level reverse engineering via I²C sniffing and flash dumping.
- No CVE assigned yet; the analysis reveals undocumented commands that could be brute‑forced.
- Data types at risk: cryptographic keys stored on the chip, device configuration, and any user‑generated video/audio streams.