Xiaomi smartphones aren’t as innocent as they look. While the world (led by the US) points a stern finger at Huawei, alleging backdoors that let the Chinese government spy on foreign users, a seasoned cybersecurity researcher has found that smartphones manufactured by Xiaomi are “backdoors with phone functionality”.
As reported by Forbes, a security researcher discovered that his Redmi Note 8 had been monitoring almost everything he did on the smartphone and sending the data to remote servers owned by the Chinese giant Alibaba. The researcher found disturbing amounts of usage being tracked and data being harvested, protected only by a trivially reversible encoding that decodes to plain text and leaves individual identities exposed.
Gabi Cirlig, a noted security researcher, found his Redmi device was recording all the websites he visited in the default Xiaomi browser, including his search queries on DuckDuckGo and Google, every item viewed in the news feed, and activity in ‘incognito mode’. Furthermore, he found the device was logging the folders he opened and the screens he swiped to (even the status bar and the Settings page), and all of this data was being sent to servers in Singapore and Russia, owned by Alibaba and rented by Xiaomi.
Forbes also reached out to another cybersecurity specialist, Andrew Tierney, who confirmed the scale of the data collection from Xiaomi smartphones. He found the same tracking code in Xiaomi browsers available on the Google Play Store, which together have over 15 million downloads.
While only the Redmi Note 8 was caught red-handed harvesting user data, firmware for the newer Mi 10, Redmi K20 and Mi Mix 3 carried the same browser code, so the pricier flagships aren’t quite innocent either.
Forbes reported that even the way Xiaomi protects the data in transit is suspect. When the publication reached out, Xiaomi said the data was encrypted during transfer to protect user privacy. However, the researcher was able to decode a chunk of it within seconds, because what Xiaomi described as encryption was Base64 encoding. Base64 is not an encryption standard at all: it is a reversible text encoding with no key, so anyone who intercepts the payload can turn it back into plain text with a single standard library call. This leaves millions of Xiaomi users at risk of their data being stolen and used for frauds and scams.
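The distinction between Base64 encoding and encryption is worth making concrete. The following Python is an added example, not code from the researcher, Forbes or Xiaomi: it builds a constructed telemetry record (the field names and values are illustrative assumptions, not Xiaomi’s actual payload format), wraps it in Base64 the way the report describes, and shows a small check a practitioner can run over a captured blob to tell whether it was real ciphertext or merely Base64-wrapped plain text.

```python
"""Base64 is encoding, not encryption: a check for 'encrypted' telemetry blobs."""
import base64
import binascii
import json
import os
import string
from typing import Any, Optional, Tuple

# Constructed sample of a browser telemetry record. The field names and values
# are illustrative assumptions for this example, not Xiaomi's real payload format.
SAMPLE_RECORD = {
    "event": "page_view",
    "url": "https://duckduckgo.com/?q=some+private+query",
    "incognito": True,
    "device_id": "example-device-0001",
}

PRINTABLE = set(string.printable.encode("ascii"))


def obfuscate_like_telemetry(record: dict) -> str:
    """Wrap a JSON record in Base64, as the report says the browser did.
    No key is involved, so anyone holding the string can reverse it."""
    raw = json.dumps(record, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def simulated_ciphertext_blob(n: int = 48) -> str:
    """Stand-in for what real encryption would put on the wire: random bytes,
    Base64-wrapped for transport. (Random data, not an actual cipher.)"""
    return base64.b64encode(os.urandom(n)).decode("ascii")


def try_base64_decode(blob: str) -> Optional[bytes]:
    """Strictly decode standard or URL-safe Base64; None if the blob is not Base64."""
    s = blob.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding a sender may have stripped
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_payload(blob: str) -> Tuple[str, Any]:
    """Return (label, recovered) where label is one of
    'not-base64', 'base64-json', 'base64-text', 'opaque-binary'.
    A blob that decodes straight to JSON or readable text was never encrypted;
    genuine ciphertext should land in 'opaque-binary'."""
    raw = try_base64_decode(blob)
    if raw is None:
        return "not-base64", None
    try:
        return "base64-json", json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        pass
    printable_ratio = sum(b in PRINTABLE for b in raw) / max(len(raw), 1)
    if printable_ratio > 0.95:
        return "base64-text", raw.decode("utf-8", errors="replace")
    return "opaque-binary", raw


if __name__ == "__main__":
    captured = obfuscate_like_telemetry(SAMPLE_RECORD)
    print("on the wire:", captured)
    label, recovered = classify_payload(captured)
    print(label, "->", recovered)                # base64-json -> the original record
    label, _ = classify_payload(simulated_ciphertext_blob())
    print("random bytes classify as:", label)    # opaque-binary
```

Point the classifier at any blob pulled from a proxy capture: if it comes back as `base64-json` or `base64-text`, the sender has applied no confidentiality at all, whatever its privacy statement says. Only TLS on the connection, not the Base64 wrapper, stands between the payload and an observer.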
“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” the researcher told Forbes.
Xiaomi denied the allegation in a statement to Forbes, claiming the research is flawed and adding that privacy and security are top concerns for the company. A spokesperson did confirm, however, that the devices collect browser data, but said the information is anonymised so that it can’t be tied to an individual. The spokesperson also said users have consented to such tracking.
Xiaomi also cited ‘behavioural analytics’ as the reason for collecting the data. The company uses the services of a Chinese behavioural analytics startup called Sensors Analytics; the domains the data is sent to carry references to that company, and an API present on the phone facilitates the collection.
That Xiaomi and Sensors Analytics work together was confirmed by the Xiaomi spokesperson, and the startup lists Xiaomi among its clients. However, the spokesperson maintained that the data is stored only on servers owned by Xiaomi and is not shared with Sensors Analytics or any other third party.
We have reached out to Xiaomi independently to enquire about the allegations, and as of publishing this article, the company has yet to respond with an official statement.
UPDATE:
Xiaomi released a statement to Digit.in claiming the research reported by Forbes is flawed, and that Forbes misunderstood the communication explaining the company's data privacy principles. Here's the statement –
"Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation."
The company also wrote out a detailed blog post explaining its side of the story. We have broken it down for you here.
UPDATE 2:
Xiaomi has issued an update to the Mi Browser, Mi Browser Pro and Mint Browser apps on Google Play which includes an option to opt out of aggregated data collection in incognito mode.
"We thank you all for your attention, suggestions and dedication during the past few days to further improving the overall user experience of our products and services," Xiaomi wrote in its blog.