Xiaomi phones allegedly allow backdoor to private user data

A recent cybersecurity report highlights backdoors in Xiaomi phones through which private user data is being ferried to Alibaba cloud servers. The man behind the discovery is Gabriel Cirlig, a veteran web security researcher, who shared his worrisome finding with Forbes.

Let’s see what it’s all about and how Xiaomi responded.

The backdoor

“A backdoor with phone functionality,” is what Gabriel Cirlig called the exploit, while talking to Forbes.

Although he first looked into his personal Redmi Note 8, the same issue was later identified in other Xiaomi phones such as the Mi 10, Redmi K20, and Mi MIX 3.

He noticed the following data being recorded and sent to third-party cloud servers:

  • His Google searches (even incognito) and other web activity on Xiaomi browser
  • Every item viewed on the Xiaomi news feed
  • His interaction with the MIUI launcher, settings and file manager

These were being sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing. Not just that, Xiaomi apps were also sending data to domains that appeared to reference Sensor Analytics (more on that later).

Another cybersecurity researcher, Andrew Tierney, corroborated Cirlig’s findings. He identified both Mi Browser Pro and the Mint Browser as the culprits. These are popular apps with combined downloads of about 15 million on the Google Play Store.

Cirlig and Tierney mentioned how Xiaomi was collating “data about the phone, including unique numbers for identifying the specific device and Android version, something which could easily be correlated with an actual human behind the screen”.

Xiaomi’s response

Xiaomi refutes the allegations, saying that “The research claims are untrue”, that “Privacy and security are of top concern”, and that they “are fully compliant with local laws and regulations on user data privacy matters.”

It underlines the fact that its users had agreed to such tracking.

When users open the app for the very first time, they are shown a big pop-up window seeking permission for data collection. This is something most smartphone users must be aware of, as it’s a ubiquitous thing. Every app does it.

As for Sensor Analytics, Xiaomi says the firm “provides a data analysis solution for Xiaomi,” and the collected anonymous data is “stored on Xiaomi’s own servers and will not be shared with Sensor Analytics, or any other third-party companies.”

A closing note of caution

While Xiaomi claims the data sent to cloud servers is encrypted, Cirlig says he could easily crack it in a matter of a few seconds. Hmm!

In Xiaomi’s defense, every company collects and harvests data. It’s at least upfront about it. Their business model is less focussed on hardware margins and more on revenue from data and ads.

But then there is the point which Cirlig raises:

“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user.”

He piles on the warning by noting that millions of other users could also be affected. And not every one of those users might be cool with their private data being recorded and shared.

Vasan G.S.