
Xiaomi Phones Secretly Sending Users' Sensitive Data to Chinese Servers

Chinese telecoms equipment suppliers have previously been criticized by some countries over suspected backdoors in their products, and if the United States has banned several of its major government departments, including NASA and the Justice and Commerce Departments, from purchasing Chinese products and computer technology, then they are not wrong at all.

The latest claim against Chinese smartphone manufacturers is the allegation that the popular Chinese smartphone brand Xiaomi is suspected of “secretly” stealing users’ information, including SMS messages and photos, from the device without the user's permission and sending it back to a server in Beijing, despite the data backup functions being turned off, according to Apple Insider.

Security researchers from antivirus firm F-Secure have shown that Xiaomi phones (RedMi 1S handset) send quite a lot of personal and sensitive data to the "api.account.xiaomi.com" server located in China, including the following information:
  • IMEI Number of your phone
  • IMSI Number (through MI Cloud)
  • Your contacts and their details
  • Text Messages
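
A way to check your own traffic for this behaviour, as an added example that is not from F-Secure or the original article: it scans request records exported from an inspecting proxy on a network you control for requests to the host named above that carry 15-digit device identifiers. The record layout, paths and sample values are constructed, and it assumes the request bodies are available in the clear; the article does not say how the identifiers are encoded on the wire.

```python
import re

WATCH_HOST = "api.account.xiaomi.com"        # host named in the article
RUN_15 = re.compile(r"(?<!\d)\d{15}(?!\d)")  # IMEI is 15 digits, IMSI usually 15

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; IMSIs carry no checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(body: str) -> dict:
    """Split 15-digit runs into IMEI candidates (Luhn-valid) and IMSI-like.
    Heuristic: an IMSI that happens to pass Luhn is reported as an IMEI."""
    found = {"imei": [], "imsi_like": []}
    for run in RUN_15.findall(body):
        found["imei" if luhn_ok(run) else "imsi_like"].append(run)
    return found

def audit(records, host=WATCH_HOST):
    """Return one finding per request to `host` that carries an identifier."""
    findings = []
    for rec in records:
        if rec["host"].lower().rstrip(".") != host:
            continue
        ids = classify(rec["body"])
        if ids["imei"] or ids["imsi_like"]:
            findings.append({"time": rec["time"], "path": rec["path"], **ids})
    return findings

# Constructed sample records (hypothetical layout, paths and identifier values).
SAMPLE = [
    {"time": "10:01:07", "host": "api.account.xiaomi.com", "path": "/constructed/a",
     "body": "imei=490154203237518&imsi=001010123456789"},
    {"time": "10:01:09", "host": "API.Account.Xiaomi.com.", "path": "/constructed/b",
     "body": "ping=1"},
    {"time": "10:02:30", "host": "example.org", "path": "/",
     "body": "id=490154203237518"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
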
China-based smartphone company Xiaomi marked a successful entry into the Indian market this month. Earlier this year, the company also announced its Redmi Note, which, just like Xiaomi’s other handsets, was an affordable device with almost all the features that an excellent smartphone provides. However, the handset might be doing more than what has been advertised.

Kenny Li of Hong Kong forum IMA Mobile recently noticed something odd with his Redmi Note smartphone. He discovered that the device continued to make connections with IP addresses in Beijing, China. The device kept trying to make the connection even after the company's iCloud-like MiCloud service was switched off.

Although it was pointed out that the transmissions occur only over Wi-Fi, the device does stay in contact with the servers via small "handshakes" while using cellular data. Li then tried erasing the version of Android and installing a new version of Android, but the problem still persisted.
Previously, China has accused companies like Google, Facebook, Microsoft, and Apple of spying on countries. So, what is China doing? The same.

Xiaomi, which is also known as the Apple of China, has yet to respond to the allegations that the Redmi Note secretly sends user data to a China-based server.

If the allegations about the Xiaomi handset prove true, it wouldn't be the first time a Chinese smartphone was found spying on its users. It has happened before as well; China has been known for its digital spying and privacy invasion.

Recently, a German security firm claimed that a popular Chinese Android smartphone, the Star N9500, came pre-installed with a Trojan that could allow the manufacturer to spy on its users, compromising their personal data and conversations without any restrictions and without the users’ knowledge.

Later, in mid-June, the breach on the Star N9500 could allow an attacker to record phone calls automatically, read emails and text messages, and remotely control the phone’s microphone and camera, turning the user's smartphone into a bugging device that allows hackers to hear anything said near the phone. It could also be used for theft, including granting access to the user’s online banking service.

UPDATE
In a blog post, Hugo Barra of Xiaomi denies all the spying allegations made by F-Secure and other security experts.
"MIUI does not secretly upload photos and text messages. MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy," he said.
Xiaomi's Mi Cloud service can back up and manage users' personal information in the cloud, and can also sync details with other devices.

Hugo announced that from today users will be able to turn off the Mi Cloud service manually from the device settings after getting new device updates from the company.
"We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging," he added.
