F-Secure discovered Xiaomi handset spying on users’data

Experts at F-Secure security firm analyzing the new Xiaomi RedMi 1S discovered that it sends out to a server located in China a lot of user’s data.

Security experts at F-Secure security firm has conducted a series of analysis on the new Xiaomi RedMi 1S and to verify the alleged presence of hidden data stealer components. The researchers confirmed that the devices send an impressive amount of users’data to “api.account.xiaomi.com“, a server located in China. The information transferred by the Xiaomi device includes:

A couple of months ago, a report issued by the Nanjing-based Yangtse Evening News stated that smartphones produced by Chinese Xiaomi are able to steal bank card data from wireless connections.

On the forum IMA Mobile recently was reported that Redmi Note smartphones continually make connections with IP addresses in Beijing, China, even if users turn off the iCloud-like service named MiCloud.

The experts noticed that the Xiaomi was transmitting only when the handset was connected to a WiFi network, they also noticed that also erasing the pre-installed Android distribution the anomalous and worrying behavior still persisted.

In a blogpost, Hugo Barra from Xiaomi denied all the allegations made by F-Secure.

“MIUI does not secretly upload photos and text messages. MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.” Barra said.

To the question: “Does Xiaomi upload any personal data without my knowledge?” he replied:

Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices.  This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default.  Users must log in with their Mi accounts and manually turn on Mi Cloud.  They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region.  Strict encryption algorithms are implemented to protect user privacy. 

The expert refers to the Xiaomi’s Mi Cloud Service as the service used by the company to backup personal information in the cloud. Hugo announced that from today users’ will be able to turn OFF Mi Cloud Service manually from the mobile device.

“We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.” he added.

Hugo Xiaomi highlight that Xiaomi considers that user’s privacy seriously and takes all possible steps to protect it.

Xiaomi is considered a young giant of mobile manufacturers, if the allegations on the Xiaomi handset come true it could be the second time that a Chinese smartphone was found spying on user’s data, recently security experts at German G Data claimed that the popular Chinese Android Smartphone Star N9500 comes with a pre-installed  spyware.

Stay Tuned for further details on the case.

Pierluigi Paganini

(Security Affairs –  Xiaomi, cyber espionage)