Xiaomi smartphones black listed

The Indian Air Force (IAF) has issued a circular to its 175,000 personnel to shun the use of Xiaomi smartphones, either by them or by their family members, on suspicions that the company is using their phones to spy on its users on behalf of the Chinese government.

Spying Charges

In August this year, F-Secure released a report stating that it had found proof that Xiaomi handsets were sending data back to the company's servers in China. They weren't the first to figure it out, though: a user named Kenny Li wrote on a Hong Kong forum that his Xiaomi RedMi Note was sending pictures and messages to servers in China. Initially, the claim was refuted with the explanation that this was data being sent to the cloud backup servers, and that it was merely a coincidence that those servers were located in China. To be fair, a service provider is allowed to decide where backup data is stored.

Therefore, this user decided to root his phone and install a different ROM, and he still found data being sent to the same servers. This meant that it wasn't the cloud service but the phone hardware that was sending the data back to somebody who was really interested in collating such data.

The Report

F-Secure published a report in August stating that the Xiaomi RedMi 1S “sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server. The phone number of the contacts added to the phone book and also from SMS messages received was also forwarded.”
 
The points that Xiaomi used to refute the claims were that the cloud backup feature was turned on by default, so users did not have to opt in; this data was therefore sent to the servers automatically, and that was being mistaken for spying. “Xiaomi is serious about user privacy and takes all possible steps to ensure our internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users. MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages in the messaging app and MIUI OTA update notifications, all non-personal data that does not infringe on user privacy,” clarified Xiaomi. But this still doesn't explain why IMSI and text messages were being sent to the cloud. Surely these details don't need to be backed up.
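The F-Secure finding above was made by watching what the handset sent over the network. An organisation that wants to verify such a claim on its own devices can do the same thing with its egress or proxy logs: look for outbound requests to the reported endpoint and check whether the request bodies carry device or subscriber identifiers. The script below is an added example, not code from the article or from F-Secure; the log line format, the watchlist (seeded with the one hostname the report names) and the field names `imei=`, `phone=` and `telco=` are constructed for illustration, and the sample log lines are made up.

```python
import re
from typing import Dict, List, Optional, Set

# Watchlist of destination hosts to inspect. Seeded with the endpoint named in
# the quoted F-Secure report; in practice this comes from your own capture.
WATCHED_HOSTS = {"api.account.xiaomi.com"}

# Identifier patterns to flag inside an outbound request body. The field names
# are an assumption for this example, not the real protocol the phone used.
IDENTIFIER_PATTERNS = {
    "imei": re.compile(r"\bimei=(\d{15})\b"),          # IMEI is 15 digits
    "phone": re.compile(r"\bphone=(\+?\d{10,15})\b"),   # E.164-style number
    "telco": re.compile(r"\btelco=([A-Za-z0-9 ]+?)(?:&|$)"),
}

# Constructed proxy log lines (not real captures):
# "<timestamp> <device> <method> <host> <path> <body>"
SAMPLE_LOG = """\
2014-08-07T10:00:01Z redmi-1s POST api.account.xiaomi.com /v1/register imei=123456789012345&phone=+919876543210&telco=Airtel
2014-08-07T10:00:05Z redmi-1s GET update.miui.com /ota/check version=JHACNBA
2014-08-07T10:00:09Z redmi-1s POST api.account.xiaomi.com /v1/contacts phone=+919812345678
2014-08-07T10:00:12Z other-phone POST api.account.xiaomi.com /v1/register imei=987654321098765
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; the body is optional."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    return {
        "ts": parts[0],
        "device": parts[1],
        "method": parts[2],
        "host": parts[3],
        "path": parts[4],
        "body": parts[5] if len(parts) == 6 else "",
    }


def find_identifier_exfil(log_text: str) -> List[Dict]:
    """Return one finding per request to a watched host whose body carries
    at least one identifier. Requests to other hosts are ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None or rec["host"] not in WATCHED_HOSTS:
            continue
        found = {}
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            m = pattern.search(rec["body"])
            if m:
                found[kind] = m.group(1)
        if found:
            findings.append({
                "ts": rec["ts"],
                "device": rec["device"],
                "host": rec["host"],
                "path": rec["path"],
                "identifiers": found,
            })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, Set[str]]:
    """Map each device to the kinds of identifier it was seen sending."""
    summary: Dict[str, Set[str]] = {}
    for f in findings:
        summary.setdefault(f["device"], set()).update(f["identifiers"].keys())
    return summary


if __name__ == "__main__":
    results = find_identifier_exfil(SAMPLE_LOG)
    for r in results:
        print(f'{r["ts"]} {r["device"]} -> {r["host"]}{r["path"]}: {r["identifiers"]}')
    for device, kinds in summarize(results).items():
        print(f"{device}: sends {sorted(kinds)}")
```

Feed it real proxy or NetFlow-derived records after adapting `parse_line` to your log format. The point of the device-level summary is the one the article makes: a backup feature that is genuinely opt-in should produce no such records from a device whose owner never enabled it, so a non-empty summary for such a device is the check worth automating.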

Fallout of the report

As a result of all the bad publicity generated by the spying claims, Xiaomi released an over-the-air update that stopped the sending of user data to its cloud service. Xiaomi also claims to have started moving the data of users not based in China to Amazon cloud servers in the US and to a data centre in Singapore.

Su Gim Goh, Security Advisor, APAC, F-Secure, confirmed in an exclusive interaction with IndianExpress.com that Xiaomi has rectified the privacy issues it raised. “The entire privacy issue was related to Xiaomi's cloud messaging service. Previously, the cloud service got activated by default without asking for the user's permission. So, related personal data were sent from the phone to Xiaomi's servers in China. After we alerted about this privacy concern, Xiaomi has made the cloud service an opt-in feature and not by default,” said Goh.

So, why did Indian Air Force issue a notification against using Xiaomi phones?

The Sunday Standard recently reported that the Indian Air Force (IAF) has notified its 1,75,000 personnel and their family members not to use Xiaomi smartphones on account of ‘spying’. The report said the IAF alert was based on inputs from CERT-In, India's premier cyber watchdog.

What's surprising is that the IAF notification seems to be hinting at the same report released by F-Secure in August, even though that software security company has already confirmed that Xiaomi rectified the issue and no longer breaches privacy.

Now, there can be two situations: either the privacy problem with Xiaomi has returned, or the IAF notification is based on older reports. We believe it to be the latter, as no new reports have surfaced since the F-Secure clarification in September.

But one question still tingles in my head. It was proven (nearly beyond doubt) that the fault lay in the hardware. What if Xiaomi just hid the working of the hardware from the user in this update and did not actually stop spying? Apple has managed to create a backdoor into every iPhone, and the user has no way of finding out about it.

The notification by the IAF may be based on an old report, but who's to say the problem doesn't still persist? This negative publicity is going to hurt Xiaomi badly in its next splash sale on Flipkart.
