What's new

[Warning] Xiaomi is Spying on You

striver44

BANNED
Joined
Jul 25, 2016
Messages
4,832
Reaction score
-16
Country
Indonesia
Location
Indonesia
Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use


Thomas Brewster
Forbes Staff
Cybersecurity

Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
960x0.jpg



Commuters pass by Xiaomi Note 10 Pro smartphone[+]

BUDRUL CHUKRUT/SOPA IMAGES/LIGHTROCKET VIA GETTY IMAGES

“It’s a backdoor with phone functionality,” quips Gabi Cirlig about his new Xiaomi phone. He’s only half-joking.

Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi.

The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company.

When he looked around the Web on the device’s default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private “incognito” mode.

The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.

Meanwhile, at Forbes’ request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.

Many more millions are likely to be affected by what Cirlig described as a serious privacy issue, though Xiaomi denied there was a problem. Valued at $50 billion, Xiaomi is one of the top four smartphone makers in the world by market share, behind Apple, Samsung and Huawei. Xiaomi’s big sell is cheap devices that have many of the same qualities as higher-end smartphones. But for customers, that low cost could come with a hefty price: their privacy.

Cirlig thinks that the problems affect many more models than the one he tested. He downloaded firmware for other Xiaomi phones—including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices. He then confirmed they had the same browser code, leading him to suspect they had the same privacy issues.

And there appear to be issues with how Xiaomi is transferring the data to its servers. Though the Chinese company claimed the data was being encrypted when transferred in an attempt to protect user privacy, Cirlig found he was able to quickly see just what was being taken from his device by decoding a chunk of information that was hidden with a form of easily crackable encoding, known as base64. It took Cirlig just a few seconds to change the garbled data into readable chunks of information.

“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” warned Cirlig.

Xiaomi’s response

In response to the findings, Xiaomi said, “The research claims are untrue,” and “Privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking.

But, as pointed out by Cirlig and Tierney, it wasn’t just the website or Web search that was sent to the server. Xiaomi was also collecting data about the phone, including unique numbers for identifying the specific device and Android version. Cirlig said such “metadata” could “easily be correlated with an actual human behind the screen.”

Xiaomi’s spokesperson also denied that browsing data was being recorded under incognito mode. Both Cirlig and Tierney, however, found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, providing both photos and videos as proof.

When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “****” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.

Both Cirlig and Tierney said Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple Safari. “It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it’s about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”

Cirlig also suspected that his app use was being monitored by Xiaomi, as every time he opened an app, a chunk of information would be sent to a remote server. Another researcher who’d tested Xiaomi devices, though was under an NDA to discuss the matter openly, said he’d seen the manufacturer’s phone collect such data. Xiaomi didn’t respond to questions on that issue.

‘Behavioral Analytics’

Xiaomi appears to have another reason for collecting the data: to better understand its users’ behavior. It’s using the services of a behavioral analytics company called Sensors Analytics. The Chinese startup, also known as Sensors Data, has raised $60 million since its founding in 2015, most recently taking $44 million in a round led by New York private equity firm Warburg Pincus, which also featured funding from Sequoia Capital China. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a “provider of an in-depth user behavior analysis platform and professional consulting services.” Its tools help its clients in “exploring the hidden stories behind the indicators in exploring the key behaviors of different businesses.”

Both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including the repeated use of SA. When clicking on one of the domains, the page contained one sentence: “Sensors Analytics is ready to receive your data!” There was an API called SensorDataAPI—an API (application programming interface) being the software that allows third parties access to app data. Xiaomi is also listed as a customer on Sensors Data’s website.

The founder and CEO of Sensors Data, Sang Wenfeng, has a long history in tracking users. At Chinese internet giant Baidu he built a big data platform for Baidu user logs, according to his company bio.

Xiaomi’s spokesperson confirmed the relationship with the startup: “While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi’s own servers and will not be shared with Sensors Analytics, or any other third-party companies.”

It’s the second time in two months that a huge Chinese tech company has been seen watching over users’ phone habits. A security app with a “private” browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on Web use, Wi-Fi access point names and more granular data like how a user scrolled on visited Web pages. Cheetah argued it needed to collect the information to protect users and improve their experience.

Late in his research, Cirlig also discovered that Xiaomi’s music player app on his phone was collecting information on his listening habits: what songs were played and when.

One message was clear to the researcher: when you’re listening, Xiaomi is listening, too.

Get the best of Forbes to your inbox with the latest insights from experts across the globe.

Follow me on Twitter. Check out my website. Send me a secure tip.



Thomas Brewster

I'm associate editor for Forbes, covering security, surveillance and privacy.
 
. . . . .
Coronavirus have gone to these goons head if they had some brain in the first place and they are coming out from under the woodwork from the places no one can even imagine. Even smallest retail companies are tracking customers what we buy or what web site we visit and what we are looking for, that's why we receive their ads from all directions. This so called expert which we never heard of must be living on the different planet till now that his browsing history is revelation for him.
My Chinese brothers you got away for too long as yesterday we were the whipping boys today you are the new kids on the block. New phobia of anti Chinese's and its spewing from all over the place especially with the blessing of US and Western governments and on daily basis stories are being planted. It will be easy just simply promise Trump $50 billion for his election campaign so he can leave you alone lol.
 
.
The question is, how can Xiaomi be a spy?
The chip belongs to Qualcomm, an American company.
The operating system is Google Android, an American company.
Google search, Facebook, YouTube, WHATSAPP on your phone,They are all American software.
What ways does MI carry out espionage activities?
How?

View attachment 629002 View attachment 629003
After changing his head portrait, he worked harder.
 
Last edited:
. . .
The question is, how can Xiaomi be a spy?
The chip belongs to Qualcomm, an American company.
The operating system is Google Android, an American company.
Google search, Facebook, YouTube, WHATSAPP on your phone,They are all American software.
What ways does MI carry out espionage activities?
How?
Its easy to crack Android. Just like we crak window 10 easily and even put spyware on win 10.
 
. .
Buy Vietnam phones
This is a defense forum, don't you think promoting Viet weapons would be more appropriate, there might be some decision maker from their armed forces in this forum.
 
. .
if this logic is considered world should stop using internet and technology items like pcs and smart phone and go back to 1980s as this is only way to remain safe from spying,even if they are spying they are less threat than u.s as china not has intelligence network like cia spread in all world or military bases who are more capable of killing or abducting any person on the basis of information obtained from spying like they do in drone attacks across different countries by using false excuse of war on terror

 
Last edited:
.
The question is, how can Xiaomi be a spy?
The chip belongs to Qualcomm, an American company.
The operating system is Google Android, an American company.
Google search, Facebook, YouTube, WHATSAPP on your phone,They are all American software.
What ways does MI carry out espionage activities?
How?
Ever heard of skins? Its a proprietary layer of smartphone's OEM provided built in. In case of Xiaomi, its skin called 'MIUI'. Very few OEMs provide vanilla(pure Android) experience.

Not saying that Xiaomi is spying on you, just telling you that it's possible to spy.


It's not like Google's android wasn't spying on us already pfff.

If you are enjoying a service for free then YOU ARE THE PRODUCT.
 
.
Back
Top Bottom