November 19, 2014 by ...
Xiaomi has been needled in the press over security concerns. Some of this has to do with the legacy of distrust surrounding Chinese cell phone manufacturers. Companies such as Huawei have been linked to the Communist Party and accused of espionage, charges they deny. It is hard to take them at their word, however, when one considers that they allegedly hacked the emails of South Sudanese government officials and forged emails from them. Such acts prove anything but Huawei’s commitment to privacy and integrity.
Of course that is Huawei and not Xiaomi, but generalizations being what they are, Xiaomi will undergo more scrutiny than companies from other parts of the world. Xiaomi’s Lei Jun should understand this based on his IT background, but it seems as if he does not.
Xiaomi, short history of international sales, growing history of data theft
In Xiaomi’s short history they have done little to dispel security concerns surrounding their kit. In fact, one would be hard pressed to find a firm which has caused more of a panic in such a short period of time. Although they have only been selling phones internationally for about six months, they have drawn the ire of a handful of countries. As many as three of those countries have expressed enough concern that they are considering banning Xiaomi gear in one manner or another.
A Xiaomi problem or China problem?
As I mentioned, Xiaomi is not entirely to blame for the negative press. Their phones carry the same kind of firmware-embedded spyware that has been found in other made-in-China handsets, as explained here:
‘Mysterious files were found on two models of Sony Xperia smartphones which…relaying data to Chinese servers.
The file is called “Baidu,” … If a user tries to remove the file, it automatically restores itself after a short time. The independent Xperia Blog says the file is rooted in the firmware of the phones.
In all cases, the breach used an infected smartphone app rooted in the firmware of the phone that relays data back to China.
German security company G Data revealed on June 16 that China’s Star N9500 smartphones, which are sold online by a company with no name, contain a file called Uupay.D which relays data from the phone back to China.
“The possibilities with this spy program are almost limitless.”
Just one month later, a similar spying app was found on smartphones from China’s Xiaomi.
The Xiaomi Redmi Note smartphones were continually trying to connect to an IP address in Beijing. Researchers found the phones continued relaying data even if they erased the phones and installed new versions of Android—suggesting again the “feature” is in the phone’s firmware.
The spyware could have been created and then embedded in the Xiaomi firmware by a sub-supplier, but no one is sure. Worse still was Xiaomi’s response to the data theft allegations.
Deny, Diminish, Destroy: The Xiaomi Way
Once it was irrefutably proven that Xiaomi phones were nicking data, the company went into cover-up mode. Embracing the Three D’s of Xiaomi, they first denied the allegations, then diminished them and finally moved to bury the evidence.
At first Xiaomi assured their customers that allegations of data theft were wrong. They claimed that Xiaomi neither takes nor stores user data, least of all in Beijing. This went on for over a week until irrefutable evidence proved the contrary. When faced with this information, they moved into step two of the ‘Xiaomi way’.
After investing so much time into convincing us they did not keep user data, Xiaomi was forced to change tack. Security experts proved beyond a shadow of a doubt that user data was sent off to Beijing. Xiaomi then demurred saying, ‘Oh, you mean that data?’
They then explained that the data was not being stolen but merely re-purposed for our own good. ‘We store that information on our servers so that customers can send and receive messages more quickly.’
This contention led users to wonder why Xiaomi didn’t just say this in the first place. ‘If they had a legitimate reason for nicking data, why didn’t they tell us in the first place?’ users wondered.
After this, Lei Jun and company told us that this ‘breach of security’ was not really a breach and that we could all relax and trust in Xiaomi. They even went on to issue a patch which they assured us would fix the data theft problem. There must have been a problem, however, as the patch did not stop the traffic. It was shown that even after applying the fix, the phones still sent data to Beijing.
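The two persistence claims above, that the phones kept contacting the Beijing server after a wipe and reinstall and again after Xiaomi’s patch, are the kind of thing a reader can check without trusting either side: capture the phone’s traffic in each state and see which destinations survive. The script below is an added example written for this page, not code from the article, from the researchers it cites or from Xiaomi. It assumes `tcpdump -nn` one-line summaries captured on the phone’s Wi-Fi segment, one capture per phase; the log lines are constructed, and 203.0.113.10 is a documentation address standing in for the Beijing server, which the article never names.

```python
"""Cross-phase beacon check: which destinations a phone keeps contacting.

Added example, not from the article. Input is `tcpdump -nn` one-line output
captured from the phone's network segment, one capture per phase (stock
firmware, after a factory reset, after the vendor patch). A destination
that shows up in every phase is a candidate for something that survives
both a wipe and a patch, i.e. lives below the user-installable layer. All
sample lines below are constructed; 203.0.113.10 is a documentation
address standing in for the unnamed Beijing server.
"""
import re
from collections import Counter

# "HH:MM:SS.us IP a.b.c.d.sport > e.f.g.h.dport:" prefix of a tcpdump -nn line.
_HDR = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def outbound_attempts(lines, phone_ip, ignore=frozenset()):
    """Count TCP connection attempts (SYN only) from phone_ip per (dst, port).

    Only packets with 'Flags [S]' are counted, so a connection is one
    attempt rather than one per packet, and SYN-ACKs ('[S.]') from the far
    end are not mistaken for phone traffic. Non-TCP lines (DNS over UDP
    carries no Flags field) and destinations in `ignore` are skipped.
    """
    attempts = Counter()
    for line in lines:
        m = _HDR.match(line)
        if m is None or "Flags [S]" not in line:
            continue
        if m["src"] != phone_ip or m["dst"] in ignore:
            continue
        attempts[(m["dst"], int(m["dport"]))] += 1
    return attempts


def persistent_destinations(phases, phone_ip, ignore=frozenset()):
    """Destinations the phone contacted in every phase, with per-phase counts.

    `phases` maps phase name -> capture lines. Result shape:
    {("203.0.113.10", 443): {"stock": 2, "wiped": 2, "patched": 1}}
    An empty result means nothing survived across all phases.
    """
    per_phase = {name: outbound_attempts(lines, phone_ip, ignore)
                 for name, lines in phases.items()}
    if not per_phase:
        return {}
    common = set.intersection(*(set(c) for c in per_phase.values()))
    return {dst: {name: per_phase[name][dst] for name in per_phase}
            for dst in sorted(common)}


PHONE = "192.168.1.20"    # the handset under test (constructed)
GATEWAY = "192.168.1.1"   # local router/DNS, excluded as noise

# Constructed captures. Each phase has a mix of traffic; only the
# 203.0.113.10:443 destination appears in all three.
STOCK = [
    "10:00:01.000001 IP 192.168.1.20.40001 > 192.168.1.1.53: 1+ A? api.example.net. (33)",
    "10:00:01.100001 IP 192.168.1.20.40002 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.100501 IP 203.0.113.10.443 > 192.168.1.20.40002: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "10:05:01.000001 IP 192.168.1.20.40003 > 203.0.113.10.443: Flags [S], seq 2, win 65535, length 0",
    "10:06:00.000001 IP 192.168.1.20.40004 > 198.51.100.7.443: Flags [S], seq 3, win 65535, length 0",
]
WIPED = [
    "11:00:00.000001 IP 192.168.1.20.41001 > 203.0.113.10.443: Flags [S], seq 4, win 65535, length 0",
    "11:05:00.000001 IP 192.168.1.20.41002 > 203.0.113.10.443: Flags [S], seq 5, win 65535, length 0",
    "11:05:30.000001 IP 192.168.1.20.41003 > 192.168.1.1.80: Flags [S], seq 6, win 65535, length 0",
]
PATCHED = [
    "12:00:00.000001 IP 192.168.1.20.42001 > 192.0.2.5.443: Flags [S], seq 7, win 65535, length 0",
    "12:05:00.000001 IP 192.168.1.20.42002 > 203.0.113.10.443: Flags [S], seq 8, win 65535, length 0",
]
PHASES = {"stock": STOCK, "wiped": WIPED, "patched": PATCHED}

if __name__ == "__main__":
    for dst, counts in persistent_destinations(PHASES, PHONE, {GATEWAY}).items():
        print(f"{dst[0]}:{dst[1]} seen in every phase: {counts}")
```

Counting only SYNs rather than every packet keeps a chatty keep-alive from dwarfing a once-an-hour beacon, and intersecting across phases rather than diffing two of them is what distinguishes "this server is contacted by the stock firmware" from "this server is contacted no matter what the user does to the phone". A destination that drops out of the patched capture is evidence the vendor fix worked; one that stays, as the article says happened here, is not.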
This caught the eye of quite a few countries, which then decided to consider banning Xiaomi gear. The Indian Air Force, for example, warned its personnel against using kit made by Lei Jun’s firm. In response, Xiaomi claimed they would store data in ‘ABC’: Anyplace But China. This too, it seemed, was merely a ruse, as explained here:
In a facebook post, vice president of Xiaomi, Hugo Barra, wrote, “We take rigorous precautions to ensure that all data is secured when uploaded to Xiaomi servers and is not stored beyond the time required.”
But many cyber security experts are still concerned that this hasn’t fixed the true problem.
Sending Data to China
According to Rishi Kant, CEO of Secure Vision Lab Pvt. Ltd…Xiaomi phones have a backdoor in their firmware that lets user data be sent to servers in Beijing, regardless of what software updates the user makes.
Kant explains that companies use backdoor applications to steal users information so they can use that data for research and development to expand their markets, or share that data with a government for espionage purposes.
…Kant is not confident that having a data center in India would help with security, as Xiaomi would still likely monitor it.
“There’s no guarantee data will not go to China because it is a distributor server and that means it’ll be linked with servers in China…”
After all, data storage was not the worry, per se, but data theft and corporate integrity.
Things ratcheted up after a Taiwanese security expert claimed to have proof of Xiaomi’s security problems. He was going to prove this to the world until Xiaomi entered destruction mode.
Destroy the evidence
The expert was set to prove that Xiaomi was covertly storing data for millions of its users. He had allegedly hacked into their database and was set to demonstrate this at an Indian hacker conference called the Ground Zero Summit. In order to substantiate his claims he had sent proof to The Hacker News. Xiaomi panicked and sought a restraining order against the Taiwanese man, preventing him from presenting his findings. Xiaomi effectively killed the story, and the findings could not legally be shown.
Interestingly enough, this story incorporates all of the Xiaomi ‘Three D’s’ of obstruction.
Initially they denied the hacker’s claims, calling them a ‘hoax’. They said that no one had breached their systems (Deny). Once proof was sent to The Hacker News, however, this charade could not be maintained. Xiaomi then said that once upon a time somebody did access their data, but only a few customer names had been found. They claimed that the vulnerability which enabled that theft had been patched and was a non-issue. In addition, ‘That breach only affected a handful of users,’ they said (Diminish). The facts show otherwise: in their writ to prevent the hacker from speaking, Xiaomi said that it sought to protect the identity of millions of their users. This obviously runs contrary to the claims just mentioned. Out of fear of what the security guru had found, Xiaomi simply sought legal recourse to prevent us from knowing the truth (Destroy).
The Bottom Line
Xiaomi’s refusal to deal with security problems in a forthright manner is surprising, if not unsettling. Perhaps they fear that bad press could torpedo their success before they get a chance to take off. This contention would hold more weight if they had acted differently when faced with such problems. It is also hard to feel sympathy for one of the world’s top five producers of smartphones. If they had only had a minor hiccup here and there it would be one thing, but Xiaomi’s problems run much deeper.
Lei Jun and company are consistent in their refusal to get to the root cause of their problems: questionable security. Their verbal sleight of hand merely makes us question their motives even more. By forbidding the Taiwanese expert to report his findings, for example, Xiaomi casts an even bigger shadow over its already stained reputation.