Xiaomi, Backdoors and Data Security

Leave a comment

May 28, 2015 by ...

Xiaomi has been needled in the press over security concerns. Some of this has to do with the legacy of distrust surrounding Chinese cell phone manufacturers. Companies such as Huawei have been linked to the communist party and accused of espionage, a thing they deny. It his hard to take them at their word, however, when one considers that they allegedly hacked the emails of South Sudanese government officials and forged emails from them. Such acts prove anything but Huawei’s commitment to privacy and integrity.

Of course that is Huawei and not Xiaomi, but generalizations being what they are, Xiaomi will undergo more scrutiny than companies from other parts of the world. Xiaomi’s Lei Jun should understand this based on his IT background, but it seems as if he does not.

Xiaomi, short history of international sales, growing history of data theft

In Xiaomi’s short history they have done little to dispel security concerns surrounding their kit. In fact, one would be hard pressed to find a firm which has caused more of a panic in such a short period of time. Although they have only been selling phones internationally for nearly six months, they have wrought the ire of a handful of countries. As many as three of those countries have espressed enough concern that they are considering banning Xiaomi gear in one manner or the other.

Much of this stems from a China-wide data theft problem as discussed here:

“Mysterious files were found on two models of Sony Xperia smartphones which researchers found are relaying data to Chinese servers.

The file is called “Baidu,” which is China’s version of Google…If a user tries to remove the file, it automatically restores itself after a short time. The independent Xperia Blog says the file is rooted in the firmware of the phones.

In all cases, the breach used an infected smartphone app rooted in the firmware of the phone that relays data back to China.

In all three cases, the infected app would also restore itself if deleted, since it was rooted in the phone’s firmware.

German security company G Data revealed on June 16 that China’s Star N9500 smartphones which are sold online by a company with no name, contain a file called Uupay.D which relays data from the phone back to China.

The phone’s spying file was disguised as a Google Play program and runs quietly in the background… “The possibilities with this spy program are almost limitless.”

Just one month later, a similar spying app was found on smartphones from China’s Xiaomi.

It was first uncovered by a user on Hong Kong forum IMA Mobile who was reviewing the Xiaomi Redmi Note 

The Xiaomi Redmi Note smartphones were continually trying to connect to an IP address in Beijing. Researchers found the phones continued relaying data even if they erased the phones and installed new versions of Android—suggesting again the “feature” is in the phone’s firmware.

Deny, Diminsh and Destroy, the Xiaomi way?

This ‘hiccup’ was only part of the problem, however, as Xiaomi did little to assuage fears of wrong doing. Their initial response was to deny the allegations, then they diminished those claims and finally even tried to destroy the evidence.


When initially faced with accusations that their phones had been swiping data, Xiaomi responded with an unequivocal ‘No we are not!”. The facts however, proved otherwise. Faced with this problem, Xiaomi burrowed deeper into ‘circle the wagons’ mode and change tack.


Xiaomi then admitted their phones were taking a peek at data but said it was all done to help and not hurt customers. All they were doing was ‘storing’ messages, pictures and contact lists in order to make it easier to send and receive the same, or so they said.

As one can

Destroy evidence



Link here

Xiaomi also tried to regain public trust by making its cloud-based messaging service, which the company says was the problem, opt-in rather than an opt-out so users can choose whether their messaging data is being sent at all.

F-secure later acknowledged that after this update, the phones that had disabled the cloud messaging app did not seem to be sending any data to remote servers.

In a facebook post, vice president of Xiaomi, Hugo Barra, wrote, “We take rigorous precautions to ensure that all data is secured when uploaded to Xiaomi servers and is not stored beyond the time required.”

But many cyber security experts are still concerned that this hasn’t fixed the true problem.

Sending Data to China

According to Rishi Kant, CEO of Secure Vision Lab Pvt. Ltd, a cyber security company based in New Delhi, Xiaomi phones have a backdoor in their firmware that lets user data be sent to servers in Beijing, regardless of what software updates the user makes.

Kant explains that companies use backdoor applications to steal users information so they can use that data for research and development to expand their markets, or share that data with a government for espionage purposes.

Around the world, Chinese companies have frequently been accused of espionage, and the thought of a Chinese company, even if it is a private one like Xiaomi, having access to so much user data is not something that sits well with many users.

Recently The Hacker News reported that a Taiwanese security expert was able to hack the Xiaomi website and gain access to millions of Xiaomi user accounts the company is allegedly storing.

He was set to present his findings at the Ground Zero Summit, a hacker conference in New Delhi in November, but his presentation was suddenly pulled “till Xiaomi investigates the data breach and the accusations made by the researcher,” the organizer told The Hacker News.

The security expert contacted The Hacker News and showed them a sample of his findings, which the website posted in an image with the personal information blurred out.

Xiami claimed in a statement, obtained by The Hacker News, that the findings of the researcher are “a hoax” and says it will pursue legal action.

India Data Center

Kant is not confident that having a data center in India would help with security, as Xiaomi would still likely monitor it.

“There’s no guarantee data will not go to China because it is a distributor server and that means it’ll be linked with servers in China. In India we don’t have a system to monitor it all the time,” he said.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 85 other followers

Stat Counter

counter for wordpress

Member of The Internet Defense League

Blog Stats

  • 52,373 hits
May 2015
« Apr   Jun »
%d bloggers like this: