Photo
Credit: 123RF.com
Team TC
12 Aug, 2022
Security researchers have found vulnerabilities
in Xiaomi phones’ trusted environment, which could have affected more than a
billion users. If left unpatched, they could have allowed attackers to steal
private keys used to login into payment apps such as WeChat Pay, the
researchers warned.
The vulnerabilities were flagged by
Cybersecurity firm Check Point Research (CPR), which said that Xiaomi
acknowledged and fixed the security flaws after they were brought to its
attention.
Though CPR didn't disclose the name
of the afflicted Xiaomi devices, it said that they were powered by MediaTek
chips.
A trusted environment is an isolated
space on a smartphone that is designed to run trusted apps with higher security
and privacy demands. Most payment apps such as WeChat and Samsung Pay use this
space to store tokenised information such as private keys and passwords.
“We were able to hack into WeChat Pay
and implemented a fully worked proof of concept,” Slava Makkaveev, a security
researcher at CPR said in a statement.
Makkaveev and his team, during their
research, found that the vulnerabilities could have been exploited to attack
the trusted code in two ways. In the first method, they installed a malicious
application and used it to extract the private keys and send a fake payment
packet to steal the money.
In the second method, they rooted the
device to downgrade the trust environment and then ran a code to create a fake
payment package without involving an application.
“We discovered a set of
vulnerabilities that could allow forging of payment packages or disabling the
payment system directly, from an unprivileged Android application,” added
Makkaveev.
Makkaveev urged users to apply the
latest updates and security patches released by the company.
Though Makkaveev said that this is
the first time Xiaomi's trusted applications are being reviewed for security
issues, CPR has flagged vulnerabilities in Xiaomi devices in the past. For
instance, in 2019, CPR found a vulnerability in a pre-installed security app
called Guard Provider on Xiaomi smartphones. The network traffic of the app was
found to be unsecured and vulnerable to man-in-the-middle attacks (MIMT).
https://www.techcircle.in/2022/08/12/security-flaws-found-in-xiaomi-phones-trusted-environment-could-have-affected-over-1-billion-users
Exclusive: Warning Over Chinese Mobile
Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
Apr 30, 2020, 09:25am EDT
Thomas Brewster
Forbes Staff
Senior writer at Forbes covering cybercrime, privacy and
surveillance.
Commuters pass by Xiaomi Note 10 Pro smartphone
advertisement at its flagship store in Hong Kong. ... [+]
BUDRUL CHUKRUT/SOPA IMAGES/LIGHTROCKET VIA GETTY IMAGES
“It’s a backdoor with phone functionality,” quips Gabi Cirlig
about his new Xiaomi phone. He’s only half-joking.
Cirlig is speaking with Forbes after
discovering that his Redmi Note 8 smartphone
was watching much of what he was doing on the phone. That data was then being
sent to remote servers hosted by another Chinese tech giant, Alibaba,
which were ostensibly rented by Xiaomi.
The seasoned cybersecurity researcher found a worrying amount of
his behavior was being tracked, whilst various kinds of device data were also
being harvested, leaving Cirlig spooked that his identity and his private life
was being exposed to the Chinese company.
When he looked around the Web on the device’s default Xiaomi
browser, it recorded all the websites he visited, including search engine queries
whether with Google or the privacy-focused DuckDuckGo, and every item viewed on
a news feed feature of the Xiaomi software. That tracking appeared to be
happening even if he used the supposedly private “incognito” mode.
The device was also recording what folders he opened and to
which screens he swiped, including the status bar and the settings page. All of
the data was being packaged up and sent to remote servers in Singapore and
Russia, though the Web domains they hosted were registered in Beijing.
Meanwhile, at Forbes’ request, cybersecurity
researcher Andrew Tierney investigated further. He also found browsers shipped
by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting
the same data. Together, they have more than 15 million downloads, according to
Google Play statistics.
Forbes
Daily: Get our best stories, exclusive reporting and essential analysis of the
day’s news in your inbox every weekday.
Many more millions are likely to be affected by what Cirlig
described as a serious privacy issue, though Xiaomi denied there was a problem.
Valued at $50 billion, Xiaomi is one of the top four smartphone makers in the
world by market share,
behind Apple, Samsung and Huawei. Xiaomi’s big sell is cheap devices that have
many of the same qualities as higher-end smartphones. But for customers, that
low cost could come with a hefty price: their privacy.
Cirlig thinks that the problems affect many more models than the
one he tested. He downloaded firmware for other Xiaomi phones—including the Xiaomi MI 10, Xiaomi Redmi K20 and
Xiaomi Mi MIX 3 devices. He then confirmed they had the same browser code,
leading him to suspect they had the same privacy issues.
And there appear to be issues with how Xiaomi is transferring
the data to its servers. Though the Chinese company claimed the data was being
encrypted when transferred in an attempt to protect user privacy, Cirlig found
he was able to quickly see just what was being taken from his device by
decoding a chunk of information that was hidden with a form of easily crackable
encoding, known as base64. It took Cirlig just a few seconds to change the
garbled data into readable chunks of information.
“My main concern for privacy is that the data
sent to their servers can be very easily correlated with a specific user,”
warned Cirlig.
Xiaomi’s
response
In response to the findings, Xiaomi said, “The research claims
are untrue,” and “Privacy and security is of top concern,” adding that it
“strictly follows and is fully compliant with local laws and regulations on
user data privacy matters.” But a spokesperson confirmed it was collecting browsing
data, claiming the information was anonymized so wasn’t tied to any identity.
They said that users had consented to such tracking.
But, as pointed out by Cirlig and Tierney, it wasn’t just the
website or Web search that was sent to the server. Xiaomi was also collecting
data about the phone, including unique numbers for identifying the specific
device and Android version. Cirlig said such “metadata”
could “easily be correlated with an actual human behind the screen.”
Xiaomi’s spokesperson also denied that browsing data was being
recorded under incognito mode. Both Cirlig and Tierney, however, found in their
independent tests that their web habits were sent off to remote servers
regardless of what mode the browser was set to, providing both photos and
videos as proof.
When Forbes provided
Xiaomi with a video made by Cirlig showing how his Google search for “porn” and
a visit to the site PornHub were sent to remote servers, even when in incognito
mode, the company spokesperson continued to deny that the information was being
recorded. “This video shows the collection of anonymous browsing data, which is
one of the most common solutions adopted by internet companies to improve the
overall browser product experience through analyzing non-personally
identifiable information,” they added.
Both Cirlig and Tierney said Xiaomi’s behavior was more invasive
than other browsers like Google Chrome or Apple Safari. “It’s a lot worse than
any of the mainstream browsers I have seen,” Tierney said. “Many of them take
analytics, but it's about usage and crashing. Taking browser behavior,
including URLs, without explicit consent and in private browsing mode, is about
as bad as it gets.”
Cirlig also suspected that his app
use was being monitored by Xiaomi, as every time he opened an app, a chunk of
information would be sent to a remote server. Another researcher who’d tested
Xiaomi devices, though was under an NDA to discuss the matter openly, said he’d
seen the manufacturer’s phone collect such data. Xiaomi didn’t respond to
questions on that issue.
‘Behavioral
Analytics’
Xiaomi appears to have another
reason for collecting the data: to better understand its users’ behavior. It’s
using the services of a behavioral analytics company called Sensors Analytics.
The Chinese startup, also known as Sensors Data, has raised $60 million since
its founding in 2015, most recently taking $44 million in a round led by New
York private equity firm Warburg Pincus, which also featured funding from
Sequoia Capital China. As described in Pitchbook, a tracker of company funding,
Sensors Analytics is a “provider of an in-depth user behavior analysis platform
and professional consulting services.” Its tools help its clients in “exploring
the hidden stories behind the indicators in exploring the key behaviors of
different businesses.”
Both Cirlig and Tierney found their
Xiaomi apps were sending data to domains that appeared to reference Sensors
Analytics, including the repeated use of SA. When clicking on one of the
domains, the page contained one sentence: “Sensors Analytics is ready to
receive your data!” There was an API called SensorDataAPI—an API
(application programming interface) being the software that allows third
parties access to app data. Xiaomi is also listed as a customer on Sensors
Data’s website.
The founder and CEO of Sensors Data,
Sang Wenfeng, has a long history in tracking users. At Chinese internet giant
Baidu he built a big data platform for Baidu user logs, according to his
company bio.
Xiaomi’s spokesperson confirmed the
relationship with the startup: “While Sensors
Analytics provides a data analysis solution for Xiaomi, the collected anonymous
data are stored on Xiaomi's own servers and will not be shared with Sensors
Analytics, or any other third-party companies.”
It’s the second time in two months
that a huge Chinese tech company has been seen watching over users’ phone
habits. A security app with a “private” browser made by Cheetah Mobile, a
public company listed on the New York Stock Exchange, was seen
collecting information on Web use, Wi-Fi
access point names and more granular data like how a user scrolled on visited
Web pages. Cheetah argued it needed to collect the information to protect users
and improve their experience.
Late in his research, Cirlig also
discovered that Xiaomi’s music player app on his phone was collecting
information on his listening habits: what songs were played and when.
One message was clear to the
researcher: when you’re listening, Xiaomi is listening, too.
UPDATE: Xiaomi
posted a blog in which it delineated how and when it collects visited URLs
visited by its users. Read it in full here.
The company reiterated that the data
transferred from Xiaomi devices and browsers was anonymized and not attached to
any identity.
On May 3, Xiaomi announced that
in its next browser update, it’d allow customers to stop their visited websites
being sent to the Chinese company’s servers.
The browsers will include “an option
in incognito mode ... to switch on/off the aggregated data collection, in an
effort to further strengthen the control we grant users over sharing their own
data with Xiaomi. The software updates will be submitted to Google Play for
approval within today.”
“We believe this functionality, in
combination with our approach of maintaining aggregated data in
non-identifiable form, goes beyond any legal requirements and demonstrates our
company’s commitment to user privacy,” Xiaomi added.
Follow me
on Twitter. Check
out my website. Send
me a secure tip.
Thomas Brewster
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/?sh=7f94139a1b2a
Lithuanian
cybersecurity agency warns against use of Chinese-made Xiaomi and Huawei phones
over data privacy concerns
Xiaomi phones also carry
the risk of possible restrictions on freedom of expression because apps receive
updated lists of censored words and phrases and are capable of blocking them,
according to investigations
The Associated Press September 22, 2021 22:17:23 IST
https://www.firstpost.com/world/lithuanian-cybersecurity-agency-warns-against-use-of-chinese-made-xiaomi-and-huawei-phones-over-data-privacy-concerns-9988301.html
