Security specialist on Xiaomi smartphones: "It's a backdoor with phone functions"

Reuters has issued an article warning that the Chinese giant Xiaomi is recording the personal data of millions of people about their activities on the Web, as well as about the use of the device. “It’s a backdoor to phone functionality,” Gabi Cirlig said half-jokingly about his new Xiaomi smartphone.


This seasoned cybersecurity researcher spoke to Forbes after discovering that his Redmi Note 8 smartphone was monitoring everything he did. That data was then sent to remote servers hosted by another Chinese tech giant, Alibaba, which Xiaomi is likely leasing.

Mr. Cirlig found that an alarming amount of data about his behavior was being tracked, while various other kinds of data were collected from the device at the same time; the specialist was alarmed that details of his identity and private life were fully known to the Chinese company.

When he browsed websites in the default Xiaomi browser on the device, the browser recorded every visited site, including search engine queries, whether made on Google or on the privacy-oriented DuckDuckGo, and every item viewed in the news feed of the Xiaomi shell was recorded as well. Moreover, all of this surveillance continued even when incognito mode was used.


The device recorded which folders were opened and which screens were switched to, including the status bar and the device settings page. All data was sent in batches to remote servers in Singapore and Russia, although the web domains of the servers were registered in Beijing.

At the request of Forbes, fellow cybersecurity researcher Andrew Tierney conducted his own investigation. He also found that the browsers supplied by Xiaomi on Google Play - Mi Browser Pro and Mint Browser - collect the same data. According to Google Play statistics, together they have been installed more than 15 million times, meaning millions of devices could be affected.

The problems, according to Mr. Cirlig, apply to a much larger number of models. He downloaded firmware for other Xiaomi phones, including the Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3, and confirmed that they use the same browser and probably have the same privacy issues.

There are also problems with how Xiaomi transmits data to its servers. Although the Chinese company claims that the data is encrypted, Gabi Cirlig found that he could quickly see what was being sent from his device, because the "encryption" was nothing more than base64, an encoding that anyone can reverse. It took only a few seconds to convert the data packets into readable pieces of information. He also warned: "My main privacy concern is that data sent to remote servers is very easily attributable to a particular user."
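The point about base64 is worth making concrete, because it is the check a privacy or network analyst would run on captured traffic. The helper below is an added example, not the researchers' tooling and not code from Xiaomi: it parses a form-encoded request body, attempts to decode each field as base64, and reports any field that comes out as readable text, flagging embedded URLs and device identifiers. The payload, endpoint-free field names and identifier keys are all constructed for the example; they are not real Xiaomi field names. The contrast case at the end shows that genuinely encrypted bytes, even when base64-wrapped for transport, do not decode to readable text, which is how one tells encoding from encryption in a capture.

```python
"""Triage helper: find base64-wrapped telemetry in captured request bodies.

Added example (not the researchers' or vendor's code). All payloads and field
names are constructed for illustration.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed list of keys whose presence makes a payload attributable to a device or user.
IDENTIFIER_KEYS = {"device_id", "imei", "android_id", "serial", "user_id"}


def try_base64_decode(value: str):
    """Return decoded text if `value` is base64 that yields readable text, else None.

    Accepts the standard and URL-safe alphabets and tolerates missing padding.
    Anything that decodes to non-text bytes (e.g. real ciphertext) is rejected.
    """
    s = value.strip()
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", s):
        return None
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding if the sender stripped it
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def inspect_body(body: str) -> dict:
    """Parse a form-encoded body, decode base64 fields, and report what is readable."""
    findings = {"decoded": {}, "identifiers": [], "urls": []}
    for key, values in parse_qs(body).items():
        for v in values:
            text = try_base64_decode(v)
            if text is None:
                continue
            findings["decoded"][key] = text
            try:
                obj = json.loads(text)
            except json.JSONDecodeError:
                continue  # readable but not JSON; still reported under "decoded"
            if not isinstance(obj, dict):
                continue
            for k, val in obj.items():
                if k in IDENTIFIER_KEYS:
                    findings["identifiers"].append(k)
                if isinstance(val, str) and val.startswith(("http://", "https://")):
                    findings["urls"].append(val)
    return findings


# Constructed sample: a browsing event wrapped in base64, as the article describes.
SAMPLE_EVENT = {
    "event": "page_view",
    "url": "https://duckduckgo.com/?q=privacy+browser",
    "device_id": "CONSTRUCTED-DEVICE-ID-0001",
    "android_version": "10",
    "incognito": True,
}
SAMPLE_BODY = urlencode({
    "data": base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode(),
    "v": "2",
})

# Contrast case: 32 opaque bytes standing in for real ciphertext, base64-wrapped for transport.
OPAQUE_SAMPLE = base64.b64encode(bytes(range(32))).decode()


if __name__ == "__main__":
    report = inspect_body(SAMPLE_BODY)
    print("decoded fields:", list(report["decoded"]))
    print("identifiers present:", report["identifiers"])
    print("URLs present:", report["urls"])
    print("opaque bytes readable?", try_base64_decode(OPAQUE_SAMPLE) is not None)
```

Run against a real capture, the same function applied to each request body tells you within seconds whether "encrypted" telemetry is merely encoded; the identifier list is what turns anonymous browsing data into data attributable to one device.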


In response to the researchers' conclusions, a Xiaomi representative said that the research claims are not true, that privacy and security are of paramount importance, and that the company strictly observes and fully complies with local laws and regulations on user privacy. But the spokesperson confirmed that browsing data is being collected, arguing that the information is anonymous and not tied to any individual, and that users consent to such tracking.

But as Gabi Cirlig and Andrew Tierney point out, it wasn't just the websites visited or the web searches that were sent to the server: Xiaomi also collects data about the phone, including unique numbers that identify the particular device and its Android version. Such metadata can, if desired, be easily correlated with the real person behind the screen.

A Xiaomi spokesperson also denied claims that browsing data is recorded in incognito mode. However, in their independent tests the security experts found that their web activity was sent to remote servers regardless of which mode the browser was in, and provided both photos and videos as evidence.

When Forbes provided Xiaomi with a video showing how Google searches and site visits were sent to remote servers even in incognito mode, a company representative continued to deny that the information was being recorded: "This video demonstrates the collection of anonymous browsing data, which is one of the most common solutions taken by Internet companies to improve the overall browsing experience through the analysis of non-personally identifiable information."

However, the security experts believe that the behavior of the Xiaomi browser is much more aggressive than that of other popular browsers such as Google Chrome or Apple Safari: the latter do not record browsing behavior, including URLs, without the user's explicit consent, and do not record it in private browsing mode.

In addition, Mr. Cirlig found in his research that the music player preinstalled on Xiaomi smartphones collects information about listening habits: which songs are played and when.

Gabi Cirlig also suspects that Xiaomi monitors software usage, since every time he opened an application, a small amount of information was sent to a remote server. Another anonymous researcher cited by Forbes said he had also observed the Chinese company's phones collecting similar data. Xiaomi has not commented on this.

The data is reportedly being sent to the Chinese analytics company Sensors Analytics (also known as Sensors Data), which was founded in 2015 and specializes in in-depth analysis of user behavior and professional advisory services. Its tools help clients uncover hidden data by examining key behaviors. A Xiaomi spokesperson confirmed the connection with the startup: "While Sensors Analytics provides a data analytics solution for Xiaomi, the collected anonymous data is stored on Xiaomi's own servers and will not be shared with Sensors Analytics or any other third party companies."

Source: 3dnews.ru
