F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data
They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?
"By not having one" comment
One could always try one of these...
Nice little phone
Xiaomi smartphones do in fact upload user data without their permission/knowledge
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
I'm sure as hell not going to commit any genuinely private data to ANY network or device without encryption.
many stories on Slashdot end with a question mark.
What do you think, is this a good or bad thing?
I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?
By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.
Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
You've never been able to control your cell phone: even something as innocuous as communicating with a cell tower in range is something you might not want to happen.
If you want to keep your data private, do not let it get anywhere near your phone.
Oh, someone swears it's all a-okay. I'm totally reassured now...
So far, all they've found it doing is reporting the IMEI by sending an HTTP GET to http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01. The data is transmitted as a cookie of the form deviceId=IMEI. (The API returns a brief reply in JSON.) That tells them the phone has connected to the phone network, and its IP address. That's not particularly interesting information. The carrier knows the IMEI number, too, of course. Perhaps this is to check up on whether carrier-reported sales data matches actual phones coming on the air.
Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
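The commenter above describes the observed leak concretely: a GET to api.account.xiaomi.com carrying a deviceId=IMEI cookie. The following is an added example (not part of the original thread or of F-Secure's report) of a small detector a practitioner could run over captured plaintext HTTP requests to flag IMEI-shaped values leaving the device. It parses each request's cookie header and query string, and treats a value as an IMEI only if it is 15 digits and passes the Luhn check that real IMEIs satisfy. The sample requests are constructed; the host and cookie name come from the comment, the IMEI digits are the standard documentation example, and the other two requests are invented negatives.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample capture (not real traffic). Request 1 mirrors the
# observed pattern from the comment; requests 2 and 3 are made-up negatives:
# a non-numeric deviceId and a 15-digit value that fails the Luhn check.
SAMPLE_REQUESTS = [
    "GET http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01 HTTP/1.1\r\n"
    "Host: api.account.xiaomi.com\r\n"
    "Cookie: deviceId=490154203237518\r\n\r\n",
    "GET http://example.com/index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123; deviceId=notanimei\r\n\r\n",
    "POST http://telemetry.example.net/report HTTP/1.1\r\n"
    "Host: telemetry.example.net\r\n"
    "Cookie: id=123456789012345\r\n\r\n",
]

IMEI_RE = re.compile(r"\d{15}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by IMEI: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into method, URL and a lowercased header map."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method, "url": url, "headers": headers}


def kv_pairs(text: str, sep: str) -> List[Tuple[str, str]]:
    """Parse 'a=1; b=2' (sep=';') or 'a=1&b=2' (sep='&') into (name, value) pairs."""
    out = []
    for part in text.split(sep):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out.append((k, v))
    return out


def find_imei_leaks(raw_requests: List[str]) -> List[Dict[str, str]]:
    """Return one finding per cookie or query parameter whose value is a Luhn-valid IMEI."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        headers = req["headers"]
        host = headers.get("host", "?")
        candidates = [("cookie:" + k, v) for k, v in kv_pairs(headers.get("cookie", ""), ";")]
        query = str(req["url"]).partition("?")[2]
        candidates += [("query:" + k, v) for k, v in kv_pairs(query, "&")]
        for where, val in candidates:
            if IMEI_RE.fullmatch(val) and luhn_ok(val):
                findings.append({"host": host, "where": where, "imei": val})
    return findings


if __name__ == "__main__":
    for f in find_imei_leaks(SAMPLE_REQUESTS):
        print(f"IMEI {f['imei']} sent to {f['host']} via {f['where']}")
```

The Luhn check is what keeps the third request out of the findings: a 15-digit value alone is not enough evidence. In practice you would feed this the requests decoded from a capture taken on your own access point or a test base station, with the caveat from later in the thread that a device may behave differently on a network it does not recognise.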
Well he was one hell of a lot more convincing than you.
Which was not difficult.
Look, these days if you want to be safe, do not use a smartphone. Get a dumb phone, then you don't have to worry about any apps leaking your data.
Either an app will leak your data, someone will hack your phone, you leave it somewhere or someone steals it. Either way, you are screwed if you use your phone for all sorts of personal/business stuff.
I guess it's about convenience over personal/financial/business safety.
Be seeing you...
The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends to PHONE NUMBERS and IMEI details without permission.
This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.
It's as simple as that. It doesn't matter if you turn on mobile data as long as that is under the control of the phone's operating system, and it doesn't matter if you pay attention to your cell phone bill, as traffic to and from specific government servers is likely exempt from the monthly traffic calculations just as the provider's own servers are likely to be. It doesn't matter if you monitor your wireless network, since questionable transmissions are likely to only go through mobile data, as that's harder to monitor.
While you may be able to test this with your own base station, the phone might also detect that it's not on an official network and therefore not do anything, but that's probably taking it a bit far.
While you could switch to a "dumb" phone, those are of course also trackable, and your conversations and messages can still be monitored, so I don't see any real gain there.
Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.
Get a Blackphone
Www.blackphone.ch
What's with all this Sinophobia and Russophobia, slashdot?
I know it's good for marketing (news sites make loads of money by exaggerating facts while pushing some propaganda), but seriously, can you put yourselves in the shoes of those foreigners living in your country?
For example, from the articles related to Russia I've read, EVERY ARTICLE has been shown to be manipulative and politically biased by its own commenters. How do you think Russians feel? EACH AND EVERY SINGLE article about Chinese technology mentions malware, "hacking" or the Chinese military. I got news for you: China and Russia are SCAPEGOATS, and the infosec industry PROFITS from it. Who are the ones in the infosec industry? YOUR MILITARY. Do you really believe the Chinese Government controls all the devices made in China? No? Then WHY do you keep spreading PROPAGANDA?
Really, what does it matter to you if people in some remote country are killing each other? And how does THAT relate to NERDS and TECHNOLOGY? If you will publish political stuff, CAN you at least TRY to show a less biased point of view?
And finally.... what about some navel gazing? Can't you do some analogy to your own articles with your own laws/products/companies/whatever? What about some analysis about how much your own people cares, and does, against their own government? Why don't you stop spreading ideological bullshit about "freedom" and "democracy", if you have NO moral ground to criticize other people's countries?
Either mind your own fucking business and stop spreading military/govt propaganda against other governments, try to be less biased, or simply make your editorial line public and show less hypocrisy, most of the stuff about Russia/China has nothing to do about NERDS or TECHNOLOGY, it's none of your business, and while you push for this propaganda, you are omitting what is already happening in your own country.
There is no privacy. I knew a man who repaired pagers and police radios, etc. He worked in a small shop that was surrounded by copper screens and everything was grounded to eliminate any stray signals. Think of a clean room. So who can live like that?
microsoft corporation's product called 'windows' does exactly the same.
And millions of pleb users still use it without saying anything.
Because the American phone manufacturers don't do the same thing?
http://online.wsj.com/news/art...
Don't trust any company with your personal information - or accept that it's going to be shared with whoever has the money to pay for it, or the power to grab it.
blindly antisocialist = antisocial
How about Blackberry Q10 and Silent Circle Blackphone?
I have a BB's Q10 and all the data is encrypted. I hope this helps and is better than iPhone or any other out there.
Silent Circle Blackphone is supposed to be the real deal but they did not have a version with a QWERTY keyboard.
Please, somebody tell the Chinese that this is not a feature users want, even if all the big vendors have implemented it!
There are bad people in the world. Sometimes those bad people run countries.
Russia and China are two such countries.
For this article, a Chinese phone maker is sending your private data to its servers without need or agreement. It is breaking the privacy law in Europe doing so. Do we simply ignore that because its Chinese?
It doesn't just send your phone number, IMEI and telco details, it sends the numbers of everyone you add to your phone book, and the phone numbers of SMSs received. These third-party people didn't agree to this either. Their privacy is violated also.
As to Russia, do you genuinely believe the Crimea suddenly swung to be totally pro-Russia? Or did Putin simply get a made-up poll? Clearly it's a fake poll, and so the Crimea has been invaded. Ukraine is next; real people are dying there at the hands of Russian soldiers.
Is that Russophobia? No, it's the unpleasant truth.
Should I sugar coat it so that Russians living abroad feel happier? Perhaps their feelings aren't the most important thing here. Putin is killing people.
...the sky is blue.
Carry on.
Written by people that care about your privacy.
Surely I'm not the only one who looks at the supercomputer in her pocket which is capable of speaker independent voice recognition, and often wonders whether encrypted text versions of *all* the conversations she's been having in its proximity are getting squirted off somewhere s33kr1t in the middle of the night, when no-one would notice a stray packet or two...
Frankly at this point, I'd rather the Chinese have my data, to be honest. They won't share it with the Australian/Five Eyes governments, and since I live in a Five Eyes country, that works better for me. It's not like they'll put me in a prison from China for some BS they find on my phone. My own government, on the other hand, is much more likely to screw up my life using my own private data.
The data is copied, not "stolen". Get it right!
Using a dumb phone is not a solution. Everything a dumb phone does, by which I mean mainly messaging and phone calls, can be monitored anyway, as well as the location of the phone, by triangulation. All this means is that you lose features with implied privacy issues by going from a smart to a dumb phone, but are left with the remaining features that also have privacy issues.
There are 4 main smartphone brands:
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Of those 4 companies, which do you think you are going to have the toughest time with on privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android; it is quite obviously going to be the worst of the 4. You are going to have to cut against the grain to be secure on a platform designed for advertisers. The other 3, while they may have problems, are all much, much better on privacy. Blackberry's Balance feature allows you to create a container which divides your data into a secure side and an insecure side. They offer things like secure browsing by default. If you want security, choose an operating system designed to enhance, not reduce, security. Apple and Microsoft are sort of midpoints. Apple is very good about not allowing applications to upload data you don't know about; sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited-interaction approach; we'll see if over time they maintain it. If you want to use these devices and have secure data, something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.
> Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details [...]
While it's important to keep that in mind, the "this won't help" mindset is a classic fallacy: someone has got to start, and if (and when) it's widespread enough, it'll help all of us. Like hygiene.
You don't spit on the roads, do you? Or do you shit out your window?
So if you implement that -- have a talk with your friends about it too.
I changed my default search engine to something other than Google; however, I see a quick stint of traffic heading to google.com whenever I search.
Currently the only way to have a safe phone is one with verified OSS and a modem that can be disabled by powering it down. In order to stay in communication, a POCSAG pager module can receive incoming calls; the phone owner can then decide whether to power up, with an easy-to-use app, and call back the number received in the page.
As far as I can tell, they say that the IMEI and the telco's name were sent to the Xiaomi servers. Does that count as stealing user data?
So what?
Due to patent issues, they will not be coming to the US/EU.
If you are in China, you don't care.
If you got it through the gray market, you don't care.
I don't care
So should "find restaurants near me" apps instead require users to download the complete list of worldwide restaurants? Because even clicking on a map or entering a postal code is "location data". Another is to satisfy movie studios that refuse to license works for streaming unless the provider can positively match viewers to a country whitelist.
But perhaps they struggle to find buyers largely because there is no pre-order option.
Perhaps that's because payment processors want a ship date in the next 30 days. OpenPandora had to refund a lot of preorders when it couldn't ship in that time frame.
I don't think compasses will remain useful for centuries to come. Changes in the magnetic poles and their eventual reversal will cause compasses to stop working at some point, and then reverse once the polarity is reversed.
Yes, because they're Chinese. And Chinese people steal stuff.
Location data and contact/address data are sensitive yet inextricably linked to how people use trackers (also known as cell phones and other portable electronic devices). Whether the device conveys GPS coordinates, can be tracked to a remarkably small area via cell tower triangulation, or unknown (to the user) parties get the information from a proprietor (such as Apple), the privacy loss inherent in ordinary tracker operation makes it impossible to "avoid storing sensitive data on the phone".
This is no accident. When societies face the combination of nonfree software (both in the OS and in programs people are encouraged to install later), devices that are as close to always-on as is possible for mobile computing, and a userbase as persistently distracted away from focusing on their civil liberties as most tracker users are (no thanks to sites like /. which carry stories like these without any ethical critique to go alongside the corporate-written, stock-price-sensitive spin), results like these are the outcome. Add to that the unethical ways in which trackers are made (such as Apple turning a blind eye to the environment in China or exploiting workers at Pegatron even worse than at Foxconn, but Apple is certainly not alone in any of this) and you have an ugly recipe for abuse from end to end. Many thanks to people including Richard Stallman for compiling useful information about all of this and for his many years of warning people against nonfree software.
Digital Citizen
That's why I like my Symbian-enabled Nokia phone. But it is just belief; as a matter of fact I'm not sure if it is safer to use Symbian phones.
But it's China.
You know. The evil communists.
Well, ok, they're not communists any more. But they're still socialists, and that's almost as evil.
Of course the NSA is evil, too, but they're American, so they're ok. Rah, rah, rah, USA!
I do not fail; I succeed at finding out what does not work.
Right. And all those people who showed information being uploaded are just paranoid people.
Uh, you have been following the news, right, the stories where Blackberry voluntarily agrees to hand over wholesale all the information they have to governments like India, Saudi Arabia, etc.?
You know, the phone where *ALL* your data have to pass through their data centers?
Are you sending anonymous statistics? Or allowing auto-complete in the browser bar? All of these features rely on data being sent to Google's servers.
They snooped the phone out of the box to see what was sent. Have them try that again with a Galaxy S5 and iPhone5 and see the results.
Yes, new smartphones call home. The question of "does this do it more than anyone else?" wasn't answered.
Learn to love Alaska
Even if the operating system did support a hostname whitelist in application manifests, a whitelisted server could still proxy an application's requests. So one host controlled by the application publisher means all hosts.
Dear AC:
I have a pussy in addition to a small dick.
Nuff said.
Timothy
A Chinese brand that sells a mobile phone that steals/copies your data... I'd call it F-Surprise
ps. was going to say "manufacturer", but who are we kidding when we say the rest aren't manufactured in China?
Don't put any data on it. I don't.
If I have the choice between a company in the deep end of China and the Google spider, who knows my place, my surfing habits, my identities, the list of my internet and phone tools, and has a close relationship with the NSA, no doubt I choose the Chinese company. It will not bother me on my browser with ads, and will not be spying on all my other mails for unwanted ears.
The Chinese Communist Party is on its last straw of survival, facing stress from:
1. external opposing forces from all other countries in the world.
2. internal pressure from all Chinese places, e.g. mainland, Hong Kong, Taiwan, Xinjiang, Macau etc.
3. its own economy no longer developing, due to the absence of law and morals.
4. its inner problems all surfacing, e.g. debt, lack of soft power, no morals whatsoever.