Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data

Posted by timothy on from the they're-just-making-a-copy dept.

They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?

7 of 164 comments (clear)

  1. Obligatory by Anonymous Coward · · Score: 2, Informative

    "By not having one" comment

  2. So a non-denial denial by Anonymous Coward · · Score: 5, Informative

    The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.

    "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

    So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends to PHONE NUMBERS and IMEI details without permission.

    This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.

    1. Re:So a non-denial denial by benjymouse · · Score: 5, Informative

      Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.

      I know this is slashdot, but if you start making claims about what is *not* in the article, could we at least expect you to look for it yourself?

      F-Secure saw the communication even before they created a Mi cloud account.

      The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

      - Inserted SIM card
      - Connected to WiFi
      - Allowed the GPS location service
      - Added a new contact into the phonebook
      - Send and received an SMS and MMS message
      - Made and received a phone call

      "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

      I do not often say this on ./ but you're an idiot!

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    2. Re:So a non-denial denial by Anonymous Coward · · Score: 5, Informative

      Mi Cloud is turned off, you never read their claim, they never turned it on, it was a new handset tested.

      The phone sends your phone number to Xiaomi, it sends your IMEI and your network provider. F-Secure tested it by sending an SMS, and the handset sent the number of that SMS too. They added a contact and that phone number of the added contact was sent too.

      All of this with Mi Cloud turned off on a freshly bought Xiaomi handset.

      Your Android handset certainly does not do this, and not without permission and it is *not* acceptable.

  3. Off-topic rant... by Anonymous Coward · · Score: 0, Informative

    What's with all this Sinophobia and Russophobia, slashdot?
    I know it's good for marketing (news sites make loads of money by exaggerating facts while pushing some propaganda), but seriously, can you put yourselves in the shoes of those foreigners living in your country?
    For example, from the articles related to Russia I've read, EVERY ARTICLE has been shown to be manipulative and politically biased by its own commenters. How do you think Russians feel? EACH AND EVERY SINGLE article about Chinese technology mentions malware, "hacking" or the chinese military. I got news for you: China and Russia are SCAPEGOATS, and the infosec industry PROFITS from it. Who are the ones in the infosec industry? YOUR MILITARY. Do you really believe the Chinese Goverment controls all the devices made in China? No? Then WHY do you keep spreading PROPAGANDA?
    Really, what does it matter to you if someone in some remote country are killing one each other? And how does THAT relates to NERDS and TECHNOLOGY? I you will publish political stuff, CAN you at least TRY to show a less biased point of view?
    And finally.... what about some navel gazing? Can't you do some analogy to your own articles with your own laws/products/companies/whatever? What about some analysis about how much your own people cares, and does, against their own government? Why don't you stop spreading ideological bullshit about "freedom" and "democracy", if you have NO moral ground to criticize other people's countries?
    Either mind your own fucking business and stop spreading military/govt propaganda against other governments, try to be less biased, or simply make your editorial line public and show less hypocrisy, most of the stuff about Russia/China has nothing to do about NERDS or TECHNOLOGY, it's none of your business, and while you push for this propaganda, you are omitting what is already happening in your own country.

  4. Re:Normal now by Zumbs · · Score: 4, Informative

    Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge

    Half? Try 99% of the top 400 apps on both Android and iPhone. I also seem to remember that Apple got into problems because they were uploading user data without permission.

    --
    The truth may be out there, but lies are inside your head
  5. Re:Normal now by sribe · · Score: 4, Informative

    I also seem to remember that Apple got into problems because they were uploading user data without permission.

    Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.