Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data

Posted by timothy on from the they're-just-making-a-copy dept.

They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?

5 of 164 comments (clear)

  1. So a non-denial denial by Anonymous Coward · · Score: 5, Informative

    The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.

    "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

    So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends to PHONE NUMBERS and IMEI details without permission.

    This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.

    1. Re:So a non-denial denial by benjymouse · · Score: 5, Informative

      Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.

      I know this is slashdot, but if you start making claims about what is *not* in the article, could we at least expect you to look for it yourself?

      F-Secure saw the communication even before they created a Mi cloud account.

      The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

      - Inserted SIM card
      - Connected to WiFi
      - Allowed the GPS location service
      - Added a new contact into the phonebook
      - Send and received an SMS and MMS message
      - Made and received a phone call

      "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

      I do not often say this on ./ but you're an idiot!

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    2. Re:So a non-denial denial by Anonymous Coward · · Score: 5, Informative

      Mi Cloud is turned off, you never read their claim, they never turned it on, it was a new handset tested.

      The phone sends your phone number to Xiaomi, it sends your IMEI and your network provider. F-Secure tested it by sending an SMS, and the handset sent the number of that SMS too. They added a contact and that phone number of the added contact was sent too.

      All of this with Mi Cloud turned off on a freshly bought Xiaomi handset.

      Your Android handset certainly does not do this, and not without permission and it is *not* acceptable.

  2. Re:Normal now by Zumbs · · Score: 4, Informative

    Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge

    Half? Try 99% of the top 400 apps on both Android and iPhone. I also seem to remember that Apple got into problems because they were uploading user data without permission.

    --
    The truth may be out there, but lies are inside your head
  3. Re:Normal now by sribe · · Score: 4, Informative

    I also seem to remember that Apple got into problems because they were uploading user data without permission.

    Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.