“It’s a backdoor with phone features.” That was how Gabi Cirlig, a cybersecurity researcher, described his new Redmi Note 8 smartphone. He spoke to the media after discovering that the phone was recording much of what he did on its screen. That data was then sent to remote servers hosted by Alibaba, another major Chinese technology company, which Xiaomi appears to rent for the purpose.
The researcher found that a disturbing amount of his behaviour was being tracked, and that various kinds of device data were collected alongside it, leaving him worried that his identity and private life could be exposed.
When he browsed the web in the device’s default Xiaomi browser, the phone recorded every website he visited. That included search queries, whether made on Google or on the privacy-focused DuckDuckGo. The tracking continued even when he used the browser’s so-called private “incognito” mode.
The device also recorded which files he opened and which screens he navigated to on the phone. All of this was aggregated and sent to remote servers in Singapore and Russia, although the web domains those servers answered to were registered in Beijing.
Xiaomi mobiles accused of collecting more data than they should
To verify his claims, Forbes asked cybersecurity researcher Andrew Tierney to investigate. The latter also discovered that the browsers provided by Xiaomi on Google Play – Mi Browser Pro and Mint Browser – collect the same data. Together they have more than 15 million downloads, according to statistics from Google Play.
Millions of people are likely to be affected by what Cirlig describes as a serious privacy issue, although Xiaomi denies that there is a problem. With a market capitalisation of $50 billion, Xiaomi is one of the four largest smartphone manufacturers in the world by market share, behind Apple, Samsung and Huawei. Most of its sales come from entry-level and mid-range devices that offer many features of high-end phones. For customers, that low price may carry a hidden cost: their privacy.
Cirlig believes the problem affects many more models than the one he tested. He downloaded the firmware for other Xiaomi phones, including the Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3, and confirmed that they shipped the same browser code, which led him to conclude that they share the same privacy issues.
There also appear to be problems with the way Xiaomi transfers the data to its servers. Although the company says the data is encrypted in transit to protect users’ privacy, Cirlig found that he could quickly read what his device was sending by decoding a block of data that had merely been base64-encoded. Base64 is a reversible encoding, not encryption: it hides nothing from anyone who can read the traffic, and it took Cirlig only seconds to turn the encoded blob back into readable information.
Xiaomi denies any privacy problem on the grounds that the data is encrypted during transmission. Even if the connection itself uses transport encryption, that only shields the data from on-path observers; it says nothing about what the recipient can read, and a payload that is only base64-encoded is readable by anyone who obtains it in seconds.
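The check a practitioner would run on a captured payload like the one described above is simply to attempt a base64 decode of every field and see which ones turn into readable text. The following script is an added example, not code from the article or from Xiaomi; the form-encoded telemetry body it inspects is constructed for illustration and does not represent Xiaomi’s actual request format. It also handles the two variants that trip up a naive decode: URL-safe alphabets (“-” and “_” instead of “+” and “/”) and stripped “=” padding.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qsl

# Constructed sample of a form-encoded telemetry body. Purely illustrative:
# the field names and values are invented for this example and are not
# Xiaomi's real request format.
SAMPLE_BODY = (
    "ver=1"
    "&model=Redmi"
    "&url=aHR0cHM6Ly9kdWNrZHVja2dvLmNvbS8/cT10YXgrYWR2aWNl"
    "&file=SU1HXzAwNDIuanBn"
    "&incognito=dHJ1ZQ"   # padding stripped, as some clients do
)


def try_decode_base64(value: str) -> Optional[str]:
    """Return the decoded text if `value` is valid base64 (standard or
    URL-safe alphabet, padding optional) that decodes to printable UTF-8;
    otherwise return None.

    Note: very short values (two or three characters) can decode to a
    printable byte by coincidence, so treat hits on tiny fields as
    candidates to confirm by hand, not as proof."""
    # Normalise the URL-safe alphabet to the standard one so a single
    # strict decoder handles both.
    normalised = value.replace("-", "+").replace("_", "/")
    # Restore any padding the sender stripped; base64 length is a
    # multiple of 4 once padded.
    normalised += "=" * (-len(normalised) % 4)
    try:
        raw = base64.b64decode(normalised, validate=True)
    except (binascii.Error, ValueError):
        return None   # characters outside the alphabet, or bad length
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None   # valid base64, but the bytes are not text
    if not text or not text.isprintable():
        return None
    return text


def find_base64_fields(body: str) -> Dict[str, str]:
    """Walk every key=value pair in a form-encoded body and return the
    fields whose values decode from base64 to readable text."""
    found: Dict[str, str] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_decode_base64(value)
        if decoded is not None:
            found[key] = decoded
    return found


if __name__ == "__main__":
    for key, text in find_base64_fields(SAMPLE_BODY).items():
        print(f"{key}: {text}")
```

Run against the constructed body, the script reports the visited URL (including the search query), the opened file name and the incognito flag in the clear. That is the whole point: an encoding that any observer can reverse with a few lines of code gives none of the confidentiality that “encrypted” implies. Real payloads are often nested (base64 wrapping JSON, or gzip wrapping base64), so in practice the same decode is applied again to anything that comes out looking like structured data.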
“Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”