Date
15 December 2017
Xiaomi is drawing a lot of questions after tests found a budget smartphone has been sending user data to a remote server in Singapore. Photo: Bloomberg

Xiaomi data leak fix raises more questions

A smartphone made by Xiaomi Inc. continues to send user data, this time to a remote server in Singapore, after the company said it had fixed the problem, Apple Daily reported Monday, citing its own investigation. 

A security check found that the RedMi 1S, a Xiaomi budget smartphone, was automatically sending private information every half hour to a Singapore server owned by Amazon.

The newspaper commissioned Sang Young, director and convenor of the Internet Security and Privacy Working Group at Internet Society Hong Kong, to conduct the check.

Last month, Xiaomi released an over-the-air fix after reports the RedMi 1S was sending user information, including phone numbers and short messages, to a remote server in Beijing.

Xiaomi said the upgrade had solved the problem.

Young said the information was encrypted and was between 893 bytes and 30 kilobytes — too big for normal transmissions, which means it could include text data such as a phone directory.

The Amazon server is a commercial cloud service that can be rented by anyone, the report said.

Renters can not only store data on it but also add programs. Some industry insiders said the server is convenient for those trying to hide their identities. The server has been used by hackers.

Xiaomi said all data transmitted to Singapore was only for updating information such as dates and weather and no private details were involved.

Still, some experts said leakage of private data cannot be ruled out, the report said.

Another test conducted by Nexusguard Consulting found the RedMi 1S would send daily user data to its designer’s server on an operating system made by a third party.

That means the transmissions were carried out on Xiaomi’s proprietary operating system, it said.

Meanwhile, App.mi.com, an app store owned by Xiaomi and pre-loaded on its smartphones, was also found to have been tampered with.

The app store contains popular free Android apps. A test by Nexusguard found usage information on those apps, such as WhatsApp, was sent to servers in the mainland.


TL/AC/RA
