SECURITY FIRM SHOWS XIAOMI SMARTPHONES SECRETLY STEALING CUSTOMER'S PHONE CONTACT LIST

Following allegations that Xiaomi phones may be silently uploading user details to a remote server, Finnish security firm F-Secure set out to investigate.

The firm has now published a blog detailing how a brand new Xiaomi RedMi 1S smartphone silently uploaded a users' phone number, the network being used, the phone's IMEI number, as well as the phone's entire list of contacts to a Xiaomi server.

The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

  1. Inserted SIM card
  2. Connected to WiFi
  3. Allowed the GPS location service
  4. Added a new contact into the phonebook
  5. Send and received an SMS and MMS message
  6. Made and received a phone call

F-Secure said, "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server."

The company then repeated the above steps but this time connecting to the Mi Cloud service. This time around the IMSI details (used to identify the user of a cellular network) were sent to api.account.xiaomi.com, as well as the IMEI and phone number.

This evidence seems contrary to Xiaomi Vice President Hugo Barra's claims when he addressed Xiaomi security concerns in a Google+ post last week, stating "Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users."

Source: 

Filed Under: 

Tags: 

Advertisement

Your Views