Following allegations that Xiaomi phones may be silently uploading user details to a remote server, Finnish security firm F-Secure set out to investigate.
The firm has now published a blog detailing how a brand new Xiaomi RedMi 1S smartphone silently uploaded a users' phone number, the network being used, the phone's IMEI number, as well as the phone's entire list of contacts to a Xiaomi server.
The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:
- Inserted SIM card
- Connected to WiFi
- Allowed the GPS location service
- Added a new contact into the phonebook
- Send and received an SMS and MMS message
- Made and received a phone call
F-Secure said, "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server."
The company then repeated the above steps but this time connecting to the Mi Cloud service. This time around the IMSI details (used to identify the user of a cellular network) were sent to api.account.xiaomi.com, as well as the IMEI and phone number.