Security firm shows Xiaomi smartphones secretly stealing your data
Update 2: Hugo Barra has now confirmed with us that the OTA update that will make MIUI's Cloud Messaging service opt-in will be available for all Xiaomi phones.
Update: Hugo Barra has now addressed F-Secure's findings, stating that the data being uploaded is part of MIUI's Cloud Messaging service. An update rolling out today will now make MIUI opt-in, and will no longer automatically activate for new users:
These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change.
After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.
Following allegations that Xiaomi phones may be silently uploading user details to a remote server, Finnish security firm F-Secure set out to investigate.
The firm has now published a blog detailing how a brand new Xiaomi RedMi 1S smartphone silently uploaded a users' phone number, the network being used, the phone's IMEI number, as well as the phone's entire list of contacts to a Xiaomi server.
The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:
- Inserted SIM card
- Connected to WiFi
- Allowed the GPS location service
- Added a new contact into the phonebook
- Send and received an SMS and MMS message
- Made and received a phone call
F-Secure said, "We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server."
The company then repeated the above steps but this time connecting to the Mi Cloud service. This time around the IMSI details (used to identify the user of a cellular network) were sent to api.account.xiaomi.com, as well as the IMEI and phone number.