Security audit highlights Huawei and Xiaomi | Software modules included to disclose data to Chinese authorities



A security audit covering Huawei’s P40 5G, OnePlus’ 8T 5G, and Xiaomi’s Mi 10T 5G revealed problems with some of these smartphone brands. Only OnePlus passed without raising red flags.

NCSC security assessment on three smartphones made in China

A recent security assessment produced by the Lithuanian National Cyber Security Center (NCSC) covered three of the latest smartphones made in China. The Xiaomi phone was found to include software modules designed to disclose certain data to Chinese authorities.

It was also allegedly designed to censor certain media linked to subjects considered sensitive by the Chinese government. According to the NCSC, Huawei replaced the standard Google Play app store with a third-party substitute that turned out to offer sketchy and potentially malicious repackaged versions of some common apps. There has also been a 100% increase in cybercrime activity in Telegram.

OnePlus passes while Xiaomi raises red flags

The OnePlus 8T 5G came through without raising a red flag with the NCSC. The Xiaomi Mi 10T 5G comes with its own non-standard browser, known as the Mi Browser. The Mi Browser was found to have two components that the NCSC did not like: Google Analytics, and a less familiar module known as Sensor Data.

According to a story by Ars Technica, the Google Analytics module inside the Mi Browser can read the device’s search and browsing history and send the data to Xiaomi servers for unspecified analysis and use. The Google Analytics module would be automatically updated after any factory reset or the first activation of the phone.

NCSC on Singapore

The NCSC reportedly discovered that the Sensor Data module collects statistics on 61 different parameters related to application activity. This includes the activation of the application, the language used, etc. The statistics are encrypted and sent to Xiaomi servers in Singapore.

This is a country that the NCSC says is not really covered by the EU’s GDPR and has also been directly linked to excessive data collection, as well as the abuse of user privacy, according to an Android Authority article.


Encrypted SMS sent upon activation

The NCSC reportedly found that mobile phone numbers were even registered on servers in Singapore via encrypted SMS messages sent upon activation, as part of a default Xiaomi cloud service. The encrypted SMS is not visible to the user either. For those who have forgotten their crypto wallets, a duo of father and son hackers are on a quest to help owners recover their lost assets.

There are a number of Xiaomi system apps on the Xiaomi Mi 10T 5G that regularly download a file called MiAdBlackListConfig from servers in Singapore. The NCSC found 449 records in the file identifying political, religious and even social groups.

Some software classes in Xiaomi apps even use MiAdBlackListConfig to analyze certain multimedia that might be displayed on the device. They then block the content if “unwanted” keywords are associated with it.


This article is the property of Tech Times

Written by Urian B.

2021 All rights reserved. Do not reproduce without permission.

