Last week, the Indian Air Force issued a circular in which it categorically warned against the use of Xiaomi smartphones, citing security concerns. This is the first time a defence establishment in India has issued such a warning against the use of a smartphone.
Fans of Xiaomi phones defended the company, stating that Xiaomi is not a threat to national security at all and that the reports are baseless.
Around the same time, news broke that Xiaomi has grown 211% in the last 24 months and has quickly become the third-biggest mobile phone company after Samsung and Apple. Xiaomi’s Global VP, Hugo Barra, even assured us that they will be launching their own data center in India by 2015 to safeguard their users’ data and information.
But, as reports come in from all over the world, it seems that Xiaomi’s security issues are snowballing into a major problem. Investigations against Xiaomi are currently under way in Singapore and Taiwan, besides India, and the issue is refusing to go away.
It is not just the Indian market that is complaining: the same issue is surfacing in other markets as well.
Taiwanese security researcher Chen Huang, while testing Xiaomi’s servers and security measures, stumbled upon a database of thousands of Xiaomi customers, which cements the fact that Xiaomi Mi account holders are at risk. According to the researcher, he found a zero-day vulnerability in Xiaomi’s website through which he was able to access the database of Mi account holders.
Xiaomi provides a unique Mi account to all of its users, through which they can access services such as Mi Cloud, Mi Talk, MIUI Forum, Mi Market and other Xiaomi services. Users’ email addresses, login details, mobile numbers and other data are stored in the Mi account database. If Chen Huang’s research is correct, then anyone with this database could use any Xiaomi user’s mobile phone, even make calls from it, and effectively do anything.
Chen Huang was scheduled to present his research, titled “Privacy-Alert: Exposing China-based XIAOMI Mobiles”, at Asia’s biggest hackers’ conference, Ground Zero Summit (G0S) 2014 in New Delhi, later this month.
According to the conference website: “In this session Taiwanese Researcher will demonstrate how Xiaomi Phones have been sending device data and personal data of Xiaomi Phone users to Chinese Servers. The Researcher will also release Server Logs, Mi Account usernames, Emails and passwords of millions of Xiaomi users which have been obtained using a Zero Day flaw in the Xiaomi Servers.”
But now Chen’s presentation has been pulled, as the organizers are waiting for Xiaomi to respond to these allegations.
The Taiwanese government has been conducting an investigation into Xiaomi over these security issues since August this year, and according to some reports Xiaomi phones have even been banned in Taiwan, though this has not yet been confirmed. A few months back, the Taiwanese government also fined Xiaomi $20,000 for showing misleading numbers during a flash sale.
A user in Singapore complained that ever since he bought a Xiaomi mobile he has been receiving unsolicited telemarketing calls from outside the country. His complaint prompted Singapore’s Personal Data Protection Commission to launch an investigation into the company.
According to the complaint lodged, the user discovered that his Xiaomi phone was automatically connecting to a server based in Beijing, and that a tremendous amount of data was flowing out without his approval or consent.
According to legal experts in Singapore, the government takes data security and protection very seriously, and if the charges are confirmed Xiaomi may have to pay a hefty fine to get out of the legal trouble. According to some sources, not only could Xiaomi be banned from the country and forced to destroy all the data it has collected, it may also be liable for a fine of up to $1 million.
The advisory issued by the Indian Air Force mentions this investigation by the Singapore government.
Some unconfirmed reports also state that similar investigations will shortly be launched against Xiaomi in Vietnam as well.
The basis of these complaints and investigations is the fact that almost every telecom and Internet company in China is semi-controlled by the government, and under their agreements the companies are obliged to share their data and information with the government.
We will keep you updated as more details come in.