[TheRecord] Lithuanian government warns about secret censorship features in Xiaomi phones

The Lithuanian Defense Ministry published a security audit on Wednesday for three popular 5G smartphone models manufactured in China, recommending that citizens avoid or stop using at least two of the three devices, citing privacy infringements and secret censorship capabilities.

The 5G smartphone models selected for the audit included:

OnePlus 8T 5G
Huawei P40 5G
Xiaomi Mi 10T 5G

Margiris Abukevičius, Deputy Minister of National Defense, said the phones were selected because they had been previously identified “by the international community as posing certain cyber security risks.”

While the government audit, which is available for download from the ministry’s website [PDF], did not find any issues with the OnePlus 8T 5G, several problems were identified with the other two models.

Xiaomi: Censorship module, surreptitious data collection

The most problems were found in the Xiaomi Mi 10T, where officials said they uncovered a secret censorship module that could detect and censor 449 keywords or groups of keywords in both Chinese and Latin characters related to sensitive topics inside China, such as “Free Tibet,” “Voice of America,” “Democratic Movement,” “Longing Taiwan Independence,” and others.

Officials said this module was disabled inside Lithuania and the EU region, but they also found a function that could have allowed Xiaomi to silently enable the censorship module at any given time without the user’s knowledge.

In addition, officials said they found a second issue impacting Xiaomi phones, which sent an encrypted SMS message to Xiaomi servers whenever the owner chose to use the Xiaomi Cloud service.

“Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent,” Dr. Tautvydas Bakšys, one of the report’s authors, said on Wednesday.

After the SMS was sent, the message was also hidden from the device owner, another action which Lithuanian authorities saw as a sign of alarm.

Furthermore, officials said they found that the Xiaomi phone collected up to 61 data points about the device and its owner via the Mi Browser app, information it sent to a Google Analytics account and to Chinese servers.

Xiaomi did not return a request for comment sent by The Record seeking answers to the Lithuanian government’s report.

The same audit also found an issue with the Huawei P40 5G model, which officials said would often redirect users seeking various apps to malicious alternatives.

The post Lithuanian government warns about secret censorship features in Xiaomi phones appeared first on The Record by Recorded Future.
