The news was reported by Gabi Cirlig, a Romanian cybersecurity researcher who owns a Xiaomi smartphone, the Redmi Note 8. He told Forbes how his navigation data, his files and his photos were reportedly collected and then sent to Alibaba servers rented by the Chinese smartphone maker.
Navigation data, but not only
Xiaomi is on the rise. The Chinese company plans to invest $7 billion in IoT, 5G and AI to continue to develop … However, a cybersecurity researcher could halt the company's frenzied development. Gabi Cirlig believes that a large amount of data was collected without his knowledge. Xiaomi’s browser, installed by default on his smartphone, recorded all the websites visited, as well as the queries entered in the search engine.
He then checked whether this data leak also occurred with the Google and DuckDuckGo search engines. The answer is yes. Note that the tracking was effective even with private mode activated. Not only the navigation data is collected, but also all the tasks performed on the smartphone, outside the Internet. The problem would therefore come not from the Xiaomi search engine but directly from the manufacturer’s smartphone. The data is reportedly sent to servers based in Singapore or Russia, despite the domains being based in Beijing.
Xiaomi, fourth seller of smartphones in the world
Andrew Tierney, another cybersecurity researcher, decided to investigate following this first discovery. He made the same observation as his Romanian counterpart. Xiaomi, the fourth largest smartphone seller in the world behind Apple, Samsung and Huawei, reportedly does not respect the privacy of its users. The price of smartphones from this Chinese giant is lower than that of its competitors, even though the devices' features are almost the same. A low cost for Xiaomi owners, which could come with another price to pay: the protection of their privacy.
After a security flaw was revealed on the Chinese manufacturer's M365 scooters, Xiaomi smartphones could therefore also be a sensitive point. Although the problem was raised for the Redmi Note 8 model, the researchers think this flaw could also be found on many other smartphones from the manufacturer, in particular the Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3. Gabi Cirlig confirmed that they all had the same browser code as the Redmi Note 8, a sign that these smartphones might have the same privacy issues.
The transferred data is also reportedly not encrypted
Another problem: although Xiaomi claims that the data transferred to its servers is encrypted, Gabi Cirlig quickly succeeded in proving the contrary. It only took seconds to transform scrambled data into readable information. He points out: “My main privacy concern is that the data sent to Xiaomi’s servers can be very easily read, despite what the company says”.
Xiaomi has responded to these accusations. A spokesperson says: “The claims that emerge from this investigation are false. Privacy and security are our two main concerns. We strictly follow local laws and regulations on user data privacy issues”. The company nevertheless acknowledged that some information was indeed collected, in particular the navigation data: anonymous data not linked to an identity. Xiaomi says its users have consented to this tracking.