Lithuania’s Defense Ministry’s National Cyber Security Centre released a report this week discussing three smartphones. These devices were produced by OnePlus, Xiaomi, and Huawei. Each of these brands were included in the study due to their home base (China), and the fact that they’re selling phones in Lithuania. The results are of global importance, since we’re also talking about brands that sell smartphones around the world.
The Huawei smartphone in the study released this week was the Huawei P40 5G, and the OnePlus device was the OnePlus 8T 5G. Analyzation of the Huawei device found that the device’s official App Store had a security vulnerability in dealing with automatic redirection to a 3rd-party email system. The study found “no cyber security vulnerabilities” on the OnePlus device.
The Xiaomi device had some serious potential for not only security issues, but censorship through capture and transmission of “up to 61 parameters about the user’s actions on the phone.” In the Xiaomi Mi Browser (web browsing app on the phone in this analysis), a “Sensor Data API” tracked the following parameters (and more):
• Cookie Status,
• Search Optimization Switch
• Subscription
• User Tab Games
• User Tab News, User Newsfeed, First Enter NewsFeed Way
• Enhanced Incognito Switch, User Incognito Mode
• Personal Service Switch
• Clear History Switch
• Feature Report Switch
• History Sync
• Bookmark Sync
• No Track Switch
• Autocomplete Switch
• Browser Install Referrer
• APK Name
• EID
• Miui Region
• Log Mi Account
• Platform
• Experience Improve
• Feed Default Channel
• APP Boot, App Boot Third Party, First AppStart, First AppStart Third Party
• Protection Type
• Browser Ads
• Personalized Services, Miui Personalized
• Adblock Show Notification, Adblock Switch
• User Login, Facebook Notification, YouTube Signin
• User Click Interest
• User Push Agree
• User Checkbox 4G
• User Desktop Mode
• User Data Save Mode
• User Night Mode, User Dark Mode
• User Download Videos
• Icon Reddot Status
• Language Browser
• Log Mi Account
Analysis suggested that the Xiaomi device had the technical capability to “censor the content downloaded to it.” A list of keywords and phrases appear in the phone in a list in Chinese characters. Some examples of keywords and phrases included in the list (translated here to English):
• 89 Democracy Movement
• Islamic League
• Front of Religious Believers
• Free Tibet
• Women’s Committee
• Voice of America
• Palestine Liberation Organization
• People’s News
• Christian Charismatic Mission
This study showed data being sent to China from built-in apps like Security, Mi Browser, Cleaner, MIUI Package Installer, Themes, Music, and Downloads with “MiAdBlacklistConfig.”
“We found that the content filtering function was disabled on Xiaomi phones sold in Lithuania and did not perform content censorship, but the lists were sent periodically. The device has the technical capability to activate this filtering function remotely at any minute without the user’s knowledge and to start analyzing the downloaded content,” said Dr. Tautvydas Bakšys, researcher at the National Cyber Security Center at the Lithuanian Ministry of National Defence. “We do not rule out the possibility that the list of blocked words could be compiled not only in Chinese but also in Latin characters.”
Comments / 0