Lithuania’s Deputy Defense Minister Margiris Abukevicius has recommended that consumers “do not buy new Chinese cell phones”. Users should also try to “get rid of” smartphones from China that they have already purchased as quickly as possible. According to agency reports, the government official made these remarks on Tuesday, when the Lithuanian cybersecurity agency presented an analysis of three 5G phones from Chinese manufacturers: the Huawei P40, the Xiaomi Mi 10T and the OnePlus 8T.

According to Abukevicius, the national cybersecurity center carried out the investigation “to ensure the safe use of 5G devices and software in Lithuania”. The smartphones selected were therefore models available in the country that had been assessed “by the international community as somewhat risky”.

Vulnerabilities in Xiaomi and Huawei

During the inspection, the experts found “four major cybersecurity threats”, writes the Ministry of Defense. Two concerned preinstalled apps, one concerned data protection and one concerned “a possible violation of the principle of freedom of speech”. Three of the weaknesses and problems were discovered in the Xiaomi phone, and one vulnerability affected Huawei. The analysts did not find anything on the OnePlus device.

With the Huawei P40, the testers criticize the fact that AppGallery, the official app store installed by the manufacturer, automatically redirects users to third-party online stores if they do not find what they are looking for. An antivirus scanner flagged some of the apps offered there, while others were identified as “infected”.

Censorship inside

When testing the Xiaomi device, the experts said they discovered a technical function that could censor downloaded content. Several apps on the smartphone, including the preinstalled Mi Browser, regularly download a list of forbidden keywords from the manufacturer. If content that the user downloads contains terms from this list, it is automatically blocked.

According to the report, the list is said to have included 449 keywords and combinations in Chinese characters at the time of the investigation. These included “Freedom for Tibet”, “America’s Voice”, “Democracy Movement” and “Long Live Democratic Taiwan”.

Filter function deactivated in Lithuania

“We found that the content filtering function in the Xiaomi cell phones shipped to Lithuania is disabled and not censored,” said Tautvydas Bakšys, head of the cybersecurity center’s innovation department. The lists nevertheless continue to be updated regularly, he said. The device is “technically able to activate the function at any time remotely and without the permission of the user and to begin censoring the downloaded content.” It cannot be ruled out that the list of forbidden keywords could also be compiled in Latin letters.

According to the analysis, activating the cloud storage service on the Mi 10T also requires sending an encrypted SMS for registration, which is not stored on the device. The investigators are not able to “read the encrypted message and verify its content,” complained Bakšys. The automated transmission of messages and the concealment of their content by the manufacturer represent a potential security threat, he said, “as they enable the collection and transfer of non-identifiable personal data to servers in third countries”.

The experts were also bothered by the fact that the Mi Browser uses sensor data for tracking in addition to Google Analytics. According to the analysis, this collects information on 61 functions relating to user activity on the device, which in turn regularly phones home. Bakšys assumes that the data collection is “excessive”. There is also a risk that the extensive statistical data is in turn sent via an encrypted channel to Xiaomi servers in third countries, “which do not adhere to the General Data Protection Regulation”.

(axk)