Are Xiaomi, Huawei And OnePlus A Security Risk?

Prologue: Lithuania urges people to throw away Chinese Phone!

Our Finding:

Few of the major Chinese Mobile Phone manufacturers, whose phones are being sold in Indian market: Xiaomi is the largest Chinese Mobile Brand in India, headquartered in China and has factories in India (TN, Andhra Pradesh, UP) commanding roughly 30% of market share. Oppo, OnePlus, Realme, Vivo having headquarter in China registered as BBQ Electronics & having a manufacturing facility in Uttar Pradesh. Huawei headquartered in China having a manufacturing facility in Tamil Naidu through Flex Industries.

With the above illustration close to 68% of Mobile phones sold in India are having Chinese roots. It’s being proclaimed that though they are China headquartered but are being manufactured in India & we should purchase the Make in India Products. These handsets sets are very pocket friendly for all segments of the population. However, we have been ignoring very serious & alarming aspect which is directly related to Cyber Terrorism, Frauds & shall ultimately lead to Cyber Warfare. More importantly with 5G is about to be launched this issue is going to be far more serious.

How do these Chinese Phone works: As per the recent research done in Lithuania lets have a look how these model works in terms of how they communicate with their HQ & what sort of data they transmit. This shall give a fair amount of idea how serious it is!

Decomposition analysis performed on mobile devices manufactured by Huawei, Xiaomi and

OnePlus identified 10 instances of increased cybersecurity risk. This cybersecurity assessment analyses 4 cybersecurity risks related to the general security of factory-installed applications in the devices, threats of leakage of personal data, and restrictions on freedom of expression. It is planned to describe in detail the other cybersecurity risks identified in this comprehensive study, and to present the assessment of such risks by the end of 2021. This analysis examines issues related to the security of personal data.

Xiaomi Backend Network Infra & Communication

Analysis of decompiled software and data flows showed that Mi Browser uses two data

collection modules: Google Analytics and Sensors Data. Sensors Data is a platform of Chinese origin, in functionality close to Google Analytics. According to the Sensors Data company, it has more than1,500 customers, including some of the largest corporations in  the People’s Republic of China, such as China Telecom, Baidu, CYTS, Sichuan Airlines, etc.

Google Analytics is an analytics platform for programmers or administrators to access

information allowing them to evaluate the use of applications in the iOS, Android or web

environments. Google Analytics automatically generates an event log allowing evaluation of the performance of an application. It is worth noting that developers have the technical ability to select the parameters to be analysed, and to set the depth of the analysis of such parameters.

It was found that this module can collect data about user browsing, clicks, etc., and send

information for possible analysis to Google servers. It should be noted that these modules are

activated at the time of initial switching-on of the device, upon consent to participate in the Xiaomi User Experience programme. The Default MI Browser collects 61 parameters through the installed sensors in the handset

The decrypted content of data sent by Xiaomi’s phone to Sensors Data servers

located in Singapore. Data sent for analysis: application version, application name, current region, device manufacturer, etc.

Sensors Data was found to be sent to the address https://sa.api.intl.miui.com. provides information that characterises the analytical data transmitted over the network to servers located in Singapore. The collected statistics are sent through an encrypted channel to Xiaomi servers in Singapore, which is a country not covered by the General Data Protection Regulation. Potentially excessive collection and use of analytical data can be said to pose a threat to the privacy of personal data.

Information characterizing the analytical data transmitted by the Xiaomi device through the network to Google Analytics servers.

Based on the findings, it can be said that Xiaomi collects a relatively large amount of

information about the processes running on the device, the behaviour of installed software packages, the actions performed by users and the configuration parameters of applications. Two analytics systems, Sensors Data and Google Analytics, are used to implement this process. An overview of sources found that Xiaomi devices collect a wider range of data compared to other manufacturers of mobile devices. Potentially excessive collection and use of analytical data can be said to pose a threat to the privacy of personal data. This could be one of the reason, why lately so many Chinese Loan Fraud Apps have been mushrooming.

On Xiaomi devices, to connect to the cloud, it is necessary to register a SIM card. Sent

messages are not displayed on the phone. The risk of leakage of user data. It has been established that the registration of a telephone number is carried out regardless of how

the user chooses to be authenticated, either by phone number or by e-mail address. It is important to note that the sent encrypted SMS message and its addressee are not visible to the user. At the time of the analysis, after disabling the functionality of the Xiaomi Cloud service, the sending of messages was not observed. It is important to note that if the SIM card is not installed on the device at the time of registration, the registration process is terminated and the device displays an error message.

Before the device sends the phone number registration SMS message, the device contacts the general server located in Singapore, the address of which is api.account.xiaomi.com (IP address:161.117.97.141).

Conclusion: It’s a serious food for thought, if we must use these sorts of handsets, with so much on stakes? Concerned competent authorities must take this into account, while giving them the license.

In next article, we shall try to decipher, how Huawei Phones work.

Content Credit : https://bit.ly/2XWChsq

Case Study by: RED Team of Armantec, led by Shamsher Bahadur – Cyber Security Practice Head.

This Article has been Submitted by Armantec Systems Pvt Ltd (www.armantecsystems.com), a Noida Based Threat Intelligence & RED Teaming Consulting Firm, with the prime focus on custom Ransomware Attacks Solution for Critical Information Infrastructures (CIIs).