F-Secure: Xiaomi sends personal information to server unsolicited

Xiaomi would forward data on its sold phones, including the phone number and contacts on the device, to its servers. The Finnish security company F-Secure claims this on Friday after its own investigation.

The security researchers at F-Secure bought a Xiaomi RedMi 1S and performed some tasks with it, without making any changes to the device beforehand. For example, they introduced a SIM card, connected the phone to Wi-Fi and allowed the GPS location service. They also created a new contact, sent SMS and MMS messages and made a phone call.

During the operations, the researchers monitored the traffic of the aircraft. It turned out that the RedMi 1S sent the provider’s name, imei number and phone number directly to a server of the Chinese phone manufacturer. According to F-Secure, the device also forwarded the phone number of contacts, which came from the phone book and text messages, to Xiaomi.

F-Secure performed similar assignments when the researchers logged into Mi Cloud, Xiaomi’s cloud storage service. The telephone number and imei number were also forwarded. The Chinese also got their hands on the unique imsi number, which is normally shared as little as possible to make eavesdropping more difficult.

In a privacy statement, the Chinese Xiaomi says that when someone starts up a device for the first time, it indeed sends unique device information. In this way, a backup can be restored later if necessary. However, the manufacturer does not release anything about telephone numbers of contacts that are forwarded.