The Lithuanian National Cybersecurity Center claims to have found evidence of a feature in Xiaomi phones that recognizes and blocks terms such as “liberate Tibet” and “long live Taiwanese independence.” The system is reportedly disabled in Europe.
The Lithuanian National Cyber Security Center (NKSC) says it examined the Xiaomi Mi 10T 5G and found three security risks in it. One of those risks concerns the ability to censor content. Certain apps, including the Mi Browser, reportedly download a list of blocked terms at regular intervals. If a user were to “send content with such a banned word, the device will block that content.”
Presumably the NKSC means that if users search for terms such as ‘liberate Tibet’, for example, the browser would block the search. The list reportedly contains 449 terms at present, such as “Democratic Movement” and “Voice of America.” This content filtering feature is disabled on Xiaomi phones sold in Lithuania. At the same time, Xiaomi reportedly has the technical ability to enable the function remotely without the user’s knowledge. The list currently consists of Chinese terms, although according to the NKSC it could just as well contain terms in Latin script.
The other two security risks reportedly involve the leaking of personal data. For example, the Mi Browser reportedly uses not only Google Analytics but also the Chinese Sensor Data. Sensor Data reportedly sends data about a user’s actions on the phone in 61 parameters.
According to the NKSC, this is redundant information that is sent over encrypted channels to Xiaomi servers in countries ‘where the GDPR is not active’. The second privacy risk relates to a text message that the smartphone sends when a user wants to use the Xiaomi Cloud service. NKSC researchers were unable to read this message, which, according to the NKSC, poses a privacy risk because it is not clear what data the smartphone sends.
The NKSC also examined the Huawei P40 5G and says the app store of this smartphone sends users to third-party app stores that contain malware programs that masquerade as antivirus apps. Finally, the center also examined the OnePlus 8T 5G, but says it has not found any security risks.
The center says it selected these three phones because they are 5G smartphones that have been on sale in Lithuania since last year and because the international cybersecurity community has labeled them high-risk. Based on the NKSC report, the Lithuanian Defense Minister advises consumers to throw away Chinese smartphones and not to buy them anymore, Reuters writes. Xiaomi has not yet responded to the report, according to the news agency. Huawei reportedly said that its smartphones do not send user data to external servers.
Update, Monday 27-9: Xiaomi says it will hire an outside agency to investigate the alleged censorship function.