(IAF) had issued an advisory asking its personnel and their families not to use Xiaomi smartphones on account of ‘spying’.
In an alert issued to air warriors and their family members, the IAF has claimed that smartphones and notebooks manufactured by Xiaomi have been found to send users’ private data from these devices to servers based in Beijing.
IAF asks personnel not to use Xiaomi phones
IAF personnel and their families have been asked to desist from using Chinese ‘Xiaomi Redmi 1s’ phones as these are believed to be transferring data to their servers in China and could be a security risk.
These messages, circulating widely online, state that the IAF (Indian Air Force) has warned its personnel and their family members not to use Chinese Xiaomi smartphones, as they are believed to be transferring data to the company's headquarters servers in Beijing, China, and could be a security risk. Let us analyze the origin and authenticity of these claims.
Origin of Claim & Concerns
According to a report published in The Sunday Standard (newindianexpress.com) on 19th Oct 2014, the IAF issued the aforementioned advisory based on information obtained from the Indian Computer Response Team (CERT-In), which also confirmed that Xiaomi phones send data back to China. The report raised concerns that vital defense information could be sent out of the country, compromising the country’s security.
The IAF also mentioned security concerns raised by security application manufacturer F-Secure, which examined the Xiaomi Redmi 1S and reported that all data from the phones is sent to servers in China. The report, published on 7 August 2014, suggested that details such as the customer's name, phone number, phone numbers in the address book, carrier name and IMEI number (the device identifier) are sent to a suspicious IP address in Beijing.
In response to the reports circulating online, Xiaomi released a statement saying that its smartphones are safe and that the Indian Air Force had issued its notice based on a two-month-old report by F-Secure.
After F-Secure raised privacy concerns over Xiaomi smartphone use, Xiaomi’s vice president, Hugo Barra, mentioned in a G+ blog post on 10 August 2014 that an article in Taiwan and a related report by F-Secure had raised privacy concerns about Xiaomi devices sending phone numbers to Xiaomi’s servers. He explained that the concerns refer to MIUI Cloud Messaging, a free service that Xiaomi offers as part of its MIUI operating system. Following the security concerns raised, he said, the company decided to make MIUI Cloud Messaging an opt-in service that is no longer activated automatically for users. After the software upgrade on 10 Aug. 2014 implementing the change, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app. Notably, Hugo Barra also apologized for any concern caused to users.
Migrating Services and Data
On 22 October 2014, Hugo Barra posted Xiaomi’s decision to move its data centers and servers outside of China to improve the performance of its services and allow better protection. Xiaomi has partnered with Amazon Web Services for this, and the process is expected to be completed by the end of 2014. Moreover, to address Indian consumers’ fears over the security of their data, the company said it plans to launch a local data centre in India in 2015 to serve the needs of Indian customers.
F-Secure Tests Again
Following the software patch from Xiaomi, on 14 August 2014 F-Secure published another, extended test, conducted with the MIUI app kept off by default, in which they did not see any data being sent out from the phone. However, after activating the cloud messaging function and logging into Mi Cloud, they saw base-64 encoded traffic being sent to https://api.account.xiaomi.com.
On 9 October 2014, The China Post (chinapost.com.tw) published an article according to which the National Communications Commission (NCC, China) has reported that Xiaomi smartphones might be sending personal data to a Chinese server without user consent. According to the NCC, Xiaomi phones provide a free service that automatically downloads anti-virus software from a Chinese server, which scans the device and sends the result and data back to the server. The NCC said that Xiaomi does not explicitly tell its customers about this operation, so it constitutes an information security breach.
The NCC said that they will continue testing the Xiaomi phones and will send the results to the public as well as to Xiaomi Corp. so that the test results can be verified.
Hoax or Fact:
Mixture of hoax and facts.
Indian Air Force Issues Security Warning; Xiaomi Clears the Air
Xiaomi Smartphones Might Be Sending Personal Data to Chinese Servers without User Consent
Xiaomi to set up data centre to address security concerns