[Slashdot] - Xiaomi Found Recording 'Private' Web and Phone Use, Researchers Claim

[Admin]

According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi. From the report: The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode. The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested. In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymized and users had consented to it. Cirlig and Tierney pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version," reports Forbes. "Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen.'" The researchers also say they found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi," adding that that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies."

Read more of this story at Slashdot.

View the full article