NEW DELHI—Last week, the Indian Air Force issued an advisory to its personnel and their families to not use smartphones made by Chinese company Xiaomi Inc.
“It was not a dictate nor an order,” said wing commander Rochelle D’Silva, a public relations officer for the Indian Air Force, in an emailed statement.
When asked why the air force issued the warning, D’Silva said, “F-secure, [a] leading security company carried out a test on Xiaomi Redmi 1S, Xiaomi’s budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) plus numbers from the address book and text messages back to Beijing.”
F-Secure, a Finland-based security company, found that the information, besides being sent to servers in China, was being sent unencrypted, making it an easy target for hackers.
On Monday, Xiaomi issued a statement saying it plans to set up a data center in India by next year to move away from the Beijing data center and to complement the data centers in the U.S. and Singapore where the data is currently being moved.
Xiaomi also tried to regain public trust by making its cloud-based messaging service, which the company says was the problem, opt-in rather than opt-out, so users can choose whether their messaging data is sent at all.
F-Secure later acknowledged that after this update, the phones that had disabled the cloud messaging app did not seem to be sending any data to remote servers.
In a Facebook post, Xiaomi vice president Hugo Barra wrote, “We take rigorous precautions to ensure that all data is secured when uploaded to Xiaomi servers and is not stored beyond the time required.”
But many cyber security experts are still concerned that this hasn’t fixed the true problem.
Sending Data to China
According to Rishi Kant, CEO of Secure Vision Lab Pvt. Ltd, a cyber security company based in New Delhi, Xiaomi phones have a backdoor in their firmware that lets user data be sent to servers in Beijing, regardless of what software updates the user makes.
Kant explains that companies use backdoor applications to steal users’ information so they can use that data for research and development to expand their markets, or share that data with a government for espionage purposes.
Around the world, Chinese companies have frequently been accused of espionage, and the thought of a Chinese company, even if it is a private one like Xiaomi, having access to so much user data is not something that sits well with many users.
Recently The Hacker News reported that a Taiwanese security expert was able to hack the Xiaomi website and gain access to millions of Xiaomi user accounts the company is allegedly storing.
He was set to present his findings at the Ground Zero Summit, a hacker conference in New Delhi in November, but his presentation was suddenly pulled “till Xiaomi investigates the data breach and the accusations made by the researcher,” the organizer told The Hacker News.
The security expert contacted The Hacker News and showed them a sample of his findings, which the website posted in an image with the personal information blurred out.
Xiaomi claimed in a statement, obtained by The Hacker News, that the findings of the researcher are “a hoax” and said it will pursue legal action.
India Data Center
Kant is not confident that having a data center in India would help with security, as Xiaomi would still likely monitor it.
“There’s no guarantee data will not go to China because it is a distributor server and that means it’ll be linked with servers in China. In India we don’t have a system to monitor it all the time,” he said.
“They [the Indian government] can start a manual based [monitoring] system, but for how long will they monitor it this way?” said Kant, who says India does not have the capability to do it electronically right now.
“The company [Xiaomi] is using this to brand itself in the Indian market. Once they are established it cannot be monitored all the time,” Kant warned.
Xiaomi in recent months has faced many allegations of security leaks. The Taiwanese government is currently investigating Xiaomi phones to see if they are a security threat and is expected to make a decision next month.