Heimdal
article featured image

Contents:

Researchers warn that Xiaomi devices are vulnerable to over 20 critical issues affecting applications and system components.

Security specialists notified the vendor regarding the flaws at the end of April 2023. For the moment, Xiaomi didn’t manage to fix all of them.

What are the vulnerable Xiaomi apps?

The Xiaomi vulnerabilities impact applications that common users access every day. Scrolling through photos, watching a video, or connecting to another device through Bluetooth can compromise the user’s data. According to TheHackerNews, the list of flawed apps on Xiaomi devices includes:

  • Gallery (com.miui.gallery)
  • GetApps (com.xiaomi.mipicks)
  • Mi Video (com.miui.videoplayer)
  • MIUI Bluetooth (com.xiaomi.bluetooth)
  • Phone Services (com.android.phone)
  • Print Spooler (com.android.printspooler)
  • Security (com.miui.securitycenter)
  • Security Core Component (com.miui.securitycore)
  • Settings (com.android.settings)
  • ShareMe (com.xiaomi.midrop)
  • System Tracing (com.android.traceur), and
  • Xiaomi Cloud (com.miui.cloudservice)

What risks do Xiaomi vulnerabilities pose

Researchers warn that four of the Xiaomi vulnerabilities reside in the Settings apps. This enables hackers to:

  • bind services to any app
  • read Wi-Fi and Bluetooth data
  • access system files
  • see Xiaomi account details, including phone numbers

Another set of four flaws impacts GetApps, Xiaomi’s App Store-like service. Hackers exploiting them would lead to memory corruption and exposing Xiaomi session tokens, for example.

Althoug researchers reported the memory corruption issue in April 2023, the developer didn’t yet release a patch.

This vulnerability comes from the LiveEventBus library. We informed the developer more than a year ago, but apparently, they still haven’t read our message and have not released any updates to the library.

Source – Researchers’ Report

However, Xiaomi did patch some of the reported vulnerabilities, so users should update their devices to latest versions as soon as possible.

Safety concerns in Xiaomi devices

During the past years, security researchers raised a series of security concerns regarding Xiaomi devices.

Here’s a brief timeline:

2014 – Security researchers reported that Xiaomi smartphones were sending user data, like phone numbers and text messages, to remote servers in China. Xiaomi updated its software so users could opt out of data collection.

2016 – A mobile security company revealed that pre-installed apps on Xiaomi devices could introduce security vulnerabilities.

2018 – Researchers showed that Xiaomi’s browsers collected data about users’ website visits. Using the browsers in “incognito” mode did not guarantee users’ privacy. Xiaomi released an update to its browsers to let users disable data aggregation in incognito mode.

2020 – Forbes revealed that Xiaomi was collecting data on its users, including detailed browser and phone usage data. The data ended up on servers in Russia and Singapore. Xiaomi claimed anonymizing the data.

2021 – The Lithuanian government advised its citizens to avoid using Xiaomi phones. Why? Because of the censorship capabilities embedded in the MIUI operating system.

2021 – In January, the U.S. Department of Defense under the Trump administration added Xiaomi to a military blacklist, as it associated with the Chinese military. They didn’t ban Xiaomi but prohibited American investors from purchasing or holding the company’s securities.

In May 2021, Xiaomi was removed from this blacklist.

2023 – Edinburgh and Dublin researchers proved that Xiaomi devices were sending large amounts of Personally Identifiable Information (PII) to the device vendor and service providers like Baidu and Chinese mobile network operators.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE