Xiaomi Security issues.

zelendel

Senior Member
Aug 11, 2008
23,360
20,609
OnePlus 6T
OnePlus 9
Xiaomi Security issues.
Xiaomi firmware has multiple backdoors

So I've basically got myself in this sh*t because of lack of care.. Until it pop'd and hit the highlights.

And now straight to the point. It doesn't f*ckin matter if you had a fw or not, as the backdoors are embedded in ROOT system processes.
And those were obviously white-listed as i didn't think of a nasty Chinese guy sitting in it calling back home. My friend who got the same phone found the article as i was having my vacation for a bit, so when i found out i did a bit of research of course on my device. After finding all this i e-mail'd him it and he posted it on the Xiaomi European forums. Guess what happened, it got deleted. So they know damn good what they're doing.

Quote:
When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.
Quote:
Originally Posted by OP

Music app(?) connects to:
202.173.255.152
2012-12-01 lrc.aspxp.net
2012-12-01 lrc.feiyes.net
2012-12-01 w.w.w.616hk.com
2012-12-01 w.w.w.hk238.com
2012-12-01 w.w.w.lrc123.com

123.125.114.145
2013-11-27 tinglog.baidu.com
1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com

Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.


Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/

Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
42.62.48.207
VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
2014-04-28 app.migc.wali.com
2014-07-12 app.migc.xiaomi.com
2014-05-30 gamevip.wali.com
2014-05-30 log.wlimg.cn
2014-04-21 mitunes.game.xiaomi.com
2014-04-30 oss.wali.com
2014-05-17 p.tongji.wali.com
2014-07-13 policy.app.xiaomi.com

Latest detected URLs
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
1/53 2014-07-02 12:49:59 hxxp://oss.wali.com

Messages(Mms.apk) connects to (it literally calls back home)
54.179.146.166
2014-08-12 api.account.xiaomi.com
2014-07-26 w.w.w.asani.com.pk

What does it do? It sends the phone numbers you call, send messages to, add, etc. to a Resin/4.0.13 Java application running on an nginx web server to collect data. Checkpackages, an embedded system process/app, posts all installed apps to a Tengine (a/k/a nginx) web server CMS.

URL: hxxp://api.account.xiaomi.com:81/pass/v3
Server: sgpaws-ac-web01.mias
Software: Tengine/2.0.1 | Resin/4.0.13

URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
Server: lg-g-com-ngx02.bj
Software: Tengine | Resin

Bottom line
They don't give a single damn about your data.. All sent in plain text.

For messages APK (Mms.apk)
I don't believe it needs those permissions for normal functionality, this is only for the extra feature, let's call it a bug.

android.permission.SEND_SMS_NO_CONFIRMATION
android.permission.GET_ACCOUNTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.INTERNET
miui.permission.SHELL
android.permission.GET_TASKS
android.permission.CAMERA


Some code ... i also attached java classes and smali dalvik jvm bytecode..

Code:



RELATED
http://apkscan.nviso.be/report/show/...0b623da712918f
http://lists.clean-mx.com/pipermail/...14/072661.html

OTHER SOURCES
http://www.newmobilelife.com/2014/08...-china-server/
http://www.htcmania.com/showthread.php?p=14730859


Main post and more info. All credits go to the OP

http://xdaforums.com/gene...oords-t2847069
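
As an added example (not part of the original post or thread), one way to check the plain-text claim above on a capture taken from your own device and network: flag unencrypted HTTP requests to the domains named in the post whose query or body carries phone-number-like or package-name-like values. The capture records, the parameter names `phone` and `packages`, and the sample number are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Domain suffixes taken from the hosts named in the post; subdomains match too.
WATCHED_SUFFIXES = ("xiaomi.com", "wali.com")

# Loose heuristics (assumptions of this example, expect false positives):
# a run of 8-15 digits with optional "+", and a dotted Android package name.
PHONE_RE = re.compile(r"(?<!\d)\+?\d{8,15}(?!\d)")
PACKAGE_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}\b")

# Constructed capture records: (method, url, body). Parameter names are hypothetical.
CAPTURE = [
    ("POST", "http://api.account.xiaomi.com:81/pass/v3", "phone=%2B15555550100"),
    ("POST", "http://policy.app.xiaomi.com:8080/cms/interface/v1/checkpackages.php",
     "packages=com.android.mms%2Ccom.example.notes"),
    ("POST", "https://api.account.xiaomi.com/pass/v3", "phone=%2B15555550100"),
    ("GET", "http://example.org/index.html?id=15555550100", ""),
    ("GET", "http://policy.app.xiaomi.com:8080/", ""),
]


def host_is_watched(host):
    """True if host equals a watched suffix or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(method, url, body):
    """Return a finding for cleartext traffic to a watched host, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not host_is_watched(parts.hostname or ""):
        return None  # encrypted on the wire, or not a host of interest
    # Decode percent-encoding so "%2B1555..." is seen as "+1555...".
    text = unquote_plus(parts.query + "&" + body)
    leaks = []
    if PHONE_RE.search(text):
        leaks.append("phone-number")
    if PACKAGE_RE.search(text):
        leaks.append("package-name")
    return {
        "method": method,
        "host": parts.hostname,
        "port": parts.port or 80,
        "path": parts.path,
        "leaks": leaks,
    }


def audit(capture):
    """Classify every record and keep only the findings."""
    return [f for f in (classify(*rec) for rec in capture) if f is not None]


if __name__ == "__main__":
    for f in audit(CAPTURE):
        what = ", ".join(f["leaks"]) or "no sensitive pattern matched"
        print(f'{f["method"]} {f["host"]}:{f["port"]}{f["path"]} -> cleartext; {what}')
```

A finding with an empty `leaks` list still records cleartext contact with a watched host; the two regular expressions are only a first-pass filter and each hit needs manual review.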
 

linr76

Senior Member
Feb 28, 2014
133
53
Zürich
Xiaomi Security issues.

dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?

go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns

Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.

while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?
 
  • Like
Reactions: datagutt

zelendel

Senior Member
Aug 11, 2008
23,360
20,609
OnePlus 6T
OnePlus 9
Quote:
Originally Posted by linr76

dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?

go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns

Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.

while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?

First off do I have issues with them? Sure most here do but that is a whole other matter.

This was brought to attention by another user. Had you read the post you would have known that.

The fact that they record your bank account info is cause for further investigation.

I just posted it here for users to know and look into. In the end it doesn't matter to me as I'll never use their device or OS.
 
  • Like
Reactions: sprite048

linr76

Senior Member
Feb 28, 2014
133
53
Zürich
Ok I get it. No discussion will come of this. Apple is doing the same and that's all right since they are 'mericans. Totally cool.

Sent from my MI 3W using Tapatalk
 

pkb_always4u

Senior Member
Nov 24, 2010
540
141
Varanasi, India
Same issue, blocked me in MiUi forum!

No it's not. If we were an iOS forum. Then we would be calling them out as well.

I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.

Problem is deeper than this. The users instantly start screaming at anyone who says this mobile has security leaks (e.g. me) and asks for proofs, once I post the proofs they don't accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I won't surrender.
 

xiaohan

Senior Member
Nov 29, 2010
92
9
Quote:
Originally Posted by pkb_always4u

I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.

Problem is deeper than this. The users instantly start screaming at anyone who says this mobile has security leaks (e.g. me) and asks for proofs, once I post the proofs they don't accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I won't surrender.

I don't think the phone is released in Europe yet? So if you have problem with the software, flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA, NSA or any government agency tell you when they search through your personal data? I doubt.

Sent from my HTC One using XDA Free mobile app
 

pkb_always4u

Senior Member
Nov 24, 2010
540
141
Varanasi, India
Quote:
Originally Posted by xiaohan

I don't think the phone is released in Europe yet? So if you have problem with the software, flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA, NSA or any government agency tell you when they search through your personal data? I doubt.

Sent from my HTC One using XDA Free mobile app

What? Brother I am from India. To clear my situation more: my banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough), it's a security breach and case of international cyber crime. But in India, politicians have nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.
 

xiaohan

Senior Member
Nov 29, 2010
92
9
Quote:
Originally Posted by pkb_always4u

What? Brother I am from India. To clear my situation more: my banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough), it's a security breach and case of international cyber crime. But in India, politicians have nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.

You know once you use a public service, there is no privacy right? People can spy on you using your cellphone, not even a smart one and listen to whatever you are talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?

Just use another one if you are not happy with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even their staff don't know anything about it.

Sent from my MI 3C using XDA Free mobile app
 

pkb_always4u

Senior Member
Nov 24, 2010
540
141
Varanasi, India
Quote:
Originally Posted by xiaohan

You know once you use a public service, there is no privacy right? People can spy on you using your cellphone, not even a smart one and listen to whatever you are talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?

Just use another one if you are not happy with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even their staff don't know anything about it.

Sent from my MI 3C using XDA Free mobile app

Have you heard of "boiling water and frog's" story? I already said we don't raise our voice against such crimes, adjust ourselves saying "ohh very minor", "doesn't affect me much" or "others do it too". Just show me that Apple's product steals your SMS and I will agree with you, if you can't then either raise your voice with me or just get boiled like a frog in adjusting.
 

xiaohan

Senior Member
Nov 29, 2010
92
9
This is a technology forum, politics problem is not interested here I guess. Surely, sending sensitive data back to the server initially was suspicious, but the security issue has been patched, if you have a lot of security concern, don't use a smart phone.

Sent from my HTC One using XDA Free mobile app
 

ramanvemman

Senior Member
Sep 2, 2011
53
8
Kochi
I use a Mi3 in India

Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe your data is used without your knowledge.

The US based companies came public on data collection thanks to Mr.Snowden only.

Last week a US court ordered Microsoft to disclose data in their servers in Europe.

If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your private stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.



Sent from my MI 3W using XDA Free mobile app
 

zelendel

Senior Member
Aug 11, 2008
23,360
20,609
OnePlus 6T
OnePlus 9
Quote:
Originally Posted by ramanvemman

I use a Mi3 in India

Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe your data is used without your knowledge.

The US based companies came public on data collection thanks to Mr.Snowden only.

Last week a US court ordered Microsoft to disclose data in their servers in Europe.

If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your private stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.

Sent from my MI 3W using XDA Free mobile app

It is known all countries do this. The issue is which country the info goes to.
 

xiaohan

Senior Member
Nov 29, 2010
92
9
Hey, if you have problem, don't use it. Not posting any xiaomi product forums, I guess you don't own all the models you posted in the forum to.

I believe people come to here are not idiots. You mentioned the OS has issue you have concerns is enough, people make their own judgement and decisions.


Sent from my HTC One using XDA Free mobile app
 

raihan4

Senior Member
Mar 27, 2013
67
3
Been a national news for us android lovers here in Indonesia. Luckily enough, i never bought their products (quite popular here). OP, you sound like you're really against Xiaomi, though. You ever been in something with them?
 
Nov 29, 2014
5
2
Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.

Sent from my MI 3W using XDA Free mobile app
 

Attachments

  • 1417276012819.jpg
    1417276012819.jpg
    101.4 KB · Views: 940
  • Like
Reactions: Ank_S

TevicTT

Senior Member
Aug 4, 2011
59
11
Quote:
Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.

Sent from my MI 3W using XDA Free mobile app

Kernel Source has been released today
https://github.com/mi3-dev/android_device_xiaomi_cancro
https://github.com/mi3-dev/android_device_xiaomi_msm8974-common
https://github.com/mi3-dev/proprietary_vendor_xiaomi
 
