- The National Cybersecurity Center of Lithuania has conducted a study to uncover undocumented functionality on Chinese phones.
- The brands that were looked into include Huawei, Xiaomi, and OnePlus, using last year 5G models.
- Xiaomi was deemed the most risky, followed by Huawei, while nothing was discovered on OnePlus.
The National Cybersecurity Center under the Ministry of National Defense in the Republic of Lithuania has decided to investigate the potential existence of undocumented functionality in 5G smartphones made by Xiaomi, Huawei, and OnePlus, all Chinese brands.
The Ministry states those three were picked for the sole reason of having an unusually large number of vulnerabilities and exposures on the MITRE database, indicating a lack of proper security practices at the facilities where software for their products is developed, if not something worse.
The device models that were looked into are the following:
- Huawei P40 5G
- Xiaomi Mi 10T 5G
- OnePlus 8T 5G
As the Deputy Minister of National Defense in Lithuania Margiris Abukevičius stated:
This study was initiated in order to ensure the safety of using 5G mobile devices sold in Lithuania, and more specifically the software contained in them. Three Chinese manufacturers who have been offering 5G mobile devices to Lithuanian consumers since last year and who have been identified by the international community as posing certain cyber security risks have been selected for this.
The risks that were identified in this study are the following:
- Huawei’s app store automatically redirects users to arbitrary locations when app search results come back empty. Oftentimes, the redirection points to downloading an antivirus program that has been rated as malicious.
- Xiaomi’s Mi Browser uses the Google Analytics module together with the Chinese Sensor Data that collects 61 device action parameters periodically and sends them to Xiaomi’s servers.
- Xiaomi Cloud was found to be sending an encrypted SMS message upon the user registration on the service, which is then hidden but can be accessed by forensic experts of hackers in the future. This message contains sensitive device information as well as personal data.
- Xiaomi can technically censor downloaded content, and some of the in-built apps like the Mi Browser regularly receive a block keyword list from the manufacturer. At the time of the study, the list was 449 keywords long, including “Free Tibet," "Voice of America," "Democratic Movement," "Longing Taiwan Independence”, and many more. In Lithuania, this blocking was disabled, but the vendor may enable it remotely at any time, as the system is still there.
Notably, no flaws, dangers, or risks were identified on OnePlus devices in this study.