Was IAF alert on Xiaomi based on old F-Secure report? All you need to know

There might not be a new security scare with Xiaomi phones, but the Chinese company is moving its servers out of Beijing.

Written by Debashis Sarkar | New Delhi | Updated: October 25, 2014 12:38 pm

Chinese smartphone manufacturer Xiaomi entered the Indian smartphone market with its Mi 3 in July. The company made headlines after the Mi 3 sold like hot cakes on Flipkart. After just six weeks of massive sales in the country, Xiaomi temporarily discontinued the Mi 3 to make room for the much cheaper RedMi 1S, which arrived in September.

What is the data snooping concern regarding Xiaomi phones?

Before the launch of the RedMi 1S, software security company F-Secure published a report in August stating that the Xiaomi RedMi 1S “sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server. The phone number of the contacts added to the phone book and also from SMS messages received was also forwarded.”

Commenting on the Mi Cloud service, the report stated, “the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.”

F-Secure published a follow-up report within a week, saying that Xiaomi had addressed the privacy concerns related to the “MIUI Cloud Messaging Platform” by releasing an OTA update which made the messaging service “an opt-in feature, rather than a default one.”

The report confirmed that after the OTA update, the security experts “did not see any data being sent out from the phone.” It also stated that on logging into Mi Cloud, “base-64 encoded traffic is now sent.” Base64 is only an encoding, not encryption, and hides nothing from anyone capturing the traffic; the change that actually protects the data in transit is the move to HTTPS described next.

The updated report concluded by stating that Mi Cloud data was “now sent over HTTPS rather than HTTP, as seen in our previous testing.”

Is there still an issue?

Su Gim Goh, Security Advisor, APAC, F-Secure, during his visit to New Delhi on September 1, the same day the Xiaomi RedMi 1S first went on sale for Flipkart First subscribers, confirmed in an exclusive interaction with IndianExpress.com that Xiaomi has rectified the privacy issues it raised. “The entire privacy issue was related to Xiaomi’s cloud messaging service. Previously, the cloud service got activated by default without asking for the user’s permission. So, related personal data were sent from the phone to Xiaomi’s servers in China. After we alerted about this privacy concern, Xiaomi has made the cloud service an opt-in feature and not by default,” said Goh.

As with any cloud service, data is sent to the provider’s servers, which may be located outside the country, once the user has given permission. Goh further confirmed that even if users opt for Xiaomi’s cloud service, the data is now sent over HTTPS rather than plain HTTP. “The privacy concerns were addressed by Xiaomi quickly and now it’s all good,” added Goh.

So, why did the Indian Air Force issue a notification against using Xiaomi phones?

The Sunday Standard recently reported that the Indian Air Force (IAF) has notified its 1,75,000 personnel and their family members not to use Xiaomi smartphones, citing ‘spying’ concerns. The report said the IAF alert was based on inputs from CERT-In.

What is surprising is that the IAF notification appears to rest on the same F-Secure report from August, even though F-Secure itself had already confirmed that Xiaomi rectified the issue and that the phones no longer send the data without the user’s consent.

There are two possibilities: either the privacy problem with Xiaomi phones has returned, or the IAF notification is based on the older reports. We believe it to be the latter, as no new reports have surfaced since the F-Secure clarification in September.

Is this snooping or is this normal?

With any cloud service, be it Gmail, Facebook, WhatsApp or, in this case, the MIUI Cloud Messaging Platform, data is sent to and stored on the provider’s servers, which are often outside the country. Xiaomi stores its data on servers based in Beijing. There is no rule or regulation from the government requiring cloud service providers to store data within the country only. So, if a user opts for any sort of cloud service, it is entirely up to the service provider where the data is stored. What F-Secure objected to in August was not the location of the servers but that the phone sent contacts, IMEI, IMSI and phone numbers without the user opting in, and over unencrypted HTTP; both of those points were fixed by the OTA update.

How has Xiaomi responded to the latest issue?

According to Reuters, Xiaomi has announced that it is moving some data of non-Chinese customers away from its servers in Beijing, in several phases, to Amazon servers in the US and to data centres in Singapore, citing recent privacy considerations. This may be pure coincidence, or Xiaomi may actually have reacted to the IAF notification. Either way, for a company hoping to build a strong presence across the globe, it is highly unlikely that Xiaomi would do anything that puts off its customers or hurts its business in the slightest. Xiaomi has sold just over half a million handsets (Mi 3 and RedMi 1S combined) in India.


Comments

Mohammad Ozair
Oct 26, 2014 at 6:12 am
Very true, the Internet cloud has engulfed us and now it's too late to come out of it. Today almost every tech works on the cloud, hence storing your information. IAF thinks just storing our data on Chinese servers is unsafe, which means they still haven't got the meaning of cloud computing.

Anonymous
Oct 29, 2014 at 7:51 am
Arun, it appears that you seem to know more than a fair share about the equipment used in radars being used by the IAF. I also agree that this equipment may have been made in China and may be "camouflaged Chinese products". However, I would like to point out that radars and military equipment generally do not operate on open public data networks. They communicate in closed and dedicated networks and the signals use scrambling algorithms. If these equipments are providing additional services of communicating with a host server located somewhere in another part of the globe, then it is an outright case of snooping and military espionage. This could be undesirable and objectionable; however, an agency like the IAF, deploying such equipment, would be aware of the risks and would be taking some mitigatory steps to counter this risk.

However, when we talk about something as petty but at the same time as personal as a mobile phone, if the device sends out my personal data to a cloud server, it should be a matter of concern for me. The reason most people do not mind if the data is going to the US or Singapore or some place other than China is that data security standards are relatively more stringent and state-sponsored snooping activities are generally not expected to be carried out. I say "expected" because cases of NSA snooping and hacking of iCloud and leaking of the personal data are quite fresh in the memory. However, in the case of China, this might not be true and it may not come as a surprise if state-sponsored data theft and snooping is initiated using the data stored on their servers.

It is true that the IAF's response has come so late, and that too when the company has already fixed the issue. The bottom line is that we have already allowed our lives to be taken onto the cloud by the likes of Google, Facebook, Twitter, WhatsApp etc. and that it is now too late to stop the other entrants from taking us on a ride.

Arindom Banerji
Oct 25, 2014 at 5:20 am
Excellent example of paid journalism. Keep it up.

Arun Muralidhar
Oct 25, 2014 at 9:31 am
IAF is an ancient relic. Too late to react. Doesn't understand technology. Indian armed forces as such should enforce a total ban on its personnel using any cloud service which doesn't have 100% Indian ownership and a datacenter based only in India, if it's worried about security issues in a holistic way. Not knee-jerk reactions like the IAF's. Even if they are restrained, their families could be snooped on, so restrict them too. A server based in the US or Singapore doesn't mean we are safe. When it comes to national security, there shouldn't be any friends.

Now, even if you don't use a Chinese phone or datacenter, the chances are 50 percent of your data traffic routes through Hong Kong. Even if you buy communication hardware from US and EU companies, be it mobile tower antennas, a router, a LAN card or any other electronics, it would be assembled in China or Taiwan (again China) using a tail of components from SE Asia, predominantly China. Even the few working radars of the IAF are camouflaged Chinese products. Many of the tech product giants of the EU are controlled by the Chinese. Even Motorola will soon be Chinese. You can't do without them, and to snoop, a subtle mod on just one component is enough.

IAF, if it has finally woken up from its slumber, should look at ensuring all its comms happen through the private military network and not WhatsApp, Line and whatever. I have seen it. The Indian military as such should work on giving its brave men a separate social identity for being connected to family while internal chats happen over an independent network. Having data in the US is as much a threat as data in China. But the fact is even the service provider cannot decode current encryption standards.

I think all the "privileged netizens" of India have allowed Google and FB to keep track of you. Apps like Truecaller and its Chinese alternatives have already uploaded almost all Indian contacts. WhatsApp, Line etc. can't work without linking a mobile number. We have given acceptance, in numerous apps and games, to read FB contacts while signing up using Facebook login. The game you allowed to see FB contacts will mostly wind up in a year. Then, to cover losses, they will sell the data to intelligence agencies, especially Chinese, Iranian and Israeli. So the IAF response is too late, too stupid, that I can only laugh at it.