Xiaomi addresses latest Mi Cloud security concerns

Following its earlier privacy breach allegation on its Redmi Note, security concerns surrounding Xiaomi’s cloud storage, Mi Cloud has cropped up once again. This time it was raised up by security firm F-Secure.

In their earlier clarification and response, Xiaomi says that they take user privacy very seriously and they do not send user data to external servers without permission. The only time this happens is if a user opts to backup their device to the cloud with their Mi Cloud service, which is similar to other cloud solutions including Apple’s iCloud. If a user do not wish to use Mi Cloud, they can disable it completely.

So is the privacy issue sorted out for good? Not completely according to F-Secure and they have conducted a test with a brand new Redmi 1S, which is the smaller brother of the Redmi Note. With just a SIM Card, WiFi connection and no account set up when the phone was switched on for the first time, they tried making a standard voice call. To their surprise, they have reported that the device has sent some information to Xiaomi servers which includes IMEI, telco name and phone number.

They repeated this several times and upon signing in to Cloud Mi, the device would send more info including IMSI (SIM Card ID). So it appears that the Redmi 1S was transmitting info to their servers even without having to logged into Mi Cloud.

Obviously Xiaomi is not taking this second wave of security concerns lightly and Hugo Barra has responded along with a solution. He clarified that when a Mi device is switched on, the MIUI Cloud Messaging service would be enabled by default. In case you didn’t know, sending SMS between 2 MIUI devices that are connected online would be delivered for free over the internet. This happens in the quietly background and it appears like a normal SMS. For this to be possible, the Cloud Messaging service would require IMEI/IMSI and Hugo has stressed that no personal data such as contacts are stored on it.

To address such concerns once and for all, Xiaomi will be pushing a OTA (Over the air) software update to ensure that its Cloud Messaging service would be an opt-in service and disabled by default. You can get the latest updates under “Settings > About Phone > System Updates”. To turn it MIUI Cloud Messaging back on, users can head to “Settings > Mi Cloud > Cloud Messaging”. Below is the full FAQ on the latest concerns:

Q: What is MIUI Cloud Messaging?

A: Xiaomi offers a free service called Cloud Messaging as part of its MIUI operating system. This service allows MIUI users to exchange text messages with each other free of SMS charges, by routing messages via IP instead of using the carrier’s SMS gateway.

Q: How does Cloud Messaging work? Does it store any private user information?

A: When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability. MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services. Some technical implementation details are provided below. Users’ phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

Q: How does this relate to the privacy concerns raised about Xiaomi over the last 48 hours? What’s your response?

A: A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.

Q: How exactly does the MIUI Cloud Messaging system handle phone numbers?

A: For those interested in specific details about the MIUI Cloud Messaging implementation:
– The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device’s online status.

– When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP. If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.

– When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs.

– In any of these flows, the receiver’s phone number is only used to look up online status and to route messages. No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

– The OTA system update made available today (Aug 10th) adds an extra layer of security by encrypting phone numbers whenever they are sent to Cloud Messaging servers.

– We will continue to make changes and improvements to this architecture as needed over time.

[ SOURCE 2, VIA ]