BlueBox Security Vs Xiaomi, Who is in the Wrong?
Several days ago security firm BlueBox released a worrying report highlighting security flaws and privacy concerns with Xiaomi’s Mi 4 phone, however several points in the article gave cause for concern that the device in question was not in fact a legitimate product. This doubt causes more concerns than the initial claim itself.
The initial report stated several key points:
“Our first test was to determine the authenticity of the Xiaomi Mi 4 LTE we had acquired. Determining whether our Mi 4 LTE was counterfeit was key to understanding the rest of our findings.”
BlueBox assessed the legitimacy of the device through several means, they tested hardware such as under the battery cover, and the components used. They then used the app called “Mi Identification” that can be run on the device to determine whether the devices does indeed come from Xiaomi. This allowed them to determine that the device was legitimate.
“Ultimately, we found six suspicious apps that can be considered malware, spyware or adware”
The first of these apps was Yt Service which embeds an adware service called DarthPusher, alarmingly the developer package was named com.google.hfapservice meaning that at first glance it appeared to be from Google which some users would expect to find upon an Android device. This is not the case and the app is not from Google. Other apps that caused alarm included a Trojan called PhoneGuardService, riskware called AppStats and malware called SMSreg.
“We ran Trustable by Bluebox on the Mi 4 to determine its security posture. We were disappointed to see a score of 2.6, suspicious range”
The results of this test revealed that the device was vulnerable to every vulnerability they scanned for apart from Heartbleed, the Mi 4 was also rooted and USB debugging mode was enabled whilst lacking prompts to talk to connected computers. The presence of SU does require a security provider to be used, restricting its use. however it should not be present at all on the device.
“The operating system identifies itself as Android KitKat 4.4.4, there are some oddities that make it appear to be a mash-up of both an older version of Android with parts of the current version (4.4.4).”
Some icons were from a previous versions of Android and several of the vulnerabilities discovered by Trustable should only be present on previous builds. There were multiple conflicts with the API corresponding to 4.2 and the device being signed with test or release keys.
“The external storage on the device contains a hidden directory that holds several Android applications that look to be primarily performance benchmarking apps. Some of these apps have been resigned from the original manufacturers signing key”
This means that the apps could have been tampered with, as the signature on the app differs from the one on the Play Store.
These findings were reported to Xiaomi, but due to a lack of response, details were then released to the public. It was at this point Xiaomi got in touch and gave the following responses.
“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”
In a communication to BGR, Xiaomi stated: “There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China.”
Xiaomi has since released an update with their findings, which show that the device is not a genuine product and is in fact an exceptional counterfeit. Having the same internals, battery and labels as would be expected. The verification app was even fooled in this case and as such the effort required to confirm the authenticity of the device is far beyond that capablility of the average user. The hidden directory was the cause of this as any attempt to install the AntiFake app were intercepted by a copy present on the SDcard and after removing these fake applications the genuine copies could be installed and used to prove the device was not authentic. After BlueBox ran the same tests on an official copy of Xiaomi’s MIUI ROM they received a far improved score of 6.7 and noticed many of the flaws initially detected were not present.
The issues here are far more than just a fake device and a worrying security report. The fact that at some point in the supply chain an imitation device was sold that could pass these tests shows just how careful we have to be. Whilst purchasing directly from an OEM or through a trusted retailer would in theory stop this from occurring, through either ignorance or apparent necessity some consumers will ultimately always end up buying from alternate sources. Companies’ efforts to stop this happening again is paramount and they will have to increase their security procedures significantly in the future. The public usually have faith that applications such as “Mi Identification” will indeed be effective and a break down of this trust could lead to some horrific security flaws. It is possible and likely that many more devices have the same issues and it was just a matter of time before one was discovered. Some users who have less knowledge of smartphones may never realize they own an unofficial device.