The National Cyber Security Center under the Ministry of National Defense (NKSC) of Lithuania conducted a security investigation of the Chinese manufacturers Huawei P40 5G, Xiaomi Mi 10T 5G and OnePlus 8T 5G smart 5G devices sold in Lithuania.
“This study was initiated in order to ensure the safe use of 5G mobile devices sold in Lithuania and the software contained in them within our country. Three Chinese manufacturers have been selected who have been offering 5G mobile devices to Lithuanian consumers since last year and who have been identified by the international community as posing certain cyber security risks,” said Margiris Abukevičius, deputy minister of national defence.
The study identified four key cyber security risks. Two relate to gadgets installed on the manufacturer’s devices, one to the risk of personal data leakage and one to possible restrictions on freedom of expression. Three risks were identified at Xiaomi’s device, one at Huawei, and no cyber security vulnerabilities were identified at OnePlus’ mobile device.
Risks for gadgets manufacturers
Analyzing Huawei’s 5G smartphone performance, the researchers found that the device’s official app app store, App App, which does not find the user-requested app, automatically redirects it to third-party email. stores where some gadget antivirus programs have been rated as malicious or infected with viruses. Researchers have also attributed cyber security risks to Xiaomi’s Mi Browser. It uses not only the standard Google Analytics module in other browsers, but also the Chinese Sensor Data, which collects and periodically sends up to 61 parameter data about the actions performed on the user’s phone.
“In our opinion, this is really redundant information about user actions. The fact that this rich statistical information is sent and stored in an encrypted channel on Xiaomi servers in third countries where the General Data Protection Regulation does not apply is also a risk,” said Dr. Tautvydas Bakšys.
Restrictions on freedom of expression
Analyzing the performance of the Xiaomi device, the researchers found that it had the technical capability to censor the content downloaded to it. Even several manufacturer’s gadgets on your phone, including the Mi Browser, periodically receive a manufacturer’s blocked keyword list. When it detects that the content you want to send contains words in the list, the device automatically blocks that content.
At the time of the study, the list included 449 keywords or groups of keywords in Chinese characters, such as “Free Tibet”, “Voice of America”, “Democratic Movement” “Longing Taiwan Independence” and more.
“We found that the content filtering function was disabled on Xiaomi phones sold in Lithuania and did not perform content censorship, but the lists were sent periodically. The device has the technical capability to activate this filtering function remotely at any minute without the user’s knowledge and to start analyzing the downloaded content. We do not rule out the possibility that the list of blocked words could be compiled not only in Chinese but also in Latin characters,” added Bakšys.
Risk of personal data leakage
The risk of personal data leakage has been identified on a Xiaomi device when a user chooses to use the Xiaomi Cloud service on the Xiaomi device. To activate this service, an encrypted SMS registration message is sent from the device, which is not saved anywhere later. “Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent. This automated sending of messages and the hiding of their content by the manufacturer poses potential threats to the security of the user’s personal data, because without his knowledge, data of unknown content can be collected and transmitted to servers in third countries,” added Bakšys.
Lithuania has already incurred China’s rancour; in August, Beijing demanded that it recall its ambassador after it established a representative office in Taiwan, which claims that Taiwan (Republic of China) is part of China (People’s Republic of China).
