Xiaomi servers allegedly prone to zero-day attack that steals confidential data


Following reports of the security loophole in Xiaomi phones that causes them to send user data, including the user's IMEI, phone number, and phonebook contacts, to remote servers, a Taiwanese security expert has now raised another security alarm against Xiaomi devices. According to the expert, Xiaomi devices are vulnerable to zero-day attacks which can compromise attacked systems or steal confidential data.

The Hacker News reported that the Taiwanese researcher Chen Huang had planned to speak about this vulnerability in Xiaomi phones at the Ground Zero Summit 2014 in New Delhi, but the session was later pulled from the conference. According to India Today, Xiaomi requested that the organisers withhold the session until it could complete its investigation into the vulnerabilities. However, the organisers alerted Indian Air Force officials about the Xiaomi vulnerability, which prompted the IAF to warn its personnel against using Xiaomi devices.

Xiaomi's Hugo Barra said the company will address these concerns with the IAF, though the authorities have since claimed not to have placed any such ban on Xiaomi phones.


The G0S website still carries the abstract of the Taiwanese security expert's session, which says "In this session Taiwanese Researcher will demonstrate how Xiaomi Phones have been sending device data and personal data of Xiaomi Phone user to Chinese Servers. The Researcher will also release Server Logs, Mi Account username, Emails and passwords of millions of Xiaomi users which have been obtained using a Zero Day flaw in the Xiaomi Servers." The researcher later sent The Hacker News a partial database of the compromised Xiaomi phones to confirm that several Mi accounts had already been compromised.

Following the revelation, Xiaomi issued a statement saying the file contained information from user accounts registered before August 2012 on an old version of the Xiaomi user forum website. That information became obsolete after the company launched the integrated Xiaomi Account system.

In response to Chen Huang's accusation, Xiaomi said "Chen Huang has recently threatened to expose data from the old user account file during a session at the upcoming Ground Zero Summit 2014, falsely claiming it to be data compromised through an existing vulnerability. This is a grave accusation, as we take our users' privacy very seriously, and we will seek legal action against the involved parties."

While it's hard to tell who's speaking the truth, Xiaomi has taken a few steps to ward off the bad publicity the news has brought the company. Xiaomi is reportedly migrating some data on non-Chinese customers away from its servers in Beijing, citing performance and privacy considerations. For the same reason, Xiaomi is also planning to set up a data center in India for local users within the next year.
