
Testing the Xiaomi RedMi 1S - msh
http://www.f-secure.com/weblog/archives/00002731.html
======
songco
Why not test other phones and do a comparison?

Is there any way to decode the content of HTTPS? Like installing a certificate
on the phone and using Man-in-the-Middle to get the decoded content; I think
it's possible. Or the phone may use a private protocol (not HTTP/HTTPS) and
it's hard to decode?

From the report, the tested phone sends the IMEI and phone number over HTTP; it
does not mention whether the phone sends SMS over HTTP or in unencrypted form.
In my opinion, users don't know whether their message is sent the traditional
way or by data connection; the phone needs to query whether the SMS receiver
has also enabled the company's SMS-via-data-connection feature, and if yes, it
sends via data connection. I think this mechanism is OK for me, but it's
better to encrypt the "Query".

------
gulpahum
According to Engadget, there is a fix on the way: "With today's ROM update,
users of fresh or factory-restored Xiaomi devices will have to manually enable
the cloud messaging function, meaning there should be no more stealthy
connections back to Beijing."

[http://www.engadget.com/2014/08/10/xiaomi-privacy-issue-clou...](http://www.engadget.com/2014/08/10/xiaomi-privacy-issue-cloud-messaging/)

------
sahaskatta
To my understanding, my Android phone on Verizon would also upload my data
(contacts, SMS, etc.) to the carrier's own cloud. My data would also get
uploaded to Google's cloud as well.

Is Mi doing it without encrypting the data or without using SSL? Can someone
explain this better?

~~~
spyder
The screenshot in the article shows it's an HTTP GET request, so no encryption,
and the GET request makes it more likely it's getting stored not only in their
db but in access logs of other servers (web server, load balancers, proxies).
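
The point above about GET query strings ending up in access logs, as an added example that is not part of the original comment: a Python scan of access-log lines for IMEI-shaped values (15 digits, Luhn-valid) and E.164-style phone numbers in query strings. The log lines, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def luhn_ok(digits):
    """Luhn check used by IMEI: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return 'imei', 'phone' or None for one decoded query value."""
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    if re.fullmatch(r"\+\d{8,15}", value):  # E.164-style number
        return "phone"
    return None

def identifiers_in_log_line(line):
    """List (parameter, kind) pairs found in a logged GET query string."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return []  # request bodies are not written to access logs
    query = urlsplit(m.group("target")).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(name, classify(v)) for name, v in pairs if classify(v)]

def scan(lines):
    """Map 1-based line number -> hits, skipping lines with none."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = identifiers_in_log_line(line)
        if hits:
            report[n] = hits
    return report

# Constructed sample lines (documentation IP range, textbook example IMEI).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2014:09:12:01 +0000] "GET /v1/status?d=490154203237518&p=%2B15555550123 HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Aug/2014:09:12:05 +0000] "GET /v1/item?order=123456789012345 HTTP/1.1" 200 93',
    '203.0.113.7 - - [10/Aug/2014:09:12:09 +0000] "POST /v1/status HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)  # reports parameter names and kinds, not the values
```
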

~~~
sahaskatta
So if they did use HTTPS and possibly encrypt the content underneath as well,
would this not be an issue or is there more?

~~~
StavrosK
It would still be an issue, this just makes it larger.

------
udv
Does anyone know the name of the tool that is being used in the article? (the
console tool displaying the HTTP requests).

~~~
lreeves
mitmproxy, it's fantastic.

~~~
philangist
BTW, I think Charles can do something similar. And it's got a very nice
interface. I even used it to "cheat" Tinder by swiping yes to all matches
([https://gist.github.com/philangist/e5f94bfb887f56958667](https://gist.github.com/philangist/e5f94bfb887f56958667))
by reverse engineering the Tinder API.

------
ZoF
It looks like what's sent to Xiaomi is telco information, IMEI and phone
number(s) of: the device owner, all contacts, and anyone who's called or
texted; if you enable their cloud services, the IMSI is sent as well.

The lack of SSL is far and away more surprising to me. If they're really
sending the IMSI (and not a randomly generated Temporary) in the clear over
HTTP... That would be a glaring oversight.

------
evidencepi
WTH? How can they do this?

~~~
est
Apparently, it's some kind of cloud messaging service like iMessage so you can
send text chats via data connection between MIUI devices instead of SMS.

I am OK with this approach but Xiaomi's problem is that it's enabled by
default and it's unencrypted.

------
rahimnathwani
Previous submission of F-Secure's test:
[https://news.ycombinator.com/item?id=8146355](https://news.ycombinator.com/item?id=8146355)

~~~
dang
Thank you. We'll change the URL to that (from
[http://www.ibtimes.co.uk/security-firm-shows-xiaomi-smartpho...](http://www.ibtimes.co.uk/security-firm-shows-xiaomi-smartphones-do-secretly-steal-your-data-1460382),
which points to it) because it didn't receive significant attention.

~~~
msh
I think the title is bad, this new title makes it sound like it's a normal test
of a mobile phone while the article is actually about the security problem.

~~~
dang
Can you suggest a better title?

