MIUI Has Backdoors (maybe)

[Screenshot: netstat output in a terminal app on The Libre Guy's Mi Pad]

Before you start saving up for that jaw-dropping Mi Mix, there's something you should know: someone claims to have found a backdoor in MIUI, the Android ROM that ships on Xiaomi phones and tablets.

The Libre Guy grabbed this screen from a terminal app on his Mi Pad while running the netstat command. What does it mean? I'll let him explain:

What this means is that Xiaomi has a background app constantly running which establishes a connection with some backend servers as soon as you connect to the Internet. For example, as shown on the first line, an app is listening on the XMPP port and connected to the IP 111.206.200.2. When I looked up this IP Address on the Internet, it was traced to some Chinese ISP, thus confirming my suspicion.

What this essentially means is that the person on the other end of this connection may be doing anything to our device through this established TCP connection. Now, it could well be the case that the app is genuinely listening for an update or something, but as we all know, a backdoor such as this can be exploited by any hackers and used in unintended ways.

Recalling that time I found ES File Explorer phoning home to China, I immediately pulled my Redmi 1S out of storage and installed OS Monitor to see whether I could find the same thing. Spoiler alert: not really.

[Screenshot: OS Monitor connection list on the author's Redmi 1S]

Here's a screen grabbed from OS Monitor running on my Xiaomi device. There is indeed a connection to the Xiaomi Service Framework (the offending connection identified by The Libre Guy in a follow-up post), but this one goes to a server in Singapore. In fact, the vast majority of MIUI's connections go to that country, possibly because my phone was purchased in Hong Kong rather than mainland China.

So why does MIUI need so many connections? For starters, the OS is themeable, with third-party theme packs available for purchase from an online store. There is at least one persistent connection to my Mi Account, just as there is for a Google account. There is also a connection for Mi Cloud file backup, as there would be for Google Drive. On this particular device, which has both Google and Mi services installed, I counted 12 active connections for MIUI and 6 for Google, and I've never even signed into my Google account from this phone!
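Reading a netstat screenshot by eye, as in the Mi Pad capture quoted above, and tallying connections per app, as in the OS Monitor capture, is the same job: parse the socket table, name the service port, and decide whether a socket is an inbound listener or an outbound session. The script below is an added example, not code from this post or from The Libre Guy. It takes the text of `netstat -tnp` (e.g. piped from `adb shell`) and labels each line; the sample lines are constructed, with only the address 111.206.200.2 taken from the page, and the EXPECTED_NETS list, PIDs and package names are assumptions for the example.

```python
"""Triage `netstat -tnp` output: which program holds which socket, where it
goes, and whether it is an inbound listener or an outbound session."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Service names for the ports that matter here. 5222 is the XMPP client port
# named on the page; the others are ordinary well-known ports.
PORT_NAMES = {80: "http", 443: "https", 5222: "xmpp-client",
              5223: "xmpp-client-tls", 5555: "adb"}

# Networks whose traffic we treat as expected. Assumptions for this example,
# not Xiaomi's real address space: RFC 1918 and loopback, plus one
# hypothetical "known vendor" block (203.0.113.0/24 is a documentation range).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "203.0.113.0/24")]

# Constructed sample in Linux/BusyBox `netstat -tnp` layout. Only the address
# 111.206.200.2 comes from the page; PIDs, package names and the other
# addresses are made up for the example.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.23:48812      111.206.200.2:5222      ESTABLISHED 1234/com.xiaomi.xmsf
tcp        0      0 192.168.1.23:52100      203.0.113.10:443        ESTABLISHED 2345/com.android.vending
tcp        0      0 192.168.1.23:41222      192.168.1.1:53          TIME_WAIT   -
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      999/com.example.helper
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      777/adbd
"""

LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str
    program: str  # package/binary name without the PID, or "-" if unknown


def split_addr(addr):
    """'host:port' -> (host, port); a '*' port (listeners) becomes 0.
    rpartition keeps IPv6 hosts such as ::ffff:1.2.3.4 intact."""
    host, _, port = addr.rpartition(":")
    return host, 0 if port == "*" else int(port)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # headers, udp and unix-socket lines are skipped
            continue
        proto, local, remote, state, pid_prog = m.groups()
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        program = pid_prog.partition("/")[2] or pid_prog
        conns.append(Conn(proto, lhost, lport, rhost, rport, state, program))
    return conns


def is_expected(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:  # netstat shows v4 peers on v6 sockets this way
        ip = ip.ipv4_mapped
    return any(ip in net for net in EXPECTED_NETS)


def triage(conn):
    """Label a socket the way a manual review of the screenshot would."""
    if conn.state == "LISTEN":
        # Only a listener bound to a non-loopback address is reachable from
        # the network; that is what an inbound backdoor actually looks like.
        if ipaddress.ip_address(conn.laddr).is_loopback:
            return "listen-local-only"
        return "listen-network-reachable"
    if conn.state == "ESTABLISHED":
        # Ephemeral local port to a service port: the phone opened this
        # session. It is a phone-home channel, not a door someone can knock on.
        return "outbound-expected" if is_expected(conn.raddr) else "outbound-unexpected"
    return "transient"


def service_name(conn):
    port = conn.lport if conn.state == "LISTEN" else conn.rport
    return PORT_NAMES.get(port, str(port))


def established_per_program(conns):
    """The per-app tally the post does by eye (12 for MIUI, 6 for Google)."""
    return Counter(c.program for c in conns if c.state == "ESTABLISHED")


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for c in conns:
        print(f"{c.program:24} {c.state:12} {c.raddr}:{c.rport:<6} "
              f"{service_name(c):16} {triage(c)}")
    print(established_per_program(conns))
```

The point of the two label families is the caveat the netstat screenshot invites: an ESTABLISHED socket from an ephemeral local port to port 5222 is a session the phone opened, so what the far end can do is bounded by whatever the client app does with that channel (a real concern, but one you investigate by capturing the traffic, not by assuming a shell), whereas only a LISTEN socket on a non-loopback address is something a neighbour on your home router can connect to. "outbound-unexpected" is just a prompt to go look up the address, which is exactly the step the post describes.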

I guess what I'm trying to say is that my own results were inconclusive. If and when Xiaomi brings its wares to the Americas, smarter people than you or I will likely be scrutinizing what's going on under the hood.

P.S. I’m pulling the battery on my Redmi now and putting it back in storage, so no drive-by attacks through my home router, please and thanks…

Sources: The Libre Guy (1) (2)
