Multiple Vulnerabilities Uncovered in Xiaomi Smartphones by Oversecured Research Firm. Oversecured, a security research firm, recently uncovered numerous vulnerabilities within the system components and applications of Xiaomi smartphones.
The investigation, initiated in 2023, revealed over 20 existing loopholes that could potentially grant malicious attackers easy access to sensitive data and system functions.
Although Oversecured promptly reported these findings to Xiaomi between April 25 and April 30, 2023, not all vulnerabilities have been addressed and fixed yet.
The report indicates that Xiaomi’s oversight enabled access to various system functions and services with elevated privileges, unauthorized access to system files, exposure of phone settings and Xiaomi account information, as well as other vulnerabilities.
Factors Contributing to Security Vulnerabilities
Xiaomi, like other original equipment manufacturers (OEMs), builds its apps and services for devices based on Google’s Android Open Source Project (AOSP) codebase.
Unfortunately, these modifications weren’t subjected to rigorous security checks, leaving the devices vulnerable to potential security breaches.
Many of the identified vulnerabilities stem from apps originating from the AOSP. Xiaomi’s enhancements, aimed at improving user experience, have inadvertently introduced serious security risks.
Apps Impacted by the Vulnerability
The list of affected apps is extensive and encompasses commonly used applications such as
- Gallery (com.android.printspooler)
- Print Spooler (com.android.printspooler)
- Security (com.miui.securitycenter)
- Security Core Component (com.miui.securitycore)
- Settings (com.android.settings)
- GetApps (com.xiaomi.mipicks)
- Mi Video (com.miui.videoplayer)
- MIUI Bluetooth (com.xiaomi.bluetooth)
- Phone Services (com.android.phone)
- ShareMe (com.xiaomi.midrop)
- System Tracing (com.android.traceur)
- Xiaomi Cloud (com.miui.cloudservice)
Four vulnerabilities were identified in the Settings app, enabling attackers to link services to any application and access Wi-Fi and Bluetooth information, system files, Xiaomi account particulars, and phone numbers.
Similarly, GetApps, a service akin to an App Store, displayed four significant security weaknesses that could result in memory corruption and the exposure of sensitive data, including Xiaomi session tokens.
Oversecured noted that Xiaomi has not yet addressed this issue, posing risks for current users.
These discoveries, dated over a year ago, underscore concerns regarding the security measures implemented by OEMs like Xiaomi to safeguard their devices.
Keep Your Phone Up-to-Date
Considering these are system apps present across all devices, including flagship models like the Xiaomi 14 Ultra, it becomes challenging to rely on the brand with sensitive information.
Xiaomi has yet to respond to the latest findings from this report.
If you own a Xiaomi smartphone, it’s advisable to promptly install any recent system updates as they may include patches addressing some or all of these vulnerabilities.
0 Comments