Lithuanian government warns about secret censorship features in Xiaomi phones
Xiaomi Mi 10T // Image: Xiaomi
Catalin Cimpanu September 21, 2021

Lithuanian government warns about secret censorship features in Xiaomi phones

Lithuanian government warns about secret censorship features in Xiaomi phones

The Lithuanian Defense Ministry published a security audit on Wednesday for three popular 5G smartphone models manufactured in China, recommending that citizens avoid or stop using at least two of the three devices, citing privacy infringements and secret censorship capabilities.

The 5G smartphone models selected for the audit included:

  • OnePlus 8T 5G
  • Huawei P40 5G
  • Xiaomi Mi 10T 5G

Margiris Abukevičius, Deputy Minister of National Defense, said the phones were selected because they had been previously identified “by the international community as posing certain cyber security risks.”

While the government audit, which is available for download from the ministry’s website [PDF, English PDF], did not find any issues with the OnePlus 8T 5G, several problems were identified with the other two models.

Xiaomi: Censorship module, surreptitious data collection

The most were found in the Xiaomi Mi 10T, where officials said they uncovered a secret censorship module that could detect and censor 449 keywords or groups of keywords in both Chinese and Latin characters related to sensitive topics inside China, such as “Free Tibet,” “Voice of America,” “Democratic Movement,” “Longing Taiwan Independence,” and others.

Officials said this module was disabled inside Lithuania and the EU region, but they also found a function that could have allowed Xiaomi to silently enable the censorship module at any given time without the user’s knowledge.

In addition, officials said they also found a second issue impacting Xiaomi phones, which also sent an encrypted SMS message to Xiaomi servers whenever the owner chose to use the Xiaomi Cloud service.

“Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent,” Dr. Tautvydas Bakšys, one of the report’s authors, said on Wednesday.

After the SMS was sent, the message was also hidden from the device owner, another action which Lithuanian authorities saw as a sign of alarm.

Furthermore, officials said they also found that the Xiaomi phone also collected up to 61 data points about the device and its owner via the Mi Browser app, information it sent to a Google Analytics account and to Chinese servers.

Xiaomi did not return a request for comment sent by The Record seeking answers to the Lithuanian government’s report.

The same audit also found an issue with the Huawei P40 5G model, which officials said would often redirect users seeking various apps to malicious alternatives.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.