Lithuanian government warns about secret censorship features in Xiaomi phones

The Lithuanian Defense Ministry published a security audit on Wednesday for three popular 5G smartphone models manufactured in China, recommending that citizens avoid or stop using at least two of the three devices, citing privacy infringements and secret censorship capabilities.

The 5G smartphone models selected for the audit included:

  • OnePlus 8T 5G
  • Huawei P40 5G
  • Xiaomi Mi 10T 5G

Margiris Abukevičius, Deputy Minister of National Defense, said the phones were selected because they had been previously identified “by the international community as posing certain cyber security risks.”

While the government audit, which is available for download from the ministry’s website [PDF, English PDF], did not find any issues with the OnePlus 8T 5G, several problems were identified with the other two models.

Xiaomi: Censorship module, surreptitious data collection

The most issues were found in the Xiaomi Mi 10T, where officials said they uncovered a secret censorship module that could detect and censor 449 keywords or groups of keywords in both Chinese and Latin characters related to sensitive topics inside China, such as “Free Tibet,” “Voice of America,” “Democratic Movement,” “Longing Taiwan Independence,” and others.

Officials said this module was disabled inside Lithuania and the EU region, but they also found a function that could have allowed Xiaomi to silently enable the censorship module at any given time without the user’s knowledge.

In addition, officials said they found a second issue impacting Xiaomi phones: the device sent an encrypted SMS message to Xiaomi servers whenever the owner chose to use the Xiaomi Cloud service.

“Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent,” Dr. Tautvydas Bakšys, one of the report’s authors, said on Wednesday.

After the SMS was sent, the message was also hidden from the device owner, another action that Lithuanian authorities saw as a sign of alarm.

Furthermore, officials said they found that the Xiaomi phone collected up to 61 data points about the device and its owner via the Mi Browser app, information it sent to a Google Analytics account and to Chinese servers.

Xiaomi did not return a request for comment sent by The Record seeking answers to the Lithuanian government’s report.

The same audit also found an issue with the Huawei P40 5G model, which officials said would often redirect users seeking various apps to malicious alternatives.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
