Recently security consultancy Bluebox Labs reported on some major security flaws found in the latest Xiaomi Mi 4 phone. Xiaomi didn’t take this criticism lying down, and has prepared a lengthy rebuttal to Bluebox’s claims.
While Xiaomi had already called the report “inaccurate” in a statement to VR World, Hugo Barra, Xiaomi’s VP International, responded to Bluebox Labs by saying the phone purchased by the company in China had been tampered with. It’s important to note that Bluebox had already tested the device to make sure that it was authentic and not a knockoff.
“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc,” Barra said in his statement. “Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”
If Barra’s claim holds true, this brings up the very worrying issue of supply chain security, as Bluebox points out. If these — authentic — phones are modified by the retailer, or someone else in the supply chain, that’s incredibly concerning for device security and brand reputation.
Barra says that customers should only purchase Xiaomi phones from the official online store or from “reputable retailers” to ensure authenticity. But what makes a “reputable retailer”? If the one Bluebox purchased its phone from — and it went to great lengths to ensure authenticity — isn’t reputable, then which ones are? After all, China is home to fake Xiaomi stores (and fake Apple as well as Samsung stores too).
If indeed what Barra says is true, this is largely a lesson in supply chain security. All vendors need to ensure that the China side of their supply chain isn’t compromised by a man-in-the-middle attack, because clearly even local companies aren’t immune.
UPDATE: March 9 2015 11:00 AM China Standard Time
Xiaomi emailed VR World further statements to expand upon what it told Bluebox Labs. Here’s the statement in full.
There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours.
With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China.
Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate — fooling even very discerning buyers.
Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India.
In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.