Security researcher claims Xiaomi phone data compromised

A Taiwanese security researcher has claimed to have uncovered vulnerabilities in the servers of Chinese mobile phone company Xiaomi.

The vulnerabilities allowed Cheng Huang to extract information from Xiaomi accounts and logs from servers, which he planned to demonstrate at a cyber security seminar in New Delhi next month.

The researcher is said to have accessed millions of phone numbers, IMEI numbers, email accounts and passwords from the company's servers in China.

Indian website the hackernews.com reported Huang's claim yesterday which prompted a vehement denial from Xiaomi. The world's third-largest smartphone maker claimed to have verified Huang's claim and found it to be a hoax. The company said the zero-day vulnerability reported by the cyber security researcher, Chen Huang, was a deliberate falsehood, and Xiaomi was taking the necessary legal action against involved parties.

Huang's session at the 'Ground Zero Summit' to be held at New Delhi's Hotel Ashok between 13-14 November, stands suspended.

According to India Today, it had been told by Jiten Jain, CEO, Indian Infosec Consortium, the conference organisers that Xioami had request them withhold the session till such time as they completed investigations into the vulnerabilities.

Huang had planned to demonstrate, via-videolink, how Xiaomi smartphones sent back personal data of users to Chinese servers.

Meanwhile, MobileTor.com reports that Xiaomi had much to lose in case such allegations proved true. The company had recently been accused of secretly sending smartphone user data to its servers in Beijing (See: Taiwan investigating security threat from Xiaomi).

Though according to market research firm IDC, Xiaomi had emerged as the third-largest smartphone vendor in the world, after Samsung and Apple, the Chinese company's climb to success had been marked by controversy and it could not afford to keep expending resources on putting out rumours all the time. The company insists it had faced only one security incident involving the lead of a 2-year old user account file in May of this year.

The file is believed to have held information from customer accounts registered before 2012 in an old version of the Xiaomi user forum. A safer system had been launched within a month, that made the data obsolete, according to the company. Users were however, asked to  change their passwords as a precautionary measure.