20 New Vulnerabilities ‘Pose A Threat To All Xiaomi Users,’ Researchers Warn
Xiaomi smartphones have a host of security flaws that could allow hackers to steal passwords and compromise social media accounts, according to cybersecurity researchers. The 20 vulnerabilities are related to the Chinese company’s deployment of Google’s Android operating system. Xiaomi has fixed the flaws, and users should update their phones as soon as possible.
The flaws affected a wide range of software running on Xiaomi devices, from the settings app through to its Bluetooth software, said Sergey Toshin, founder of Oversecured, the mobile security startup that found the weaknesses. The most dangerous flaws could be abused to grant an attacker “system privileges,” Toshin told Forbes, allowing theft of user passwords and access to private user files. However, Toshin does not believe the weaknesses were exploited by malicious hackers.
He said that if a hacker had wanted to exploit the most serious weaknesses, they’d likely try to install a malicious app on a Xiaomi phone, either via phishing or through pushing malicious apps on marketplaces like Google Play. From there, a hacker could use the app to exploit one of the weaknesses, and do things like intercept a victim’s social network messages, harvest user contacts and collect information about their connected Bluetooth devices, Toshin said.
Oversecured disclosed the flaws to Xiaomi last week after testing them on a Xiaomi 13 Ultra. “We believe every device was vulnerable since [the flaws] are part of the firmware,” Toshin said. He said the Chinese company patched the vulnerabilities within a week. Xiaomi confirmed it had remediated all the vulnerabilities.
He said Xiaomi might be able to avoid significant issues if it gave out larger rewards to hackers as part of its bug bounty program, which it runs over the HackerOne platform. According to HackerOne data, its average payout is between $80 and $100, and it’s rewarded hackers with $2,600 in the last 90 days. Comparatively, Google paid out $3.4 million to Android security researchers in 2023.
A Xiaomi spokesperson said the company had “an industry-leading security team” and was working with Google and HackerOne “to build secure Android systems.” But Toshin said Xiaomi’s current payouts were “significantly lower than those of Google” and that “Xiaomi needs to invest more resources in the security of its devices.”