[ad_1]
The woman is using a Huawei P40 phone. Photo by Michele Tantussi (File Photo / Reuters / Scanpix.)
New paragraphs 8 to 9
The National Cyber Security Center (NKSC) announced on Tuesday that it had detected 4 major cyber security risks in Chinese phone makers Huawei P40, Xiaomi Mi 10T and OnePlus 8T 5G sold in Lithuania.
NKSC conducted an investigation with the phones of these manufacturers, which are sold by Lithuanian telecom operators and the largest online stores. Experts from Xiaomi, Huawei and OnePlus say they chose it because dozens of cybersecurity vulnerabilities have been identified in the international database of cyber vulnerabilities, CVE.
Two of the four risks identified by the NCSC in the study, which the center considers essential, are related to the applications installed on the manufacturer’s devices, one is the risk of personal data leakage and the other is possible restrictions on freedom of use. expression, according to the NKSC report.
Three risks were identified on the Xiaomi device, one on Huawei, and no cybersecurity vulnerabilities were identified on the OnePlus mobile device.
Gadget risks
NKSC claims that the application gallery of the Huawei P40 5G official mobile application store, which does not find the application desired by the user, automatically redirects it to third-party email. stores. Some of their devices, according to the study authors, were classified as malicious or infected by antivirus programs.
“Most application repositories are located in countries not covered by the General Data Protection Regulation (BDAR), posing a concomitant risk of user data leakage. Some of the applications in the caches are counterfeits of the original applications, which have malicious functionality or are infected with viruses ”, according to the NKSC study.
A report published in Huawei’s media at the time states that AppGallery only collects and processes the data necessary for customers to find, install, and manage third-party applications.
“The same practice applies to other popular app stores. Both the Petal Search plugin and the AppGallery app are BDAR compliant and certified with the European Privacy Seal. Huawei clearly indicates when devices come from publicly available sources, so that the user is not required to download any device. “Huawei conducts regular security checks to ensure that the user only downloads applications that are secure and run on HMS devices,” the company said in a statement.
The NKSC also attributed the cybersecurity risk to Xiaomi’s Mi Browser. It uses the Sensor Data module, which periodically collects and sends 61 parameter data about the actions performed on the user’s phone.
“In our opinion, this is really redundant information about user actions. Another risk is the fact that this rich statistical information is sent and stored in an encrypted channel on Xiaomi servers in third countries where BDAR is not valid, ”the report quoted Tautvydas Bakšys, Head of Innovation and Training, NKSC.
Block keywords
Various devices on the Xiaomi phone, including the Mi Browser, periodically receive a list of blocked keywords from the manufacturer, according to NKSC. When it detects that the content you want to send contains words in the list, the device automatically blocks that content.
At the time of the study, the list included 449 keywords or groups of keywords in Chinese characters, such as “Free Tibet”, “Voice of America”, “Democratic Movement”, “Longing for Taiwan Independence” and more.
“On Xiaomi phones sold in Lithuania, the content filtering function was disabled and no content censorship was performed, but the lists were sent periodically. The device has the technical ability to activate this filtering function remotely at any time without the user’s knowledge and begin to analyze the downloaded content. We do not rule out the possibility that the list of blocked words can be compiled not only in Chinese but also in Latin characters “, comments T. Bakšys.
The risk of personal data leakage was identified when the user chose to use the Xiaomi cloud service, Xiaomi Cloud, on the Xiaomi device, according to the NKSC. To activate this service, an encrypted SMS log message is sent from the device, which is not saved anywhere later.
“The researchers could not read the content of this encrypted message, so we cannot tell you what information the device sent. This automated sending of messages and the concealment of its content by the manufacturer poses potential threats to the security of personal data. of the user, since without his knowledge, data of unknown content can be collected and transmitted to servers in third countries “, says T. Bakšys.
A comment sent to Huawei Media indicates that AppGallery only collects and processes the data necessary for customers to find, install and manage third-party applications.
Choose the companies and topics that interest you: we will inform you in a personal newsletter as soon as they are mentioned in Verslo žinios, Sodra, the Center of Records, etc. sources
Write a comment
[ad_2]