This week, Lithuania’s Ministry of Defense urged its citizens to throw away popular Chinese 5G smartphones after it published a report slamming the devices for content censoring capabilities and improper data collection. The government audited three Chinese smartphone models—the Xiaomi Mi 10T 5G, Huawei P40 5G, and OnePlus 8T 5G—to assess potential cybersecurity issues, as Chinese phones have flooded the European market over the past year. The government criticism also comes at a time of seriously strained relations between China and Lithuania, touched off by a newly proposed Taiwan representative office in the Lithuanian capital of Vilnius.
Lithuanian @cert_lt investigated 5G cell phones made by 🇨🇳 manufacturers Xiaomi, Huawei & OnePlus. The initial results of the investigation show some cyber and personal data security risks. Study was initiated to ensure the safe use of 5G mobile devices and software sold in 🇱🇹. pic.twitter.com/ukw7InzQAk
— Lithuanian MOD (@Lithuanian_MoD) September 21, 2021
Amazing report from National Cybersecurity Security Center for Lithuania, they took apart some Chinese phones and discovered they have backdoors and censor talking about things, and the features can be activated remotely. https://t.co/P5hqiMB8Z2
— Kevin Beaumont (@GossiTheDog) September 22, 2021
One of the major findings in the report is that the Xiaomi smartphone model is able to censor certain terms. The report includes a blacklist of 449 key words and phrases related to issues sensitive to the CCP. The list includes terms such as “Free Tibet,” “Mongolian Independence,” “Long live Taiwan’s Independence Movement,” “89 Democracy Movement,” “Democratic Movement,” and “Voice of America.” It also includes some more puzzling choices, such as “Women’s Committee” and “People’s Daily.”
While the censorship function appears to be disabled for the “European Union region,” the report noted that Xiaomi is able to remotely and silently switch it on. Tom Bateman from Euronews described how the Lithuanian government urged its citizens to take no risks:
“We found that Xiaomi phones sold in Lithuania had the content filtering function disabled and did not censor content, but censored keyword lists were still sent periodically,” said NCSC head of innovation Tautvydas Bakšys in a statement.
“The device is technically enabled to activate the functionality remotely at any time without the user’s permission and to begin censoring the downloaded content,” Bakšys added.
At a presentation announcing the NCSC report, Lithuania’s Vice Minister of National Defence Margiris Abukevičius told reporters that consumers should not purchase phones from Chinese manufacturers.
“Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible,” he said. [Source]
Another major issue with the Xiaomi smartphone is opaque data collection methods. According to the report, the smartphone sent user data to servers in Singapore, a country not subject to Europe’s General Data Protection Regulation, which would normally protect smartphone users in Lithuania. Compounding the issue, Lithuania’s Vice Minister of Defense stated that over 200 government agencies have purchased thousands of these phones. Catalin Cimpanu at The Record, a cybersecurity news publication, detailed yet another serious data security problem:
In addition, officials said they also found a second issue impacting Xiaomi phones, which also sent an encrypted SMS message to Xiaomi servers whenever the owner chose to use the Xiaomi Cloud service.
“Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent,” Dr. Tautvydas Bakšys, one of the report’s authors, said on Wednesday.
After the SMS was sent, the message was also hidden from the device owner, another action which Lithuanian authorities saw as a sign of alarm.
Furthermore, officials said they also found that the Xiaomi phone also collected up to 61 data points about the device and its owner via the Mi Browser app, information it sent to a Google Analytics account and to Chinese servers. [Source]
OnePlus emerged from the report unscathed, but Huawei’s smartphone was criticized. As the BBC noted, the report found that the Huawei model often redirects users to malicious websites:
The report also highlighted a flaw in Huawei’s P40 5G phone, which put users at risk of cyber-security breaches.
“The official Huawei application store AppGallery directs users to third-party e-stores where some of the applications have been assessed by anti-virus programs as malicious or infected with viruses,” a joint statement by the Lithuanian Ministry of Defence and its National Cyber Security Centre said. [Source]
The growing global market share of Chinese smartphone manufacturers has raised concerns among government officials in the West. In the second quarter of 2021, Xiaomi became Europe’s largest smartphone seller and overtook Apple to become the second-largest in the world, with a 67 percent year-on-year increase in sales. The report noted that prior to the Lithuanian government’s investigation, hundreds of vulnerabilities had been detected on Xiaomi and Huawei devices, which is partly what prompted the audit. In the U.S., the Trump administration had placed Xiaomi on an “investment blacklist” of companies with ties to the Chinese military; this action was reversed by Biden administration officials in May of this year. Xiaomi has denied having ties to the Chinese military and challenged the findings of the Lithuanian report.
Another explanation for the Lithuanian government’s scrutiny of these Chinese smartphones relates to the growing tension between Lithuania and China over Taiwan. In July, Lithuania announced that it would host a “Taiwanese representative office” in its capital, which would be the first such office in Europe to use the name “Taiwan” instead of “Taipei.” The Chinese government was outraged, the Lithuanian government held fast to its decision, Beijing launched a barrage of tariffs in response, and in the end, both countries recalled their respective ambassadors. While the recent report reveals objectively worrisome security issues in certain Chinese smartphones, some have interpreted its public release and amplification by government officials as a way for the Lithuanian government to hit back at unwanted Chinese pressure. The Global Times insinuated as much, calling Lithuania the “anti-China vanguard” of Europe and claiming that Lithuania is only trying to cozy up to the U.S.:
The Baltic country is trying to gain protection from the US in national security as it considers a security threat from Russia imminent and also fears China, given close China-Russia ties, Liu said.
“A small country [Lithuania] dares to confront a major power [China]” can be considered a “public stunt” for the Lithuanian government to build up its image of a “democracy guardian and hero,” which can help it gain more public support and consolidate its regime, Liu said. [Source]
Lithuania is a typical US poodle and vicious attack dog these days. Who cares? There are only 2.8 million of them out there, like a small Chinese city.
— Chen Weihua （陈卫华） (@chenweihua) September 22, 2021
2/ Why did Lithuania 🇱🇹 just call out flaws in a flagship #Xaomi device?
Cherchez le Taiwan.
China🇨🇳 got very publicly angry over Taiwan opening an embassy in Lithuania using its own name.
Sure looks like the scrappy Baltic state just clapped back. https://t.co/nr9zHybmTj pic.twitter.com/KvoQEnmFGf
— John Scott-Railton (@jsrailton) September 22, 2021