Noticeboard

White-hats make more secure

Post by Geng Yang 杨更 at 2015-03-14 18:10:10

Most of you have probably read a particularly alarming blog post from Bluebox published about the Mi 4 recently, which got picked up by press around the world.

First and foremost, we’d like to emphasize that after a full investigation, we have determined that the device that Bluebox tested was a counterfeit product purchased from an unofficial channel off the streets in China. Bluebox has also acknowledged this in an updated blog post.

“After we got the correct version of the AntiFake app installed on our device we could validate the validity of the device. The device now reports as not legitimate which corroborates the findings from Xiaomi.” – Andrew Blaich, Lead Security Analyst of Bluebox

Despite this, users may still have concerns about some issues. I lead the security team at Xiaomi and I’ll provide answers to these questions below from my perspective.

1. Why didn’t the Xiaomi security team respond to Bluebox’s responsible disclosure in time?

First of all, let me list out the facts.

a) security@xiaomi.com received three emails from andrew@bluebox.com on February 18, 2015, February 19, 2015 and February 24, 2015.

b) security@xiaomi.com had its spam filter turned on, because of the volume of spam and junk mail the address has received since it was published online.

c) The emails from andrew@bluebox.com were unfortunately marked as spam by the filter and thus stayed unread until March 5, 2015.

d) Since March 5, my team has been working closely with Bluebox to resolve the issues at hand.

I do acknowledge that it was a lapse on our part for not responding to Bluebox in time. On behalf of Xiaomi, I apologize for the amateur mistake of placing a spam filter on that important email account.

However, I’d like to highlight a valid concern: Were Bluebox’s attempts to contact Xiaomi adequate, given the severity of their accusations?

This issue has, however, given us the impetus to further improve our response to responsible disclosures.

The responsible disclosure process is not new to Xiaomi. We have an official responsible disclosure policy and we offer a bug bounty program. The program has been running for over a year, and 144 white-hats have responsibly disclosed vulnerabilities to us via this channel. About half of the vulnerabilities disclosed turn out to be valid bugs with various severities. All vulnerabilities received by February 18, 2015, were from the Chinese security community and we therefore had not invested resources into the internationalization of that page.

To improve this aspect of our operations, we are taking the following steps:

a) We have turned off the spam filter on the security@xiaomi.com email address.

b) We have read through all the old emails in the spam folder, and we have assigned an engineer to read every email sent to security@xiaomi.com manually from now on.

c) We have written a script that sends a heartbeat email to security@xiaomi.com daily, to ensure the address stays alive.

d) We have internationalized our responsible disclosure policy page. We are also working on ways to pay overseas white-hats in US dollars.

2. If Bluebox can be fooled, how can hundreds of millions of customers be savvy enough to identify a counterfeit? Can Xiaomi make it impossible for others to counterfeit or tamper with a legitimate device?

These are complex issues, and here is why:

a) The counterfeit issue is basically a problem of authentication. Unfortunately we can’t digitally sign the hardware (yet), and even if we did, consumers could not verify the signature with their naked eyes.

b) Every security expert knows that no device can be bullet-proof against physical attacks. I don’t think Bluebox, Apple or the NSA can build such a magic device. Even the iPhone was tampered with via a bogus charger a little over a year ago. It is only a matter of making the device harder to tamper with. Unless devices can be truly individualized, it is always possible for someone to figure out a way to jailbreak a device and weaponize that into a tool everyone can use. According to this Wikipedia page, all older iPhones have been jailbroken within months or even days.

How exactly can a fake device show benchmark scores that indicate it is a real device?

This thread may help you understand how this is possible: some fans in Vietnam have screenshots of a fake Mi 4 tricking CPU-Z and Antutu into identifying the phone as real: http://en.miui.com/thread-42873-1-1.html. Here is how it works:

a) Some “entrepreneurial” retailers pre-install tampered versions of the apps people typically use to verify the hardware (CPU-Z, Antutu and the like) in a hidden folder on the device.

b) When the user installs an app, the tampered installer compares the name of the newly downloaded package against the contents of that folder; on a match, the tampered copy is installed instead of the one the user just downloaded.

c) The user therefore ends up running a tampered app that reports results matching a real device, even though the download itself was genuine.

Counterfeit product manufacturers are getting smarter every day. Here are the steps Xiaomi has taken to counter the problem of counterfeit devices:

a) We recommend that consumers only purchase Xiaomi devices through Mi.com and our select retail partners, such as official mobile operator stores. In security terms: when the data is in plaintext, you have to rely on a dedicated, trusted delivery channel to protect its integrity.

Rajat Agrawal said it perfectly here: “It is not just the Apple iPhones and Samsung Galaxies that get counterfeited there but even local Chinese smartphone brands that are popular but are limited in supply. Xiaomi is a perfect example, as thousands of units of its smartphones get snapped up within minutes if not seconds during flash sales. However, the counterfeiting is quite contained internally, since strict import regulations and checks ensure that these units never make it to western countries.” It is therefore understandable that a lot of people based outside China have very little experience dealing with counterfeit products, especially if there aren’t legitimate devices to compare with.

b) Xiaomi created a “Mi Identifier” app, available on https://jd.mi.com, which is where Bluebox downloaded it. On that page there is red Chinese text on a glaring yellow background that reminds the user: “Note: the verification result will only be displayed on this webpage. It should be a counterfeit if the result is shown on the mobile phone directly.” It is therefore understandable that a foreigner who cannot read Chinese would miss the warning. We are working on the international version of this app right now.

c) Without disclosing any technical details, I can say that Xiaomi’s engineers are working hard to improve tamper resistance in future versions of our devices.

As a security engineer myself, if I were to set out to do research on Mi devices from the US, I would personally take a few more steps for precaution:

a) Ask two trusted friends in China or India (two independent sources) to make separate purchases from official channels and bring those devices to me with the chain of custody maintained;

b) If the chain of custody is broken, consider every result shown in the device’s own UI untrusted;

c) After finding the resigned CPU-Z in the hidden directory, disassemble that app and find out why it is there;

d) etc.

We received a sample of a resigned “Mi Identifier” APK file from Bluebox. We had the following findings within 10 minutes:

a) The code is pseudo-encrypted, which we never do. It is presumably hiding behavior in the encrypted part.

b) The file cannot be installed on a normal Android device.

c) The code first checks whether it is running on the tampered ROM. If not, it crashes.

After removing that checking line in the code, we repackaged the app and got it running on a Samsung phone. It reported the Samsung device as a Mi 4!
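The substitution trick described above (a hidden folder of tampered apps that wins over whatever the user just downloaded) and the resigned “Mi Identifier” sample come down to the same lesson: a package name is not an identity, the signing certificate is, and the check has to run somewhere the counterfeit ROM cannot reach, such as a host that has pulled the APK over adb. The following is an added example, not code from Xiaomi, Bluebox or the original post. It models the install hook, then verifies the signer of what actually got installed against a fingerprint allow-list. All certificates, package names and APK contents are constructed placeholders; the PKCS#7 walker handles only the SignedData layout of a JAR-scheme (v1) META-INF/*.RSA block, and a production check should use `apksigner verify --print-certs` and compare against the fingerprint the publisher distributes out of band.

```python
import hashlib
import io
import zipfile

def der(tag, body):
    """Encode one DER TLV (single-byte tag); used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def der_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def signer_certs(pkcs7):
    """Certificates in a PKCS#7 blob: ContentInfo { OID, [0] EXPLICIT SignedData },
    SignedData { version, digestAlgorithms, encapContentInfo,
                 [0] IMPLICIT SET OF Certificate, ..., signerInfos }."""
    _, content_info, _ = der_tlv(pkcs7, 0)
    _, _oid, pos = der_tlv(content_info, 0)
    _, explicit0, _ = der_tlv(content_info, pos)
    _, signed_data, _ = der_tlv(explicit0, 0)
    pos = 0
    while pos < len(signed_data):
        tag, body, pos = der_tlv(signed_data, pos)
        if tag == 0xA0:  # [0] IMPLICIT certificates
            certs, q = [], 0
            while q < len(body):
                t, _, q2 = der_tlv(body, q)
                if t == 0x30:  # each Certificate is a SEQUENCE
                    certs.append(body[q:q2])
                q = q2
            return certs
    return []

def signer_fingerprints(apk_bytes):
    """Sorted SHA-256 fingerprints of every signer certificate in the APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in signer_certs(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return sorted(fps)

def is_trusted(apk_bytes, trusted_fingerprints):
    """True only if the APK has at least one signer and every signer is on the allow-list."""
    fps = signer_fingerprints(apk_bytes)
    return bool(fps) and all(fp in trusted_fingerprints for fp in fps)

# Constructed sample below: placeholder certificates, package names and APK contents.
def fake_cert(subject):
    """Stand-in for an X.509 Certificate SEQUENCE; the walker needs only the outer tag."""
    return der(0x30, der(0x30, der(0x13, subject.encode())))

def make_pkcs7(cert_der):
    signed_data = (der(0x02, b"\x01")                                           # version
                   + der(0x31, b"")                                             # digestAlgorithms
                   + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
                   + der(0xA0, cert_der)                                        # certificates
                   + der(0x31, b""))                                            # signerInfos
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, der(0x30, signed_data)))

def build_apk(package, cert_der):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", f"package={package}".encode())
        z.writestr("classes.dex", b"dex\n035\x00" + package.encode())
        z.writestr("META-INF/CERT.RSA", make_pkcs7(cert_der))
    return buf.getvalue()

PUBLISHER_CERT = fake_cert("CN=app publisher (placeholder)")
RESELLER_CERT = fake_cert("CN=reseller resigning key (placeholder)")
TRUSTED = {hashlib.sha256(PUBLISHER_CERT).hexdigest()}  # fingerprint published out of band

DOWNLOADED = build_apk("com.example.cpuinfo", PUBLISHER_CERT)  # what the user fetched
HIDDEN_FOLDER = {"com.example.cpuinfo": build_apk("com.example.cpuinfo", RESELLER_CERT)}

def counterfeit_install(package, downloaded_apk):
    """The retailer's hook: a package-name match beats what the user actually downloaded."""
    return HIDDEN_FOLDER.get(package, downloaded_apk)

if __name__ == "__main__":
    installed = counterfeit_install("com.example.cpuinfo", DOWNLOADED)
    print("downloaded APK trusted:", is_trusted(DOWNLOADED, TRUSTED))  # True
    print("installed APK trusted: ", is_trusted(installed, TRUSTED))   # False
```

Run as a script it prints True for the APK the user downloaded and False for the copy the hook actually installed, even though both carry the same package name. is_trusted also rejects an APK with no signer block at all: an empty signer list is not a trust decision either, which matters when the device’s installer, not the user, decides what lands on disk.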

3. If they had been testing on a legitimate Mi 4 device, how many statements in the original Bluebox blog post would be inaccurate?

I’d like to make it 100% clear that:

a) None of the malware listed in Bluebox’s blog post is preinstalled on any legitimate Mi phone. Xiaomi would never do such a thing. In fact, I would resign from the company if anything like that happened while I am here.

b) The release version of the Mi 4 is not rooted and has USB debugging disabled by default. The release ROMs for the Mi 4 shipped to our customers are signed with our release key.

c) All the recent China MIUI builds we have submitted have passed CTS and GTS, including the most recent build on March 5, 2015.

d) Google services are not available in China, so we had to provide the Mi App Store as an alternative to Google Play for our customers there. Mi phones sold outside China do not have the Mi App Store preinstalled; they all ship with Google services, including Google Play, preinstalled.
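Item b above (not rooted, USB debugging off, signed with the release key) is something a customer can check from a host machine rather than from the phone’s own UI. The following is an added example, not from Xiaomi or the original post: it parses `adb shell getprop` output and flags the build properties that a signed, non-debuggable production build should not carry. The two property dumps are constructed samples, not captures from a real Mi 4; the property names and value conventions (`ro.build.tags`, `ro.build.type`, `ro.debuggable`, `ro.secure`) are standard Android.

```python
import re

# `adb shell getprop` prints one property per line as [name]: [value]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn getprop output into a dict; lines that do not match the format are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def release_build_findings(props):
    """Reasons the build does NOT look like a signed, non-rooted, non-debuggable release.
    A missing property counts against the build: the check is conservative on purpose."""
    findings = []
    tags = props.get("ro.build.tags")
    if tags != "release-keys":
        findings.append(f"ro.build.tags={tags!r}: not signed with the release keys")
    build_type = props.get("ro.build.type")
    if build_type != "user":
        findings.append(f"ro.build.type={build_type!r}: not a production 'user' build")
    if props.get("ro.debuggable") != "0":
        findings.append("ro.debuggable != 0: any app on the device can be debugged")
    if props.get("ro.secure") != "1":
        findings.append("ro.secure != 1: adbd is allowed to run as root")
    return findings

# Constructed samples, not captures from a real device.
SAMPLE_RELEASE = """\
[ro.build.id]: [KTU84P]
[ro.build.version.release]: [4.4.4]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

SAMPLE_TAMPERED = """\
[ro.build.id]: [KTU84P]
[ro.build.version.release]: [4.4.4]
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""

def report(text):
    """One line per finding, or a single OK line; suitable for piping getprop output into."""
    findings = release_build_findings(parse_getprop(text))
    return "\n".join(findings) if findings else "build properties look like a release build"

if __name__ == "__main__":
    import sys
    # `adb shell getprop | python check_build.py`; with no piped input, use the tampered sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TAMPERED
    print(report(source))
```

Two caveats a practitioner would keep in mind. First, these values come from the device, so a tampered ROM can report whatever it likes; the check only means something once the device’s provenance is trusted, which is exactly the point made above about treating the device’s own UI as untrusted. Second, if adb connects to a factory-fresh device without USB debugging having been enabled in Settings, that alone already contradicts the claim, whatever the properties say.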

We also ran the Bluebox testing app on a Mi 4 LTE device running Android 4.4.4 (build KTU84P) and MIUI V6.2.1.0.KXDCNBK. Our customers can run the same test on their own Mi 4 devices. The app itself is useful, but like any software, it doesn’t tell the whole story. Let me explain the weaknesses reported by the Bluebox app first:

a) “-1.50 Device has known vulnerabilities”: This was due to the GraphicsBuffer overflow bug, which Google patched in February 2015; the fix has been integrated into our next release, due in April on the latest MIUI version.

b) “-0.50 User installed system app present”: This was due to a preinstalled system app called iflytek, a voice assistant. It was installed on the data partition because it is too large to fit on the system partition.

c) “-0.50 Large number of root cert enabled”: We simply reused the Android Open Source Project’s certificate store.

d) “-0.30 Large number of app with system privilege”: I assume this depends on how many apps were installed.

This app also doesn’t consider the fact that MIUI has added a few innovative security features that are not available on other Android phones, and I would like to suggest a few changes:

a) “+1.50 permission manager enabled”: MIUI has let users allow or deny each permission for each app since its first release in 2010.

b) “+1.00 all apk files are automatically scanned”: MIUI has a built-in virus scanning engine that automatically scans every APK during installation.

c) “+0.50 Auto-start service manager enabled”: MIUI lets users allow or deny auto-start for each app. I don’t see that on any other Android phone.

Thanks for reading this far. I hope we have all learned something from this incident and can move on from here. We look forward to collaborating with all white-hats (Bluebox included) in the future, to make Mi phones more secure together.
