I didn’t believe it at first when I read this article today. However, if you are that power-user kind of guy or gal who isn’t afraid of the command line, you can do the same experiment that I performed and discover the hidden backdoors in the very backyard of your Xiaomi phone or tablet. Here is what I did on my stock Xiaomi MiPad-1 tablet running the KitKat-based MIUI (Global ROM v126.96.36.199) to discover these backdoors (you don’t need to be rooted in order to do this):
- Head over to the Play Store and install any terminal app; the one from Jack Palevich is the standard one.
- Disconnect from the Internet and restart the device (make sure that you greenify all apps that start automatically in the background, like WhatsApp/Skype, before that).
- Now, without connecting to the Internet, open the terminal app and run this command to check for open TCP connections: `netstat -atp`
- It should show you zero connections as you are not online yet.
- Now, connect to the Internet and after a few seconds, run that command again. What should you ideally see? Zero connections because you don’t have any app running yet. However, this is what I saw:
What this means is that Xiaomi has a background app constantly running which establishes a connection with some backend servers as soon as you connect to the Internet. For example, as shown on the first line, an app is listening on the XMPP port and connected to the IP 188.8.131.52. When I looked up this IP address on the Internet, it was traced to some Chinese ISP, thus confirming my suspicion.
What this essentially means is that the person on the other end of this connection may be doing anything to our device through this established TCP connection. Now, it could well be the case that the app is genuinely listening for an update or something, but as we all know, a backdoor such as this can be exploited by any hackers and used in unintended ways.
By way of this post, it's my sincere request to Xiaomi to fix these loopholes in their next updates. Updates should be checked by apps at a certain frequency (like once in two days), not by constantly leeching in on the network resources. I really hope that some OTA update comes up soon that takes care of this.
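The offline/online comparison from the steps above can be made repeatable by saving both `netstat` outputs to files and diffing them. The script below is an added example, not part of the original post: it lists TCP connections that are ESTABLISHED only in the second capture and labels the remote port, ignoring LISTEN rows, which are local sockets rather than connections to a server. The function names, sample addresses (documentation ranges) and the net-tools style column layout are assumptions.

```shell
#!/bin/sh
# new_established BEFORE AFTER
# Prints "remote_addr:port label program" for every TCP connection that is
# ESTABLISHED in AFTER but absent from BEFORE.
new_established() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            key = $4 " " $5                      # local + remote endpoint
            if (FILENAME == ARGV[1]) { seen[key] = 1; next }
            if (key in seen) next
            n = split($5, parts, ":")            # last field is the port,
            port = parts[n]                      # also for IPv6-mapped rows
            # netstat prints service names unless -n is given; accept both.
            if (port == "5222" || port == "xmpp-client") label = "xmpp-client"
            else if (port == "443" || port == "https")   label = "https"
            else                                         label = "other"
            print $5, label, (NF >= 7 ? $7 : "-")
        }
    ' "$1" "$2"
}

# Constructed sample captures: offline (before) and online (after).
sample_before() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address    State        PID/Program name
tcp        0      0 127.0.0.1:5037   0.0.0.0:*          LISTEN       -
EOF
}
sample_after() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address    State        PID/Program name
tcp        0      0 127.0.0.1:5037   0.0.0.0:*          LISTEN       -
tcp        0      0 10.0.0.5:41822   203.0.113.7:5222   ESTABLISHED  -
tcp6       0      0 ::ffff:10.0.0.5:50110 ::ffff:198.51.100.9:443 ESTABLISHED -
EOF
}

# Demo run on the constructed data.
tmp=$(mktemp -d)
sample_before > "$tmp/before.txt"
sample_after  > "$tmp/after.txt"
new_established "$tmp/before.txt" "$tmp/after.txt"
rm -rf "$tmp"
```

On a device, replace the sample files with the two saved captures; a `-` in the last column means the owning process was not visible without root, so attributing the connection to a specific app needs a further check.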