20 New Vulnerabilities 'Pose A Threat To All Xiaomi Users,' Researchers Warn

Xiaomi users urged to update devices after researchers find a string of vulnerabilities. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Xiaomi smartphones have a host of security flaws that could allow hackers to steal passwords and compromise social media accounts, according to cybersecurity researchers. The 20 vulnerabilities are related to the Chinese company's deployment of Google's Android operating system. Xiaomi has fixed the flaws, and users should update their phones as soon as possible.

The flaws affected a wide range of software running on Xiaomi devices, from the settings app through to its Bluetooth software, said Sergey Toshin, founder of Oversecured, the mobile security startup that found the weaknesses. The most dangerous flaws could be abused to grant an attacker "system privileges," Toshin told Forbes, allowing theft of user passwords and access to private user files. However, Toshin does not believe the weaknesses were exploited by malicious hackers.

He said that if a hacker had wanted to exploit the most serious weaknesses, they'd likely try to install a malicious app on a Xiaomi phone, either via phishing or through pushing malicious apps on marketplaces like Google Play. From there, a hacker could use the app to exploit one of the weaknesses, and do things like intercept a victim's social network messages, harvest user contacts and collect information about their connected Bluetooth devices, Toshin said.

Oversecured disclosed the flaws to Xiaomi last week after testing them on a Xiaomi 13 Ultra. "We believe every device was vulnerable since [the flaws] are part of the firmware," Toshin said. He said the Chinese company patched the vulnerabilities within a week. Xiaomi confirmed it had remediated all the vulnerabilities.

He said Xiaomi might be able to avoid significant issues if it gave out larger rewards to hackers as part of its bug bounty program, which it runs over the HackerOne platform. According to HackerOne data, its average payout is between $80 and $100, and it's rewarded hackers with $2,600 in the last 90 days. Comparatively, Google paid out $3.4 million to Android security researchers in 2023.

A Xiaomi spokesperson said the company had "an industry-leading security team" and was working with Google and HackerOne "to build secure Android systems." But Toshin said Xiaomi's current payouts were "significantly lower than those of Google" and that "Xiaomi needs to invest more resources in the security of its devices."
