IBM discovers critical bugs in Xiaomi MIUI OS
Xiaomi is world’s third largest smartphone manufacturer, which managed to sell over 70 million devices last year alone. Millions of these devices could be vulnerable to a severe remote code execution (RCE) flaw that grants attackers complete control of the infected devices. This vulnerability exists in the company’s implementation of the Android operating system. MIUI, a custom flavor based on Android 6.0 Marshmallow, ships with Xiaomi’s devices, and is also available to be flashed on devices sold by other vendors.
Discovered by IBM X-Force researcher David Kaplan, this flaw potentially offers attackers privileged network access (e.g. public WiFi), using which they can install malware remotely on the affected devices. This vulnerability was present in the analytics packages that exists in various applications shipping with MIUI. All these apps in the MIUI Developer ROM version 6.1.8 are vulnerable to remote code execution via man-in-the-middle attacks, including the built-in browser app.
These apps offer different capabilities and privileges, researchers warned. Vulnerable apps could be abused to provide ROM updates remotely, enabling apps to run with the privileges of its host app. These updates are performed over an insecure HTTP link, instead of HTTPS, making way for MitM attacks. “If a vulnerable application was found to be running as the system user, a good portion of the Android’s user space would be compromised,” Kaplan said.
IBM informed Xiaomi of this vulnerability in January, and the company has now patched it. Xiaomi has started sending over-the-air updates to its devices worldwide. Users are advised to update to MIUI Global Stable version 7.2 based on Android 6.0 as soon as it becomes available to get these critical fixes.
