Incident: Xiaomi Mobile Phones Found with Built-in Censorship Capabilities

Published Date: 2021-09-21

Postmortem Analysis
Timeline
1. The software failure incident involving Xiaomi's Mi 10T 5G phone with built-in censorship capabilities was reported when the article was published on September 21, 2021 [119381].

System
The software failure incident reported in Article 119381 involved the following systems/components/models:
1. Xiaomi Mi 10T 5G phone software - had built-in censorship capabilities to detect and censor specific terms like "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381].
2. P40 5G phone by China's Huawei - a security flaw was found in this phone [119381].

Responsible Organization
1. Xiaomi Corp was responsible for causing the software failure incident by including built-in censorship capabilities in its Mi 10T 5G phone software, as reported by Lithuania's Defence Ministry and National Cyber Security Centre [119381].

Impacted Organization
1. Consumers in Europe were impacted by the software failure incident involving Xiaomi's Mi 10T 5G phone, as it had built-in censorship capabilities [119381].

Software Causes
1. The software cause of the failure incident was the built-in censorship capabilities in Xiaomi's Mi 10T 5G phone software, which could detect and censor terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381].

Non-software Causes
1. Geopolitical tensions between Lithuania and China, leading to strained relations and diplomatic issues [119381].
2. Concerns over data privacy and security due to the discovery of encrypted phone usage data being sent to a server in Singapore [119381].

Impacts
1. Xiaomi's Mi 10T 5G phone software had built-in censorship capabilities, detecting and censoring terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381].
2. The incident led to the recommendation from Lithuania's Defense Ministry that consumers avoid buying new Chinese phones and dispose of the ones they already have as quickly as reasonably possible [119381].
3. The relationship between Lithuania and China soured further as a result of the incident, with China demanding the withdrawal of Lithuania's ambassador in Beijing and recalling its envoy to Vilnius [119381].
4. The software flaw also involved the Xiaomi phone sending encrypted phone usage data to a server in Singapore, raising concerns about data privacy and security [119381].

Preventions
1. Implementing thorough security assessments and audits during the development phase of the software to identify and address any potential vulnerabilities [119381].
2. Conducting regular security checks and updates on the software to ensure that any potential risks or flaws are promptly addressed [119381].
3. Establishing strict data privacy and security protocols to prevent unauthorized access or transmission of sensitive user information [119381].

Fixes
1. Implement a software update to permanently disable the built-in censorship capabilities in Xiaomi's Mi 10T 5G phone for all regions, ensuring that the censorship feature cannot be turned on remotely [119381].

References
1. Lithuania's Defense Ministry
2. Defence Deputy Minister Margiris Abukevicius
3. National Cyber Security Centre
4. Xiaomi Corp
5. Huawei's representative in the Baltics
6. BNS news wire
7. U.S. President Joe Biden's national security adviser Jake Sullivan
8. Taiwanese Representative Office
9. Reuters

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to censorship capabilities in Chinese mobile phones, specifically Xiaomi's Mi 10T 5G phone, occurred within a single organization, Xiaomi Corp. The incident involved built-in censorship capabilities that could detect and censor certain terms. The Defence Ministry's National Cyber Security Centre found that the censorship capability had been turned off for the European Union region but could be turned on remotely at any time [119381]. (b) The article does not explicitly state that the censorship-related software failure incident occurred at multiple organizations.
Phase (Design/Operation) design, operation (a) The design-phase aspect of the software failure incident is evident in the article, which reports that Lithuania's Defense Ministry recommended that consumers avoid buying Chinese mobile phones, specifically mentioning Xiaomi's Mi 10T 5G phone, because of built-in censorship capabilities. The censorship capability in Xiaomi's software had been turned off for the "European Union region" but could be turned on remotely at any time [119381]. (b) The operation-phase aspect is also apparent: the Xiaomi phone was sending encrypted phone usage data to a server in Singapore, indicating a potential privacy and security concern arising from the operation of the device [119381].
Boundary (Internal/External) within_system (a) The software failure incident related to the Xiaomi mobile phones' censorship capabilities can be categorized as within_system. The article mentions that the Xiaomi Mi 10T 5G phone software had a built-in ability to detect and censor specific terms, such as "Free Tibet" and "Long live Taiwan independence" [119381]. This censorship capability was present within the software of the phone itself, indicating that the failure originated from within the system. Additionally, the article highlights that the capability had been turned off for the European Union region but could be turned on remotely at any time, further emphasizing that the issue was internal to the software system of the phone.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident related to non-human actions in this case is the built-in censorship capabilities found in Xiaomi's Mi 10T 5G phone software. The software had the ability to detect and censor specific terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381]. (b) The software failure incident related to human actions is the potential for the censorship capabilities in Xiaomi's phones to be turned on remotely at any time. This indicates that human actions could potentially activate the censorship features in the software [119381].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware: The article mentions that the Xiaomi Mi 10T 5G phone software had a built-in ability to detect and censor certain terms, but this capability had been turned off for the European Union region. However, it was highlighted that this censorship capability could be turned on remotely at any time, indicating a potential hardware-related issue where the software could be manipulated externally [119381]. (b) The software failure incident related to software: The article discusses how the Xiaomi phone's software had a flaw that allowed it to censor specific terms such as "Free Tibet" or "democracy movement." This indicates a software-related issue where the software itself was designed to censor certain content, which could be activated remotely [119381].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. The article reports that Lithuania's Defense Ministry recommended that consumers avoid buying Chinese mobile phones, specifically mentioning Xiaomi's Mi 10T 5G phone, because of built-in censorship capabilities that can detect and censor terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381]. Additionally, the article mentions that the phone was sending encrypted phone usage data to a server in Singapore, indicating potential privacy concerns and malicious intent behind the software capabilities.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The intent of the software failure incident was related to poor_decisions. The failure was due to the built-in censorship capabilities in Xiaomi's Mi 10T 5G phone software, which could detect and censor terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement". The censorship could be turned on remotely at any time, indicating a deliberate decision to include such functionality [119381]. (b) The incident also involved accidental_decisions, as the report mentioned a security flaw in the P40 5G phone by China's Huawei. This flaw was likely unintentional rather than a deliberate decision, indicating a mistake or unintended consequence in the software [119381].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The development-incompetence aspect of the software failure incident is evident in the article: the Xiaomi Mi 10T 5G phone software had a built-in ability to detect and censor specific terms such as "Free Tibet", "Long live Taiwan independence", or "democracy movement". This censorship capability was discovered by Lithuania's state-run cybersecurity body, indicating a lack of professional competence in the development process that allowed such censorship features to be included in the software [119381]. (b) Accidental factors are not explicitly mentioned in the provided article.
Duration temporary The software failure incident reported in the article is temporary. The article mentions that the censorship capabilities in Xiaomi's Mi 10T 5G phone software had been turned off for the "European Union region" but can be turned on remotely at any time [119381]. This indicates that the failure is temporary and can be activated remotely under certain circumstances.
Behaviour omission, value, other (a) crash: The software failure incident described in the article is not related to a crash in which the system loses state and performs none of its intended functions [119381]. (b) omission: The software failure incident is related to the system omitting to perform its intended functions at one or more instances, by having built-in censorship capabilities that detect and censor specific terms like "Free Tibet", "Long live Taiwan independence", or "democracy movement" in Xiaomi's Mi 10T 5G phone software [119381]. (c) timing: The software failure incident is not related to timing issues in which the system performs its intended functions correctly but too late or too early [119381]. (d) value: The software failure incident is related to the system performing its intended functions incorrectly by censoring the specific terms mentioned above [119381]. (e) byzantine: The software failure incident is not related to byzantine behavior in which the system behaves erroneously with inconsistent responses and interactions [119381]. (f) other: The software failure incident also involves a security flaw in the P40 5G phone by Huawei, the sending of encrypted phone usage data to a server in Singapore, and a list of terms that could be censored by the Xiaomi phone's system apps [119381].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence non-human (a) death: There is no mention of any deaths resulting from the software failure incident in the provided article [119381]. (b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [119381]. (c) basic: The software failure incident did not impact people's access to food or shelter as per the article [119381]. (d) property: The software failure incident did not result in any direct impact on people's material goods, money, or data as reported in the article [119381]. (e) delay: There is no mention of any activities being postponed due to the software failure incident in the article [119381]. (f) non-human: The software failure incident did impact non-human entities, specifically mentioning the Xiaomi phone's built-in censorship capabilities and the sending of encrypted phone usage data to a server in Singapore [119381]. (g) no_consequence: The article does not mention that there were no real observed consequences of the software failure incident [119381]. (h) theoretical_consequence: The article discusses potential consequences of the software failure incident, such as the censorship capabilities of the Xiaomi phone and the security flaw found in the Huawei phone, but it does not mention these potential consequences actually occurring [119381]. (i) other: The article does not mention any other specific consequences of the software failure incident beyond the censorship capabilities and data transmission issues highlighted [119381].
Domain information, finance, government (a) The software failure incident reported in the news article is related to the information industry. The incident involves Chinese mobile phones, specifically Xiaomi's Mi 10T 5G phone, which were found to have built-in censorship capabilities to detect and censor certain terms like "Free Tibet", "Long live Taiwan independence", or "democracy movement" [119381]. (h) The incident also has implications for the finance industry, as it involves the security and privacy of user data being sent externally by the Xiaomi phone to a server in Singapore [119381]. (m) The incident also touches on the government sector, as it mentions the strained relations between Lithuania and China, with China demanding actions related to diplomatic missions, indicating a political dimension to the situation [119381].

Sources
