Although the flaw in the analytics package in Xiaomi’s custom-built Android-based operating system has been fixed, it could be a while before users install the patch.
Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to remote code execution through a so-called “man-in-the-middle” attack, allowing an attacker to run arbitrary code at the system level.
Xiaomi is advising users to update their devices as soon as possible. The flaws stem from a lack of encryption and of code checking and verification. The risk is that if the phone is already hacked, the update itself could in theory be modified in transit, although the attackers would have to be rather quick.
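The missing control the article points to, verification of the code an update channel delivers, as an added example in Go (not code from Xiaomi, IBM or the article): a constructed Ed25519 vendor key signs the update bundle, and the installer refuses any bundle whose bytes no longer match the signature, which is exactly what a modification in transit produces. The bundle format, key and module name are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UpdateBundle is what the update channel delivers: code plus a detached signature.
type UpdateBundle struct {
	Code      []byte
	Signature []byte
}

// newVendorKey makes a constructed signing key for the demo; a real device ships only the pinned public half.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the vendor-side step: sign the exact bytes that will ship.
func signUpdate(priv ed25519.PrivateKey, code []byte) UpdateBundle {
	return UpdateBundle{Code: code, Signature: ed25519.Sign(priv, code)}
}

// verifiedInstall loads code only if the signature verifies under the pinned
// key; the flawed package loaded whatever arrived, with no such check.
func verifiedInstall(pub ed25519.PublicKey, b UpdateBundle) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, b.Code, b.Signature) {
		return nil, fmt.Errorf("update rejected: signature does not verify")
	}
	return b.Code, nil
}

// tamper simulates an on-path change of one byte of the payload in transit.
func tamper(b UpdateBundle) UpdateBundle {
	code := append([]byte(nil), b.Code...)
	code[0] ^= 0xff
	return UpdateBundle{Code: code, Signature: b.Signature}
}

func main() {
	pub, priv := newVendorKey()
	genuine := signUpdate(priv, []byte("analytics-module-v2"))
	_, err := verifiedInstall(pub, tamper(genuine))
	fmt.Println("tampered update:", err) // signature no longer matches
}
```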
Companies are getting into more trouble over the software they supply with their hardware. Lenovo faced a scandal when some of its bloatware arrived with a particularly nasty security flaw. It fixed the problem and pushed out a patch, but the case highlighted the risks for suppliers in providing such software to users.