Source | International investment bank research report
[Abstract]: May 1st could be called Lei Jun's holiday, since many people say Lei Jun is a model worker. But a certain hacker may also be a model worker, and this time model worker Lei Jun may have run into a thorny challenge from a model-worker hacker.
On Labour Day, Forbes published a well-known hacker's investigation stating that Xiaomi smartphones infringe personal privacy on a large scale: even in anonymous incognito browsing mode they upload your browsing history, including private information such as visits to pornographic websites, and the uploads carry identifying information about your phone.
Xiaomi then responded publicly in a blog post, saying the hacker's claims were untrue and that the hacker may not have understood Xiaomi's privacy policy.
But a look at the hacker's tweets shows he is not backing down: he did not take Labour Day off, recorded a video of Xiaomi's data transmissions specifically, and declared, "I am your worst PR nightmare."
South China Morning Post: Researcher says
Xiaomi phones send search and browsing data back to China
"It's a backdoor with phone functionality," quips Gabi Cirlig about his new Xiaomi phone. He's only half-joking.
Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi.
The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company.
When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.
The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.
Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.
Many more millions are likely to be affected by what Cirlig described as a serious privacy issue, though Xiaomi denied there was a problem. Valued at $50 billion, Xiaomi is one of the top four smartphone makers in the world by market share, behind Apple, Samsung and Huawei. Xiaomi’s big sell is cheap devices that have many of the same qualities as higher-end smartphones. But for customers, that low cost could come with a hefty price: their privacy.
Cirlig thinks that the problems affect many more models than the one he tested. He downloaded firmware for other Xiaomi phones—including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices. He then confirmed they had the same browser code, leading him to suspect they had the same privacy issues.
And there appear to be issues with how Xiaomi is transferring the data to its servers. Though the Chinese company claimed the data was encrypted in transit to protect user privacy, Cirlig found he could quickly see exactly what was being taken from his device: the payload was merely base64-encoded. Base64 is a reversible encoding, not encryption; it hides nothing from anyone who captures the traffic, and it took Cirlig only a few seconds to turn the apparently garbled data into readable chunks of information.
"My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user," warned Cirlig.
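Cirlig's two observations, that base64 is encoding rather than encryption and that device identifiers travel alongside the URLs, are the kind of claims a practitioner should be able to check against a captured request. The following Python script is an added example, not code from Forbes, Xiaomi or Sensors Analytics: it takes a constructed request body (the `data=<base64>` form layout and every field name and value in it are assumptions, not the real SDK format), reverses the base64, uses UTF-8 decodability and byte entropy to separate readable plaintext from what genuine ciphertext looks like, and then lists the decoded fields (device identifiers, full URLs carrying search queries) that let a server correlate an "anonymous" event with one device and one person.

```python
"""Triage an analytics request whose payload is claimed to be "encrypted".

Added example, not code from Forbes, Xiaomi or Sensors Analytics. The request
layout (a form field `data` carrying base64) and every field name and value
below are constructed for illustration, not the real SDK format.
"""
import base64
import binascii
import json
import math
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed event, roughly what a browser analytics SDK might report.
SAMPLE_EVENT = {
    "event": "page_view",
    "time": 1588300000000,
    "distinct_id": "a1b2c3d4e5f60718",
    "properties": {
        "url": "https://duckduckgo.com/?q=private+search+test",
        "incognito": True,
        "android_id": "9774d56d682e549c",
        "os_version": "9",
        "model": "Redmi Note 8",
    },
}


def encode_event(event: dict) -> str:
    """Wrap an event the way a naive SDK might: JSON -> base64 -> form field."""
    blob = base64.b64encode(json.dumps(event, separators=(",", ":")).encode()).decode()
    return urlencode({"data": blob, "gzip": "0", "ver": "1"})


# Two constructed bodies: base64 of JSON, and base64 of a stand-in for real
# ciphertext (every byte value once: not valid UTF-8, 8 bits/byte of entropy).
CAPTURED_BODY = encode_event(SAMPLE_EVENT)
OPAQUE_BODY = urlencode({"data": base64.b64encode(bytes(range(256))).decode(), "gzip": "0", "ver": "1"})

ID_KEY_RE = re.compile(r"(id|imei|serial|mac|uuid|udid)$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for JSON or English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_body(body: str) -> Optional[bytes]:
    """Extract the `data` field from a form-encoded body and base64-decode it."""
    token = parse_qs(body).get("data", [None])[0]
    if token is None:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_correlators(obj, path=""):
    """Walk decoded JSON; return (path, value) for identifier-like keys and URLs.

    These are the fields that let a server tie an "anonymous" event to one
    device (ids) and reveal what the user was doing (URLs, which carry queries).
    """
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            p = f"{path}.{key}" if path else key
            if isinstance(val, (dict, list)):
                hits.extend(find_correlators(val, p))
            elif isinstance(val, str) and (ID_KEY_RE.search(key) or URL_RE.match(val)):
                hits.append((p, val))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_correlators(val, f"{path}[{i}]"))
    return hits


def triage(body: str) -> dict:
    """Decide whether the payload is really encrypted and what it leaks if not."""
    raw = decode_body(body)
    if not raw:
        return {"verdict": "not-base64", "entropy": 0.0, "correlators": []}
    entropy = round(shannon_entropy(raw), 2)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is None or sum(c.isprintable() or c.isspace() for c in text) / len(text) < 0.95:
        # Undecodable or mostly non-printable: consistent with real ciphertext.
        return {"verdict": "opaque", "entropy": entropy, "correlators": []}
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return {"verdict": "plaintext", "entropy": entropy, "correlators": []}
    return {"verdict": "plaintext-json", "entropy": entropy, "correlators": find_correlators(obj)}


if __name__ == "__main__":
    for name, body in (("captured", CAPTURED_BODY), ("opaque", OPAQUE_BODY)):
        print(name, triage(body))
```

Run as-is it prints a `plaintext-json` verdict for the constructed event, with the `distinct_id`, `android_id` and full DuckDuckGo URL listed as correlators, and an `opaque` verdict for the stand-in ciphertext. Against a real device the body would come from an intercepting proxy placed between the phone and the analytics endpoint; the entropy threshold matters because a short random blob can still decode to valid UTF-8 by chance, so both signals are combined rather than trusting either alone.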
Xiaomi’s response
In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn't tied to any identity. They said that users had consented to such tracking.
But, as pointed out by Cirlig and Tierney, it wasn't just the website or Web search that was sent to the server. Xiaomi was also collecting data about the phone, including unique numbers for identifying the specific device and Android version. Cirlig said such "metadata" could "easily be correlated with an actual human behind the screen."
Xiaomi's spokesperson also denied that browsing data was being recorded under incognito mode. Both Cirlig and Tierney, however, found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, providing both photos and videos as proof.
When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for "porn" and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. "This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information," they added.
Both Cirlig and Tierney said Xiaomi's behavior was more invasive than other browsers like Google Chrome or Apple Safari. "It's a lot worse than any of the mainstream browsers I have seen," Tierney said. "Many of them take analytics, but it's about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets."
Cirlig also suspected that his app use was being monitored by Xiaomi, as every time he opened an app, a chunk of information would be sent to a remote server. Another researcher who'd tested Xiaomi devices, though under an NDA that prevented him from discussing the matter openly, said he'd seen the manufacturer's phones collect such data. Xiaomi didn't respond to questions on that issue.
'Behavioral Analytics'
Xiaomi appears to have another reason for collecting the data: to better understand its users' behavior. It's using the services of a behavioral analytics company called Sensors Analytics. The Chinese startup, also known as Sensors Data, has raised $60 million since its founding in 2015, most recently taking $44 million in a round led by New York private equity firm Warburg Pincus, which also featured funding from Sequoia Capital China. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a "provider of an in-depth user behavior analysis platform and professional consulting services." Its tools help its clients in "exploring the hidden stories behind the indicators in exploring the key behaviors of different businesses."
Both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including the repeated use of SA. When clicking on one of the domains, the page contained one sentence: "Sensors Analytics is ready to receive your data!" There was an API called SensorDataAPI—an API (application programming interface) being the software that allows third parties access to app data. Xiaomi is also listed as a customer on Sensors Data's website.
The founder and CEO of Sensors Data, Sang Wenfeng, has a long history in tracking users. At Chinese internet giant Baidu he built a big data platform for Baidu user logs, according to his company bio.
Xiaomi's spokesperson confirmed the relationship with the startup: "While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi's own servers and will not be shared with Sensors Analytics, or any other third-party companies."
It's the second time in two months that a huge Chinese tech company has been seen watching over users' phone habits. A security app with a "private" browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on Web use, Wi-Fi access point names and more granular data like how a user scrolled on visited Web pages. Cheetah argued it needed to collect the information to protect users and improve their experience.
Late in his research, Cirlig also discovered that Xiaomi’s music player app on his phone was collecting information on his listening habits: what songs were played and when.
One message was clear to the researcher: when you’re listening, Xiaomi is listening, too.
UPDATE: Xiaomi posted a blog in which it delineated how and when it collects the URLs visited by its users. Read it in full here.
The company reiterated that the data transferred from Xiaomi devices and browsers was anonymized and not attached to any identity.
Xiaomi hopes its users stay safe during this difficult time. An article about Xiaomi's privacy policy was published yesterday that contained several inaccuracies and misunderstandings about our browser data collection and storage process. We provide important clarifications supporting our position in the supporting documentation below:
Xiaomi has reviewed the recent Forbes article about our privacy policy and believes the report misrepresents the facts. At Xiaomi, the privacy and security of our users is a top priority. We strictly follow and are fully compliant with user privacy protection laws and regulations in the countries and regions where we operate. In light of these misrepresentations, we would like to clarify the following points:
1. In all global markets where Xiaomi has officially launched, in order to provide the best possible user experience, increase compatibility between the operating system and various apps, and fulfil our obligation to protect user privacy, all usage data collected is based on the explicit permission and consent of our users. Furthermore, we ensure the whole process is anonymized and encrypted. The collection of aggregated usage statistics is used for internal analysis, and we do not associate any personally identifiable information with any of this data. In addition, this is a solution commonly adopted by internet companies around the world to improve the overall user experience of various products while protecting user privacy and data security.
2. Xiaomi hosts information on public cloud infrastructure that is common and well known in the industry. All information about our overseas services and users is stored on servers in the respective overseas markets, which strictly follow local user privacy protection laws and regulations, with which we are also fully compliant.
3. Before the above article was published, the reporter emailed us with questions related to the article, and Xiaomi responded in a fully transparent manner, providing detailed answers about our technology and privacy policy. We believe the published article does not accurately reflect the content and facts of those communications. After the article was published, we contacted the reporter to clarify this further; discussions are ongoing with the aim of quickly reassuring them about how our data security processes work.
4. As an internet company, cybersecurity and user privacy are core principles Xiaomi adheres to and the foundation of our daily work. Our products, technology, performance and measures for user privacy protection are continuously improving. In our newly launched operating system MIUI 12, we have adopted the industry's strictest and most transparent privacy protection measures to date. To increase transparency, we always welcome fact-based public supervision, inquiries and discussion so that we can continuously improve the products and services we provide to our dear users and Mi fans.
Indian media coverage of Xiaomi's response
Xiaomi feels "misunderstood" after claims that web data was recorded
To quell the uproar after Xiaomi was accused yesterday of logging browsing data and phone habits, the Chinese tech giant published a blog post defending its data practices.
Earlier, cybersecurity researcher Cirlig told Forbes that every touch on his Redmi Note 8 was recorded and sent to remote servers. This included which folder was opened, which screen was swiped, which song was played, and so on.
Cirlig's greatest concern was the browsing data logged by Xiaomi's default browser and Mint Browser. According to the researcher, Xiaomi was recording Google queries, websites visited, and what was read in the news feed.
In a video, Cirlig demonstrated that the logging of private data did not stop even in incognito mode. He also confirmed that other Xiaomi smartphones use the same practice.
In the blog post, Xiaomi claims the collected data is aggregated and used for internal analysis. Moreover, everything is with user consent and permission-based.
"This is a common solution adopted by internet companies around the world to improve the overall user experience of various products while also protecting user privacy and data security."
Xiaomi writes that aggregated usage statistics, such as system information, user interface feature usage, responsiveness and performance, cannot be used to identify an individual user. It also says browsing data is only "synced" when the feature is turned on.
As for incognito mode in Xiaomi's default browser, the company denies the researcher's claims about data collection, but writes that aggregated usage statistics are still collected. Moreover, Xiaomi only partially denied the video evidence that web data was recorded: it says the video shows the collection of "anonymous browsing data".
Interestingly, the blog post contains nothing the Xiaomi spokesperson had not already told Forbes. While the collected data is said to be aggregated, Cirlig said the phone data sent to Xiaomi included unique numbers identifying the specific device. Combined with the data taken from the browser, this can "easily be correlated with an actual human behind the screen."