The IBM X-Force Application Security Research Team recently revealed that it has discovered a vulnerability in Xiaomi’s MIUI operating system which would allow an attacker to execute code remotely on a device through a man-in-the-middle attack. The good news is that the vulnerability has been addressed by Xiaomi, and as a PSA, owners of Xiaomi smartphones are advised to update their devices to the latest available firmware.
IBM’s security team discovered the remote code execution (RCE) vulnerability in Xiaomi’s proprietary operating system many months ago, and the issue was privately disclosed to the Chinese smartphone maker in January 2016. In a recent article, IBM’s researchers revealed that the vulnerability was found in the analytics package which accompanies a variety of preloaded applications within MIUI. This type of RCE vulnerability allows attackers to execute arbitrary code remotely, with the privileges of the host application. The mechanism is as follows: the analytics package periodically polls RESTful web services to determine whether an update is available for a given application. The server responds with a short JSON object which includes a URL, and if the application is outdated, the Android application package (APK) linked through that URL is downloaded and extracted. The vulnerability lies in the fact that the update transaction is carried over an insecure connection such as plain HTTP, meaning that an attacker positioned on the network could use a man-in-the-middle attack to replace the URL with one pointing at a malicious APK, which the device would then download and load.
The security team identified “at least four vulnerable applications” within MIUI developer ROM version 6.1.8, one of which was the built-in browser application. Fortunately, according to IBM, Xiaomi’s security team was quick to confirm and classify the vulnerability. Moreover, the issue has already been fixed in Xiaomi MIUI Global Stable version 7.2, and Xiaomi users around the world are advised to check their firmware version and update their devices if applicable. As for mitigating future vulnerabilities of this kind, IBM’s security team believes that developers should transact code-related data only over verified connections such as TLS. Additionally, because this type of vulnerability seems to be becoming an increasing issue in the security community, the team believes that “a discussion should take place” regarding whether any application should be able to “execute unsigned code via DexClassLoader” or indeed by “any other method on the Android platform”.
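To make the failure mode and the recommended mitigation concrete, the following added example (written here for illustration in Python; it is not Xiaomi’s or IBM’s code) models the update check described above: a JSON response carrying a package URL is parsed, and the client refuses to proceed unless the URL uses TLS and points at a pinned host, and the downloaded bytes match the digest delivered with the response. The host name, JSON field names and APK bytes are constructed assumptions for the example.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-in for the APK bytes an update service would serve.
SAMPLE_APK = b"PK\x03\x04 constructed-apk-payload"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_APK).hexdigest()

# Assumed update host; the JSON shape mirrors the short response with a URL
# that the article describes. The first response is the weak form (plain HTTP,
# no integrity value), the second the hardened form.
ALLOWED_HOST = "updates.example.com"
INSECURE_RESPONSE = json.dumps(
    {"version": 2, "url": "http://updates.example.com/app.apk"})
HARDENED_RESPONSE = json.dumps(
    {"version": 2, "url": "https://updates.example.com/app.apk",
     "sha256": SAMPLE_DIGEST})


def parse_update(response_text, installed_version):
    """Return (url, sha256) for a newer package, or None if already current.

    Raises ValueError when the metadata could have been altered in transit:
    a non-TLS URL, an unexpected host, or no integrity value for the package.
    """
    data = json.loads(response_text)
    if int(data.get("version", 0)) <= installed_version:
        return None
    parsed = urlparse(data.get("url", ""))
    if parsed.scheme != "https":
        raise ValueError("update URL must use TLS, got %r" % parsed.scheme)
    if parsed.hostname != ALLOWED_HOST:
        raise ValueError("update URL points at unexpected host %r" % parsed.hostname)
    digest = data.get("sha256")
    if not isinstance(digest, str) or len(digest) != 64:
        raise ValueError("response carries no usable SHA-256 for the package")
    return data["url"], digest.lower()


def package_is_genuine(apk_bytes, expected_sha256):
    """Compare the downloaded package against the expected digest before anything loads it."""
    return hashlib.sha256(apk_bytes).hexdigest() == expected_sha256


def fetch_and_check(response_text, installed_version, download):
    """Full flow: reject weak metadata, then verify the bytes returned by `download`.

    `download` is a caller-supplied function url -> bytes so the example runs offline.
    """
    update = parse_update(response_text, installed_version)
    if update is None:
        return None
    url, digest = update
    apk = download(url)
    if not package_is_genuine(apk, digest):
        raise ValueError("package does not match expected digest; refusing to load it")
    return apk
```

The digest is only as trustworthy as the channel that delivered it, so this check assumes the JSON itself was fetched over TLS; a stronger design would additionally verify the package against a signing key pinned in the client rather than a digest from the server.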