Millions of Xiaomi Smartphones Vulnerable to MitM Attacks – IBM
Dec 4, 2025 4:16 AM

Xiaomi smartphones are at risk of Man-in-the-Middle (MitM) attacks thanks to a remote code execution vulnerability. Researchers discovered this critical flaw and reported it to Xiaomi earlier this year, and the company has now patched it. The vulnerability could have been exploited by attackers to gain complete control of infected handsets.

IBM discovers critical bugs in Xiaomi MIUI OS

Xiaomi is the world's third largest smartphone manufacturer and sold over 70 million devices last year alone. Millions of these devices could be vulnerable to a severe remote code execution (RCE) flaw that grants attackers complete control of the infected devices. The vulnerability exists in the company's implementation of the Android operating system. MIUI, a custom flavor based on Android 6.0 Marshmallow, ships with Xiaomi's devices and is also available to be flashed onto devices sold by other vendors.

Discovered by IBM X-Force researcher David Kaplan, this flaw potentially offers attackers with privileged network access (e.g. on public WiFi) a way to install malware remotely on the affected devices. The vulnerability was present in the analytics packages that exist in various applications shipping with MIUI. All of these apps in the MIUI Developer ROM version 6.1.8 are vulnerable to remote code execution via man-in-the-middle attacks, including the built-in browser app.

These apps offer different capabilities and privileges, the researchers warned. The vulnerable analytics packages could be abused to deliver updates remotely, and the delivered code runs with the privileges of its host app. These updates are performed over an insecure HTTP link instead of HTTPS, opening the way for MitM attacks. "If a vulnerable application was found to be running as the system user, a good portion of the Android's user space would be compromised," Kaplan said.
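The two defects described above, plaintext transport and execution of whatever arrives, are the ones a defender wants to see side by side. The following Python snippet is an added example written for this article; it is not Xiaomi's or IBM's code and does not reproduce the MIUI analytics package. It models an update fetcher with a constructed, offline "transport" in which the http:// response has been altered on the path, and contrasts the weak pattern (use the body as received) with a hardened one that refuses non-HTTPS URLs and checks the payload against a digest obtained through an authenticated channel. The URL, payloads and digest are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample data (not from the article): a tiny "update" body and the
# digest the vendor would publish for it through an authenticated channel
# (for example pinned in the app or delivered inside a signed manifest).
GOOD_PAYLOAD = b"record_event('app_start')"
GOOD_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
TAMPERED_PAYLOAD = b"record_event('app_start'); install_stage2()"

# Simulated transport: what the client would receive for each URL. The http://
# entry returns the altered body to model an on-path modification of a
# plaintext fetch. No network access takes place; the hostname is invalid by design.
SIMULATED_RESPONSES = {
    "http://updates.example.invalid/analytics.bin": TAMPERED_PAYLOAD,
    "https://updates.example.invalid/analytics.bin": GOOD_PAYLOAD,
}


def is_secure_update_url(url: str) -> bool:
    """Executable updates may only be fetched over https from a named host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def payload_matches(payload: bytes, expected_sha256: str) -> bool:
    """Integrity check of the received body against the published digest."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def fetch_update_insecure(url: str) -> bytes:
    """The weak pattern: hand the host app whatever the transport returned.

    Over plain HTTP an on-path attacker controls this body, and the host app
    then runs it with its own privileges.
    """
    return SIMULATED_RESPONSES[url]


def fetch_update_hardened(url: str, expected_sha256: str) -> bytes:
    """Hardened pattern: enforce https, then verify the digest before use."""
    if not is_secure_update_url(url):
        raise ValueError(f"refusing plaintext update URL: {url}")
    body = SIMULATED_RESPONSES[url]
    if not payload_matches(body, expected_sha256):
        raise ValueError("update payload failed integrity check")
    return body


def hardened_rejects(url: str, expected_sha256: str) -> bool:
    """Helper for demonstrations: True when the hardened fetch refuses the update."""
    try:
        fetch_update_hardened(url, expected_sha256)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    http_url = "http://updates.example.invalid/analytics.bin"
    https_url = "https://updates.example.invalid/analytics.bin"
    print("insecure fetch returned:", fetch_update_insecure(http_url))
    print("hardened fetch rejects http:", hardened_rejects(http_url, GOOD_SHA256))
    print("hardened fetch over https:", fetch_update_hardened(https_url, GOOD_SHA256))
```

On a real device the HTTPS requirement is enforced by the platform TLS stack (and can be made the default for an Android app through its network security configuration); the digest or signature check matters because TLS protects the connection, not the authenticity of the update server's content, and it only helps if the expected value reaches the device through a channel the attacker cannot also rewrite.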

IBM informed Xiaomi of this vulnerability in January, and the company has now patched it. Xiaomi has started sending over-the-air updates to its devices worldwide. Users are advised to update to MIUI Global Stable version 7.2, based on Android 6.0, as soon as it becomes available to get these critical fixes.

Copyright 2023-2025 - www.yitit.com All Rights Reserved