Lithuania has told its civil servants to jettison their Chinese-made smartphones after experts found they contained automatic censorship software and other security flaws.
One popular handset from Xiaomi, a Chinese firm that sells more of the devices in the European Union than any other manufacturer, was discovered to be capable of detecting and blanking out the terms “Free Tibet”, “democratic movement” and “Long live Taiwan’s independence”.
The phone also turned out to be sending information about its owners’ activities, including how long they spent using different apps, to a proprietary server in Singapore, beyond the reach of the EU’s strict data laws.
“Overall I think all these findings are worrying,” said Margiris Abukevicius, the Lithuanian deputy defence minister. “It’s one thing to say that you don’t trust Chinese technologies, but we can put proof on the table that there are sensitive security risks and flaws in the equipment.”
The tiny Baltic state, with fewer than 3 million people, has taken a defiantly assertive stance against China in recent months.
Last month it established informal diplomatic relations with Taiwan, an autonomous island that Beijing regards as part of its territory and intends to absorb into China in the coming years.
China responded by recalling its ambassador from Lithuania and accusing the government of “severely undermining China’s sovereignty and territorial integrity”.
Since then it has suspended railway freight links to Lithuania and imposed a de facto trade embargo on the country in several sectors, including timber and agriculture.
The smartphone study, published this week by the Lithuanian defence ministry’s cybersecurity centre, is likely to exacerbate the conflict.
There are already security concerns over the involvement of Chinese telecommunications firms such as Huawei in building Europe’s next-generation 5G mobile phone networks.
Abukevicius, 40, said the report would probably prompt his government to ban other Chinese-made devices from its systems.
“We want to ensure that our state institutions and institutions working in national security should only use trusted vendors and trusted technologies,” he said.
“When it comes to the public, the aim of this report is to make them aware of the security risks, and then they can make their own decisions about how big their appetite for risk is.”
The researchers analysed three bestselling devices from Xiaomi, Huawei and OnePlus, each of which has a substantial share of the EU’s smartphone sales.
They found a total of ten “instances of increased cybersecurity risk”. The Xiaomi Mi 10T phone had a built-in blacklist running to 449 Chinese phrases for political and religious groups and movements, ranging from “independence of [inner] Mongolia” to Voice of America, a US government broadcaster.
These terms could be automatically censored on messaging and web browsing apps, effectively blocking users from looking up sensitive subjects. The function had been switched off in the EU but could be reactivated remotely at any time, potentially “jeopardising free access to information and limiting its accessibility”, according to the report.
Abukevicius said the blacklist was updated every few days and was capable of being expanded to include words from western languages.
The report also said that Huawei’s mobile app store directed smartphone users to other platforms rife with fake apps that acted as a cover for viruses and spyware. No vulnerabilities were identified in the OnePlus phone.
Xiaomi has yet to respond to the report but a Huawei spokesman denied that its phones sent users’ information to third parties.