For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
Through Chinese manufacturer BLU, some 120,000 BLU phones in the US were affected as well. According to BLU, the company immediately removed the offending software. The original purpose of the software was, supposedly, to aid in the detection of junk messages.
An excuse worthy of the late President Eisenhower himself. Too bad I don’t believe bullshit any better than Khrushchev did.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
What’s secretive about Google selling advertising spots based on your data?
ezraz,
The top of the article says “preinstalled software”, but deeper in the article it says “At the heart of the issue is a special type of software, known as firmware”. It sounds like the affected phones are going to need a firmware update.
And if it’s true that this is firmware, how do you know whether you’ve gotten the update or not? If it can secretly send your texts out, it can certainly update itself without ever telling anyone.
darknexus,
The odds are it’s not very sophisticated, but hopefully someone reverse engineers it to see what all it does.
You are right, this is a dilemma in general for anyone who’s been compromised: how do you go about proving that it’s clean afterwards? Any software/firmware scanner (i.e. antivirus products or even secure boot) can be tricked by loading it into a deceptive environment under the control of the attacker.
On computers, I can clean up malware with a known-clean boot CD; however, I’m still assuming the firmware is clean. It probably is, but not necessarily.
The only way to absolutely prove the environment isn’t tampered with is to have something outside of the environment to authenticate it, like TPM hardware:
https://en.wikipedia.org/wiki/Trusted_Platform_Module
ARM platforms offer trusted execution zones that might serve a similar purpose. But the issue here is that if the firmware is compromised, then so too may be the trust zone.
http://www.arm.com/products/security-on-arm/trustzone
Anything with firmware is theoretically at risk if an attacker had the opportunity to change it or if the manufacturer’s authentic firmware already has an exploit/back door.
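The external-root-of-trust argument in the comment above, as an added example that is not part of the original thread: a toy Python model of TPM-style PCR measurement, where a root of trust folds a hash of each boot stage into a register before handing control to it, and a quote over that register is checked by a verifier outside the device. Beside it sits an in-environment self-check that compromised firmware can simply lie to. The boot-stage blobs, the attestation key (an HMAC stand-in for a TPM’s asymmetric signing key) and the verifier are all constructed for the example.

```python
"""Toy measured-boot / remote-attestation model (constructed example).

A root of trust measures every stage it hands control to, folding the
measurement into a PCR the way a TPM does: PCR = SHA-256(PCR || SHA-256(stage)).
The final PCR is quoted to a verifier OUTSIDE the device, which compares it
against a golden value. Contrast this with asking the (possibly compromised)
firmware to check itself, which a deceptive environment defeats.
Every blob, key and nonce below is constructed for illustration.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, stage: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(stage))."""
    return hashlib.sha256(pcr + hashlib.sha256(stage).digest()).digest()


def measure_chain(stages) -> bytes:
    """Measure each boot stage in order, starting from an all-zero PCR.

    The root of trust hashes the bytes it actually loads, so a later stage
    cannot influence the measurement recorded before it ran.
    """
    pcr = bytes(PCR_SIZE)
    for blob in stages:
        pcr = pcr_extend(pcr, blob)
    return pcr


# Constructed boot chain: bootloader -> radio/firmware image -> OS image.
GOLDEN_CHAIN = [
    b"bootloader v1.0 (constructed)",
    b"radio firmware build 2016.11 (constructed)",
    b"android system image (constructed)",
]
GOLDEN_PCR = measure_chain(GOLDEN_CHAIN)

# Constructed tampered chain: identical except for the firmware stage.
TAMPERED_CHAIN = [
    GOLDEN_CHAIN[0],
    GOLDEN_CHAIN[1] + b" + hidden exfiltration component (constructed)",
    GOLDEN_CHAIN[2],
]

# Shared between the device's root of trust and the verifier. A real TPM signs
# quotes with an asymmetric attestation key; HMAC is a stand-in here.
ATTESTATION_KEY = b"constructed-attestation-key"


def quote(pcr: bytes, nonce: bytes) -> dict:
    """Root-of-trust quote: binds the PCR value to a verifier-chosen nonce."""
    tag = hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "tag": tag}


def verify_quote(q: dict, nonce: bytes, golden: bytes) -> bool:
    """External verifier: quote must be fresh, authentic and match the golden PCR."""
    if q["nonce"] != nonce:
        return False  # stale or replayed quote
    expected = hmac.new(ATTESTATION_KEY, nonce + q["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, q["tag"]):
        return False  # not produced by the root of trust
    return hmac.compare_digest(q["pcr"], golden)


def attest_device(stages, nonce: bytes) -> bool:
    """Whole flow: root of trust measures and quotes, external verifier decides."""
    return verify_quote(quote(measure_chain(stages), nonce), nonce, GOLDEN_PCR)


def in_environment_self_check(stages, firmware_lies: bool) -> bool:
    """A scanner running INSIDE the environment asks the firmware for its own hash.

    Honest firmware reports the hash of what is really installed; compromised
    firmware answers with the golden hash, so the check passes either way.
    """
    golden_fw = hashlib.sha256(GOLDEN_CHAIN[1]).digest()
    reported = golden_fw if firmware_lies else hashlib.sha256(stages[1]).digest()
    return reported == golden_fw


if __name__ == "__main__":
    nonce = b"verifier-nonce-0001 (constructed)"
    print("golden chain attests:   ", attest_device(GOLDEN_CHAIN, nonce))    # True
    print("tampered chain attests: ", attest_device(TAMPERED_CHAIN, nonce))  # False
    print("tampered self-check:    ", in_environment_self_check(TAMPERED_CHAIN, firmware_lies=True))  # True (fooled)
```

The nonce is what makes the quote useful to the outside party: without it, a compromised device could replay a quote recorded while it was still clean. The in-environment check fails for exactly the reason the comment gives, because the thing being checked is also the thing doing the reporting.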
The issue is that the term ‘firmware’ gets really ambiguous when talking about phones or other tight embedded systems. Some people use it to refer to any pre-installed apps that you can’t get rid of, some people use it to mean the OS itself, for others it’s the microkernel running on the baseband processor, and still others stick to the more traditionally established meaning of microcode and similar data.
My guess would be that the phones need to be re-flashed, and that’s it.
Hopefully we hear from them soon.
The word is ‘affected’ – not ‘effected’, i.e. it was not put into effect, there was an affect upon it.
Edited 2016-11-15 20:54 UTC
That sausage wasn’t the House’s
Should We go full vegan?
So when Verizon and AT&T did it for NSA bypassing FISA and all that jazz…
Let me say that again: so Chinese manufacturers monitor terrorist phones for messages and contacts. Yay, fixed it there for you.
I pretty much doubt it being “a Chinese government effort to collect intelligence” for a simple reason: people who buy the cheapest possible phones are very unlikely to circulate info useful for an intelligence agency. Such an attack would be better targeted at a different category of the buying public.
What are ‘burner’ phones at one Country, could be ‘medium range’ phones at another.
Do you believe that distillates from Guatemala|Nicaragua|Salvador lack interest to Alphabet? Or any other Corp or State Harvesters?
Actually not: if a phone is ‘low-end’ in the USA, it will be low-end everywhere… for it to be ‘medium range’ elsewhere would imply there exist devices with even lower specs, which is not likely.
It is my speculation that Governments would force a ‘smart-phone’ on every citizen if they could… e-gov is on the way to achieving that.
You’re right. Low Ends are at the end. But valuable distillates, anyway.
Your own government can have all this data directly from the service provider, with no need to install spyware.
And how does my Gov know that my Guest Telcos are upholding our secret agreements?
[Beyond the classical blind tests, of course].
Not really,
A) Companies seem to send much of the over-stock they didn’t manage to sell in the USA/EU to the lower income countries.
B) In lower income countries you find a (proportionally) larger market for mid and lower range hardware.
That means you are very likely to find what was “mid-range” in the USA one or two years ago and is now “low-range” being sold as “mid-range” (heck, maybe even as high-end) in lower income countries.
UKB
And this goes for Trumpians… Do you think that Central America could pay for the level of Oversight and Strength needed there, such a strategic isthmus? Leadership is not something you SELL. You need to start with Respect, and DIPLOMACY.
You don’t get what you pay for with cheap Chinese stuff, because whatever you pay gives you nothing in return but grief and aggravation: screwdrivers whose handles break the very first time you use them, jumper cables for your dead car battery that smoke when you plug them in, USB cables whose terminals split, toys that ooze toxic chemicals, hoverboards that burn your house down, you know how it is.
But when firmware enters the picture, it becomes even darker: I’ve had my share of cheap Chinese electronics rendered useless by their awful, unmaintained firmware: DivX players, TV recorders, action cameras, ebook readers… A mailwoman friend of mine tells me that the post office is drowning in people sending defective cheap Chinese phones back to China, of course at their own expense.
Some companies like Huawei or Xiaomi make really great hardware, but they maim it with unmaintained firmware with a tacked-on layer of garbage that is a bad imitation of iOS but which they proudly market as their own Great Creation.
And then there is the hidden stuff: Lenovo laptops with a tricked BIOS which will reinstall garbageware if you ever dare remove it, or spyware in your cellphone, your computer or your router.
I’m done with this stuff. It is difficult to escape nowadays, but there are still alternatives from non-Chinese brands that care more about quality. Even if more money needs to be paid, they end up being less expensive.
Such as? Even the so-called non-Chinese brands usually have at least one (usually many more) of their components made in China. So how do you avoid them?
darknexus,
Yeah, even brands like Apple who like to pride themselves on being a US company don’t like to admit they are made by the same manufacturers as lower cost competitors.
“Siri where were you manufactured?”
https://www.youtube.com/watch?v=x4ZBfaIB0GY
They don’t hide it very well. When I ordered a customized MacBook Air last year, the UPS scan showed it leaving from Shenzhen. I was surprised they didn’t try to do a better job of hiding the origin of the machine.
The issue is the lack of QA and the bad firmware. Apple, Samsung, and other reputable brands assemble in China, and surely use many Chinese components. But they do good work on their firmware and impose good Quality Assessment.
If cheap Chinese stuff went through real QA and had good firmware, then it would not be cheap anymore, and may actually be inexpensive.
And you know they impose good QA… how, exactly? Particularly Samsung, which I assume is an ironic joke on your part.
You do realize that it’s not the ‘Made in China’ bit that’s the issue, it’s the cheap bit that is. I’ve had just as many crappy items made here in the US or other countries overseas, and I’ve had quite a few things made in China that actually outlasted their American or European made counterparts.
Also, at least 70% of the electronics in the device you used to post your comment were made in China, Taiwan, or India (although it only has to list itself as being made in the country where the final assembly was done).
Lobotomik,
Unfortunately a decline in quality is apparent in US products as well since companies keep trying to cut costs. I think China would be willing & able to deliver higher quality if there were demand, but few are willing to pay more, and that’s what’s driving the market for cheap goods.
So cheaply made that nobody dares a try at repair.
Recently, I had to give permission to the Microsoft Online Services Pre-Release Agreement for my hotmail account. I actually started to read it, but I stopped reading it because it basically said that they were entitled to use the information they could extract from my hotmail account for whatever purpose they wanted to. If they cannot find the information they are looking for, they will buy it from other companies like Google if they are really interested in me.
They should pay you for your profile and browsing. The user should get a cut.
The user already got a cut… in the low price.
So it would seem that secretive data mining is not frowned upon much.
And as long as they are spying on citizens themselves it is not a problem!?
Anyone else see the ironic double standards?
We cry at it. Then we carry our smart-phones into our private chambers and offices. We put those little cameras around and inside our houses and little businesses. We buy lights that can hear us, cars that can track us, commerce and health systems that can beam our status, etc. etc.
Yes. People aren’t people anymore. We’re merely datapoints/targets for those who rule over us. We’ve acquired vast knowledge in science and technology, and this is what we do with it. I don’t think we can imagine how much better the world could be if we were ever able to extinguish greed. We’d rather destroy the world and everything in it before letting that happen though.
Yes, but technology should not be used for spying on you by default.
Mostly, it’s greed, yes. Greed makes manufacturers hastily push out devices without proper testing, or in some cases without even caring to test. The attitude that simple devices do not require proper security leads to massive botnets of small devices and more: hacking and stealing of information and all that.
However, on the other hand, simply accepting that as a fact of life is not helping. A statement like “It is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.” implies that it’s okay for data mining to take place, and it’s okay for them to spy on you, as long as it is them and not China doing it.
And split that damn cellphones at their Multimedia|Computing|Comm|DRM Surfaces.