This week we saw, possible evidence of, yet another form of the Chinese cyber espionage. Smartphones calling “home” to China with user data. This is every government’s worst counterintelligence and cyber security nightmare. We are warned, repeatedly about the threat of Chinese cyber espionage, especially those in the national security arena. For those in the private sector, having the data from a smartphone being surreptitiously sent to servers in China, should make every company’s information security team skin crawl, as they watch their intellectual property fly out the window.
What’s a backdoor?
A backdoor is a means by which user information is provided without the user’s knowledge via device, software or other technical capabilities to a third party.
Smartphones forwarding user information to China?
Users of Android smartphones from BLU Products may be surprised to learn that security firm Kryptowire uncovered a backdoor in the firmware installed on their phones by their “firmware over the air” service provider. A quick online check shows their phones available via Google, Best Buy, and other retailers. A deeper review shows that the company which handled the firmware updating, Shanghai ADUPS Technology Co., Ltd, has both ZTE and Huawei smartphones in their client list. Furthermore, ADUPS claims their service counts over 700 million active users.
What was compromised?
In this instance, per Kryptowire, the firmware provided the following to identified servers located in Shanghai, China.
- Actively transmitted user and device information
- The full-body of text messages,
- Contact lists,
- Call history with full telephone numbers,
- Unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
- The firmware could target specific users and text messages matching remotely defined keywords.
- The firmware also collected and transmitted information about the use of applications installed on the monitored device
- Firmware bypassed the Android permission model,
- Executed remote commands with escalated (system) privileges, and
- Remotely reprogram the devices
The real kicker is, because the backdoor is located within the firmware, the activity bypasses the anti-virus security protocols of the device as it is considered safe, white-listed. User’s didn’t stand a chance, their only defense, to upgrade the firmware to a “clean version” or junk the phone.
What does Adups Technologies have to say about their firmware?
Adups Technology has issued a statement, explaining, without explicitly using the words, “China cyber espionage,” that this version of firmware was designed for use in the local, China only market, and was mistakenly placed on smart devices in other markets. The statement continues that the data collected was deleted and the firmware updated on all devices to have this feature removed. In other words, a private company, providing services to their client company made a mistake.
Something to keep in mind should you be traveling to China or Hong Kong and wish to use a burner phone for your local telephone calls, this capability is likely to exist on any device you may purchase in China and therefore, your device may be easily compromised in a difficult to detect manner.
What should you do?
You have two options.
Carry-on: If you are using a BLU phone, and take Adups Tehcnology at their word, make sure your firmware has indeed been updated. The Adups Technology link above, provides an email address for contacting the company, who no doubt can identify which firmware version does not send your data to China.
Junk the device: If you are using a BLU phone, and don’t believe Adups Technology, short of taking your devices to a lab for confirmation (not something many would have the ability to do) there is little you as an individual user can do to confirm the backdoor in their provided firmware isn’t still there. Therefore, you may wish to junk the BLU phone or the phone from any other manufacturer which uses the Adups Technology services to update the smart devices.
Chinese company installed secret backdoor on hundreds of thousands of phones (ARS Technica, 15 November 2016)
Firmware Secretly Sent Text, Call Data On Android Users To China (Dark Reading, 15 November 2016)