(by Allen St. John, Consumer Reports) – A serious…security vulnerability involving some Android smartphones came to light Tuesday.
Phones made by Blu, a U.S. company, were transmitting their owners’ personal data to a computer server in China. It’s not clear how the data was being used, though security experts say it could have been accessible by the Chinese government.
While the issue was discovered in phones sold by Blu, it could affect models from other manufacturers, and potentially millions of phones worldwide that all use software supplied by the same company, Shanghai Adups Technology Co.
The news story will evolve in the days ahead, but here’s what you need to know now if you have—or might have—an affected phone.
How was this problem uncovered?
…A researcher at a security firm called Kryptowire, located outside of Washington, D.C., wanted an inexpensive work phone for an overseas trip, and purchased a Blu R1 HD. Without expecting to find a problem, he and his colleagues experimented with the phone, looking at what kind of data it was transmitting, and where that data was going.
The researchers soon realized that something was amiss.
“We thought a lot of data on the phone was being accessed,” says Azzedine Benameur, the company’s director of research.
They traced the data collection to firmware, a type of software central to the operation of the phone, that had been written by Adups, the Chinese company. The Adups website says it supplies firmware to phone makers that include Blu and two of the world’s biggest phone makers, ZTE and Huawei, which both sell phones in the United States. Those companies did not respond to a request for information.
What exactly does an affected Blu phone do?
The phone makes an encrypted copy of your text messages, including metadata such as the phone numbers you’re communicating with. Then, every 72 hours it uploads the data to a server in China.
[The researchers at] Kryptowire discovered that the firmware can be set to sift through text messages for specific phone numbers, names, or other key words, capturing and transmitting only that information. The researchers say their phone wasn’t picking out specific text messages when they examined it.
How can I tell if my phone is running this firmware?
Only phones running a version of the Android operating system are involved; that means iPhone users don’t have to be concerned.
Blu says that six of its models were affected—the R1 HD, the Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond. These are all low-priced phones—the R1 HD, the phone used by Kryptowire, sells for just $50, while the Energy X Plus 2 costs about $100. But the company isn’t providing information such as a serial number or date of manufacture that could help consumers determine if their own phone has the problem firmware installed.
Consumer Reports contacted a number of other smartphone makers to see if their phones were affected.
Google, which makes the Android operating system, says that its Nexus and Pixel phones did not carry the Adups firmware, but that it couldn’t provide information on other Android phones. “Lots of Android activity is opaque to us,” a spokesman says. “As you know, Android is open-source and anyone can use it.”
Other phone makers that responded to our inquiry, including OnePlus, HTC, and LG, said they were still investigating to determine whether any of their phone models were affected.
According to Kryptowire researchers, there’s no way for most consumers to determine if the Adups firmware is running on their phone. The company’s investigation involved setting up a “man in the middle” attack to intercept data flowing off the phone before it was transmitted over the internet.
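The method described above, as an added example that is not part of the Consumer Reports article and is not Kryptowire's own tooling: once an interception proxy is sitting between a phone and the internet, the uploads described earlier (a copy of the text messages sent out every 72 hours) show up as POST requests to the same host on a fixed schedule. The script below reads a small traffic log, groups uploads by destination and flags hosts that receive them at a regular multi-day interval. The log lines, host names, timestamps and sizes are constructed for illustration; a real capture would come from the proxy.

```python
"""Flag hosts that receive uploads on a fixed schedule in a traffic capture.

Added example, not code from the Consumer Reports article or from Kryptowire.
It assumes the analyst already has a log of outbound requests recorded by an
interception proxy placed between the phone and the internet; the log lines,
host names and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample capture: ISO timestamp, method, destination host, bytes sent.
# One host receives a POST of similar size roughly every 72 hours; the others
# show ordinary, irregular traffic.
SAMPLE_LOG = """\
2016-10-01T02:14:07Z POST upload.example-ota.test 18432
2016-10-01T02:20:11Z GET  cdn.example-news.test 0
2016-10-04T02:15:39Z POST upload.example-ota.test 19011
2016-10-04T09:00:00Z POST mail.example-provider.test 2048
2016-10-07T02:13:58Z POST upload.example-ota.test 17655
2016-10-08T11:42:19Z POST mail.example-provider.test 4096
2016-10-10T02:16:02Z POST upload.example-ota.test 18877
"""


def parse_log(text):
    """Return (timestamp, method, host, bytes) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, host, size = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        method.upper(), host, int(size)))
    return records


def find_periodic_uploads(records, period=timedelta(hours=72),
                          tolerance=0.10, min_uploads=3):
    """Group POST requests by host and report hosts whose uploads recur
    at `period` (within `tolerance`, a fraction of the period) with little jitter.

    Returns {host: {"count", "mean_interval_hours", "jitter_hours", "bytes"}}.
    """
    by_host = defaultdict(list)
    for ts, method, host, size in records:
        if method == "POST":
            by_host[host].append((ts, size))

    expected = period.total_seconds() / 3600
    suspects = {}
    for host, uploads in by_host.items():
        if len(uploads) < min_uploads:
            continue  # too few samples to call anything periodic
        uploads.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600
                for a, b in zip(uploads, uploads[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps)
        # Periodic if the mean gap is close to the expected period and the
        # gaps are tightly clustered (a scheduler, not a person, is sending).
        if abs(avg - expected) <= tolerance * expected and jitter <= tolerance * expected:
            suspects[host] = {
                "count": len(uploads),
                "mean_interval_hours": round(avg, 2),
                "jitter_hours": round(jitter, 2),
                "bytes": sum(size for _, size in uploads),
            }
    return suspects


if __name__ == "__main__":
    for host, info in find_periodic_uploads(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {info['count']} uploads, every "
              f"~{info['mean_interval_hours']}h (jitter {info['jitter_hours']}h), "
              f"{info['bytes']} bytes total")
```

The check deliberately uses only timing, destination and size, which a proxy can see even when the uploaded payload itself is encrypted; reading the contents would additionally require the proxy to terminate TLS with a certificate the phone trusts. The 10% tolerance and the minimum of three uploads are assumptions chosen for this example; a ten-day capture is the shortest that will produce three 72-hour gaps.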
Okay, I have a problem phone. Now what?
Blu says it has already fixed the problem with an update to phones in the hands of consumers. However, the company has not responded to inquiries asking how consumers can confirm that the issue has been resolved on their phones.
Assuming the phones have been fixed, that won’t erase any personal data from Adups’ servers. Nor is it clear how the information might be used.
Dan Guido, CEO of the cybersecurity firm Trail of Bits, speculates that some personal data could end up in government hands: “You might be in a rude awakening if you go through customs at a Chinese airport,” he says. “From the Chinese censors’ point of view, this is not a bug. It’s a feature.”
…Jason Hong, an associate professor of computer science at Carnegie Mellon [said he needed more information]: “There could be a lot of malicious things being done. On the other hand, we’ve also seen a lot of these advertising networks that just try to get as much information about you so that they can do better ads. So without more information, it’s really hard to say for sure.” …
Reprinted here for educational purposes only. May not be reproduced on other websites without permission from Consumer Reports. Visit the website at consumerreports.com.
1. a) What do each of the following companies do? Blu, Adups, Kryptowire
b) What concerning information came to light about Blu this week?
2. Why might the owners of phones purchased from other manufacturers besides Blu be affected?
3. How was the problem with Blu discovered? Be specific.
4. How does the server in China get an American phone user’s information?
5. Why does the reporter say iPhone users don't have to be concerned?
6. a) Google makes the Android operating system. What information did Google give about their phones?
b) How does Google explain their inability to provide information on other Android phones?
7. What information did phone makers OnePlus, HTC and LG give to Consumer Reports?
8. a) What reassurance has Blu given to customers?
b) What question did Blu not answer regarding customers’ phones?
9. The reporter notes that even if a customer’s phone has been fixed, Adups still has his data on their servers and also notes it is not clear how the information might be used. The reporter also quotes a computer science professor surmising that it could possibly be an advertising network. Knowing what you do about the Chinese government and Chinese companies, what is (would be) your reaction if you own a Blu phone (or other Android phone)? [If you do not know anything about the Chinese government and/or companies, ask a parent or a grandparent.]
More from the Consumer Reports article:
Should I avoid buying a new Blu phone?
Blu phones aren’t sold directly by the major phone carriers, but are instead available from retailers such as Amazon, which is where Kryptowire purchased its phone. Amazon has a 30-day return policy for phones, but says it will extend the policy in this situation.
An Amazon spokeswoman, Robin Handaly, told [Consumer Reports] that when the problem was discovered, “all impacted phone models were immediately made unavailable for purchase on Amazon.com,” though other Blu phones were still available. “Now that the issue has been resolved, we’re working to make these phones available to Amazon.com customers again.”