from Hacker News

Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say

by wrongc0ntinent on 11/15/16, 11:29 AM with 167 comments

  • by mikegerwitz on 11/15/16, 1:51 PM

    You cannot have privacy and security without free/libre software. While such doesn't guarantee privacy or security, operating systems that make an effort to build the system entirely from source without any proprietary components are much less likely to have a problem like this slip through the cracks of a large, active development community.

    Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.

    Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:

    http://blog.replicant.us/2016/08/replicant-6-early-work-upst...

    We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.

    Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.

  • by codedokode on 11/15/16, 3:43 PM

    I have a Chinese Android phone. Instead of connecting it to the Internet I connected it to my computer over bluetooth and started monitoring the traffic it tried to send. There were attempts to connect to Google servers and the Chinese manufacturer's servers. The data sent to China was supposed to contain sensitive information like phone number or SIM card identifier.

    It also has an auto-update (read: backdoor) feature that cannot be disabled.

    I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.

    As a consumer I am very disappointed and feel deceived by Google. I know about the "you are the product" saying but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that a smartphone is going to spy on me.

    We need a law against this.

  • by freddref on 11/15/16, 1:37 PM

    Elephant in the room is of course the amount of data that is sent to the U.S. from phones in the rest of the world. Hardly a surprise that China is getting in on the action too.

  • by makmanalp on 11/15/16, 1:27 PM

    Does anyone regularly audit devices and apps with something similar to a web proxy, to see where they talk to during the course of normal usage? This seems like a decent low-hanging fruit (well, relatively speaking).

    I also remember there used to be application firewalls in windows that kept track of the connections that each application made and if any of them contacted a new server, they'd ask you for permission. I don't think most folks used them because in the end they kept asking a lot of questions that the users didn't necessarily know how to answer, but I wonder if it wasn't such a bad idea after all, and whether the "default" choice could be mined from other users' settings.
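The two posts above (codedokode's manually maintained whitelist firewall and makmanalp's idea of auditing where a device talks during normal use) both come down to the same check: compare every destination a phone contacts against a reviewed allowlist and surface the rest. The script below is an added example, not code from any commenter; the log format, IP addresses and hostnames are constructed stand-ins for what a tethering host's proxy or firewall log might contain.

```python
"""Egress audit: flag hosts a tethered phone contacts that are not on an
explicit allowlist. Added example; log lines and hostnames are constructed."""

# Hosts the owner has reviewed and enabled by hand (hypothetical entries).
ALLOWLIST = {"time.android.com", "play.googleapis.com"}

# Constructed sample log, one connection per line:
# "<timestamp> <src-ip> <dst-host>:<port> <bytes-out>"
SAMPLE_LOG = """\
2016-11-15T10:01:02Z 192.168.44.2 time.android.com:123 48
2016-11-15T10:01:05Z 192.168.44.2 play.googleapis.com:443 1320
2016-11-15T10:01:09Z 192.168.44.2 stats.vendor.example:443 5120
2016-11-15T10:01:10Z 192.168.44.2 stats.vendor.example:443 4988
2016-11-15T10:02:31Z 192.168.44.2 ota.vendor.example:80 256
"""


def parse_log(text):
    """Yield (timestamp, dst_host, port, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[2]:
            continue
        host, _, port = parts[2].rpartition(":")
        try:
            yield parts[0], host, int(port), int(parts[3])
        except ValueError:
            continue


def audit(text, allowlist=ALLOWLIST):
    """Return {host: (first_seen, connections, total_bytes_out)} for every
    destination not on the allowlist, so each one can be reviewed before
    it is ever enabled rather than silently allowed."""
    unknown = {}
    for ts, host, _port, nbytes in parse_log(text):
        if host in allowlist:
            continue
        first, count, total = unknown.get(host, (ts, 0, 0))
        unknown[host] = (first, count + 1, total + nbytes)
    return unknown


if __name__ == "__main__":
    for host, (first, count, total) in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host}: first seen {first}, {count} connection(s), {total} bytes out")
```

Run against a real proxy or firewall log, the byte totals per unknown host are what make a periodic "stats" upload stand out from a one-off DNS or NTP lookup.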

  • by rectang on 11/15/16, 12:46 PM

    We can do better. Auditable open source and reproducible builds are security and privacy differentiators. They make shenanigans like these more difficult to pull off and easier to investigate.

  • by duked on 11/15/16, 1:20 PM

    Hi guys, I'm one of the researchers with Kryptowire, if you have any questions.

  • by ff10 on 11/15/16, 12:41 PM

    Slightly off topic: but doesn't backdoor mean that there's a particular party that has control over the backdoored software? Here it sounds like the device is calling home... or is that sufficient to be called a backdoor?

  • by TACIXAT on 11/15/16, 3:54 PM

    I used to analyze mobile malware and the line of what was OK and what wasn't really came down to how big the company was. If it was an unknown firm set up as analytics / advertising, it was fine to block. If it was a mega analytics / advertising company it was not malware because it was a massive company.

  • by lost_my_pwd on 11/15/16, 12:47 PM

  • by akerro on 11/15/16, 1:41 PM

    >Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.

    We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, American Express...

  • by freddref on 11/15/16, 1:56 PM

    If we don't really object to sharing our data with a wide range of U.S. companies, why would we care if it is shared with China or anyone else also?

  • by Tarrosion on 11/15/16, 12:26 PM

    Question for HN: I'm in the market for a new Android phone. If I want to avoid this sort of thing, are there manufacturers I should steer clear of?

  • by finid on 11/15/16, 3:20 PM

    This is why some users are getting really paranoid. So somebody decided that their first and only Android device will not have access to the Internet. Instead, its sole role is to function as a camera.

    linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-the-internet/

  • by Animats on 11/15/16, 7:20 PM

    From the article: "A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store."

    Google hates it when a program phones home to someplace other than Google.

  • by est on 11/16/16, 1:45 AM

    > Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.

    This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.

    The app is bad because it does the function without consent, not because it's made by Chinese.

  • by agumonkey on 11/15/16, 1:46 PM

    If it's only SMS then that's not that bad. Are the SoCs set up in a way to make crypto practically impossible on these?

  • by thogenhaven on 11/15/16, 1:38 PM

    Didn't we all know this would happen eventually?

  • by softwarelimits on 11/15/16, 1:54 PM

    Easy to avoid: just buy a phone that was built in your country.. oh, wait...

  • by MrTrapy on 11/15/16, 5:10 PM

    That's why I use carrier pigeons.

  • by abhianet on 11/15/16, 1:37 PM

    This can also be read outside the states as follows:

    For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.

    Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.

    [EDIT: Fixed formatting]

  • by andrewvijay on 11/15/16, 1:07 PM

    Huawei routers used in Indian govt offices were found to be sending data to China. They were banned after the discovery. Won't be surprised if cellular components that are made in China send back data quietly.

  • by kutkloon7 on 11/15/16, 3:16 PM

    What's the big deal? Google does this on a much bigger scale and of course shares its data with the US government when asked. Why is it suddenly scary when a Chinese company does the same?

  • by mSparks on 11/15/16, 12:48 PM

    Pah, nothing to hide, nothing to fear, what's the big deal eh?

    I do hope Eric Schmidt and Trent Lott have been using one of these phones/devices.

  • by aluhut on 11/15/16, 1:23 PM

    I wish we could have disposable phones in Germany...

  • by LyalinDotCom on 11/15/16, 1:16 PM

    This is just a Chinese hoax to scare us like that global warming bullshit.... right... am I right...??? .... /cry