Linked by Thom Holwerda on Tue 15th Nov 2016 16:11 UTC
Android

For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.

Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.

Through Chinese manufacturer BLU, some 120,000 BLU phones in the US were affected as well. According to BLU, the company immediately removed the offending software. The original purpose of the software was, supposedly, to aid in the detection of junk messages.

Wow
by darknexus on Tue 15th Nov 2016 16:21 UTC
darknexus
Member since:
2008-07-15

The original purpose of the software was, supposedly, to aid in the detection of junk messages.

An excuse worthy of the late President Eisenhower himself. Too bad I don't believe bullshit any better than Khrushchev did.

Reply Score: 2

In other news...
by ezraz on Tue 15th Nov 2016 17:11 UTC
ezraz
Member since:
2012-06-20

Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.

Reply Score: 2

RE: In other news...
by Thom_Holwerda on Tue 15th Nov 2016 17:18 UTC in reply to "In other news..."
Thom_Holwerda Member since:
2005-06-29

secretive data mining for advertising purposes


What's secretive about Google selling advertising spots based on your data?

Reply Score: 2

RE: In other news...
by Alfman on Tue 15th Nov 2016 17:32 UTC in reply to "In other news..."
Alfman Member since:
2011-01-28

ezraz,


Security contractors recently discovered preinstalled software in some Android phones that monitors where users go


The top of the article says "preinstalled software", but deeper in the article it says "At the heart of the issue is a special type of software, known as firmware". It sounds like the affected phones are going to need a firmware update.

Reply Score: 2

RE[2]: In other news...
by darknexus on Tue 15th Nov 2016 17:53 UTC in reply to "RE: In other news..."
darknexus Member since:
2008-07-15

It sounds like the affected phones are going to need a firmware update.

And if it's true that this is firmware, how do you know whether you've gotten the update or not? If it can secretly send your texts out, it can certainly update itself without ever telling anyone.

Reply Score: 2

RE[3]: In other news...
by Alfman on Tue 15th Nov 2016 18:55 UTC in reply to "RE[2]: In other news..."
Alfman Member since:
2011-01-28

darknexus,

And if it's true that this is firmware, how do you know whether you've gotten the update or not? If it can secretly send your texts out, it can certainly update itself without ever telling anyone.


The odds are it's not very sophisticated, but hopefully someone reverse engineers it to see what all it does.


You are right, this is a dilemma in general for anyone who's been compromised: how do you go about proving that it's clean afterwards? Any software/firmware scanner (i.e. antivirus products or even secure boot) can be tricked by loading it into a deceptive environment in control of the attacker.

On computers, I can clean up malware with a known-clean boot CD, however I'm still assuming the firmware is clean. It probably is, but not necessarily.

The only way to absolutely prove the environment isn't tampered with is to have something outside of the environment to authenticate it, like TPM hardware:

https://en.wikipedia.org/wiki/Trusted_Platform_Module


ARM platforms offer trusted execution zones that might serve a similar purpose. But the issue here is that if the firmware is compromised, then so too may be the trust zone.

http://www.arm.com/products/security-on-arm/trustzone

Anything with firmware is theoretically at risk if an attacker had the opportunity to change it or if the manufacturer's authentic firmware already has an exploit/back door.

Reply Score: 2
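The point Alfman makes above, that only something outside the environment (such as a TPM) can vouch for it, and that a scanner running inside a compromised environment can be fed whatever it wants to see, is easier to grasp with a small model. The following Python is an added example, not code from the thread, from BLU, Adups or any TPM vendor; the "TPM", its attestation key, the firmware images and the verifier nonce are all constructed, and an HMAC stands in for the asymmetric quote signature a real TPM would produce. Only the PCR-extend formula (new PCR = SHA-256(old PCR || SHA-256(component))) follows the real TPM design.

```python
# Added example (not from the thread): a toy model of TPM-style measured boot and
# remote attestation. The 'TPM', the key, the images and the nonce are all constructed.
import hashlib
import hmac


def extend(pcr: bytes, component: bytes) -> bytes:
    """Model of a PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


class ToyTPM:
    """Stands in for the hardware: holds a PCR and an attestation key the OS cannot read.
    An HMAC is used in place of the asymmetric quote signature a real TPM would produce."""

    def __init__(self, attestation_key: bytes) -> None:
        self._key = attestation_key          # never exposed to the booted OS
        self.pcr = bytes(32)                 # PCRs reset to all-zero at power-on

    def measure(self, component: bytes) -> None:
        """Each boot stage is hashed into the PCR before it is allowed to run."""
        self.pcr = extend(self.pcr, component)

    def quote(self, nonce: bytes) -> dict:
        """Signed statement of the current PCR, bound to a verifier-chosen nonce."""
        sig = hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig}


def boot(tpm: ToyTPM, stages: list) -> ToyTPM:
    """Measure every stage in order, as a measured-boot chain would."""
    for stage in stages:
        tpm.measure(stage)
    return tpm


# Constructed sample images; the backdoored one differs only by an appended byte string.
GENUINE_BOOTLOADER = b"bootloader v1 (constructed sample)"
GENUINE_FIRMWARE = b"vendor firmware v1 (constructed sample)"
BACKDOORED_FIRMWARE = GENUINE_FIRMWARE + b" + hidden SMS-forwarding hook"


def golden_pcr() -> bytes:
    """Verifier-side reference value, computed offline from the known-good images."""
    pcr = bytes(32)
    for stage in (GENUINE_BOOTLOADER, GENUINE_FIRMWARE):
        pcr = extend(pcr, stage)
    return pcr


def verify_quote(q: dict, nonce: bytes, key: bytes, golden: bytes) -> bool:
    """Remote verifier: check freshness, then the signature, then PCR vs. reference."""
    if q["nonce"] != nonce:
        return False                         # stale or replayed quote
    expected = hmac.new(key, nonce + q["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, q["sig"]):
        return False                         # not produced with the real TPM key
    return hmac.compare_digest(q["pcr"], golden)


def local_scan(reported_pcr: bytes, golden: bytes) -> bool:
    """A scanner running inside the OS sees only what the (possibly lying) OS reports."""
    return reported_pcr == golden


def run_scenarios(key: bytes = b"attestation key (constructed; held by TPM and verifier)") -> dict:
    """Run the clean, backdoored, lying, forged and replayed cases; return each verdict."""
    golden = golden_pcr()
    nonce = b"verifier nonce 0001 (constructed)"
    out = {}
    clean = boot(ToyTPM(key), [GENUINE_BOOTLOADER, GENUINE_FIRMWARE])
    out["clean_device_passes"] = verify_quote(clean.quote(nonce), nonce, key, golden)
    bad = boot(ToyTPM(key), [GENUINE_BOOTLOADER, BACKDOORED_FIRMWARE])
    out["backdoor_detected_remotely"] = not verify_quote(bad.quote(nonce), nonce, key, golden)
    # A compromised OS simply tells the local scanner the value it wants to hear.
    out["local_scanner_fooled"] = local_scan(golden, golden)
    # The same lie to the remote verifier fails: the OS cannot sign with the TPM's key.
    forged = {"nonce": nonce, "pcr": golden,
              "sig": hmac.new(b"guessed key", nonce + golden, hashlib.sha256).digest()}
    out["forged_quote_rejected"] = not verify_quote(forged, nonce, key, golden)
    # Replaying a genuine quote captured under an earlier nonce also fails.
    out["replayed_quote_rejected"] = not verify_quote(clean.quote(b"old nonce"), nonce, key, golden)
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The model also shows the limit the post goes on to mention: it assumes the very first measuring component (the boot ROM or the TPM itself) is honest. If the code that performs the measurements is the part that was tampered with, it can extend the "expected" values instead of the real ones, and the chain proves nothing; that is exactly why a compromised firmware can drag a TrustZone or similar component down with it.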

RE[2]: In other news...
by ahferroin7 on Wed 16th Nov 2016 13:16 UTC in reply to "RE: In other news..."
ahferroin7 Member since:
2015-10-30

The issue is that the term 'firmware' gets really ambiguous when talking about phones or other tight embedded systems. Some people use it to refer to any pre-installed apps that you can't get rid of, some people use it to mean the OS itself, for others it's the microkernel running on the baseband processor, and still others stick to the more traditionally established meaning of microcode and similar data.

My guess would be that the phones need to be re-flashed, and that's it.

Reply Score: 1

Need more info
by Alfman on Tue 15th Nov 2016 17:24 UTC
Alfman
Member since:
2011-01-28

At the heart of the issue is a special type of software, known as firmware, that tells phones how to operate. Adups provides the code that lets companies remotely update their firmware, an important function that is largely unseen by users.
...
Samuel Ohev-Zion, the chief executive of the Florida-based BLU Products, said: “It was obviously something that we were not aware of. We moved very quickly to correct it.”


My phone says no update is available.

Ms. Lim said she did not know how customers could determine whether they were affected.


This isn't good, I have no idea if my model's firmware is affected or not.


Kryptowire took its findings to the United States government. It plans to make its report public as early as Tuesday.


Hopefully we hear from them soon.

Reply Score: 2

spelling
by yerverluvinunclebert on Tue 15th Nov 2016 20:53 UTC
yerverluvinunclebert
Member since:
2014-05-03

The word is 'affected' - not 'effected', i.e. it was not put into effect, there was an affect upon it.

Edited 2016-11-15 20:54 UTC

Reply Score: 1

That sausage...
by dionicio on Tue 15th Nov 2016 21:55 UTC
dionicio
Member since:
2006-07-12

That sausage wasn't the House's ;)

Reply Score: 2

RE: That sausage...
by dionicio on Tue 15th Nov 2016 22:20 UTC in reply to "That sausage..."
dionicio Member since:
2006-07-12

Should We go full vegan?

Reply Score: 2

Comment by Licaon_Kter
by Licaon_Kter on Tue 15th Nov 2016 22:19 UTC
Licaon_Kter
Member since:
2010-03-19

So when Verizon and AT&T did it for NSA bypassing FISA and all that jazz...

Let me say that again, so Chinese manufacturers monitor terrorist phones for messages and contacts. yay fixed it there for you

Reply Score: 2

intelligence
by nicubunu on Wed 16th Nov 2016 06:46 UTC
nicubunu
Member since:
2014-01-08

I pretty much doubt it being "a Chinese government effort to collect intelligence" for a simple reason: people who buy the cheapest possible phones are very unlikely to circulate info useful for an intelligence agency. Such an attack would be better targeted at a different category of the buying public.

Reply Score: 2

RE: intelligence
by dionicio on Wed 16th Nov 2016 14:52 UTC in reply to "intelligence"
dionicio Member since:
2006-07-12

What are 'burner' phones in one country could be 'medium range' phones in another.

Do you believe that distillates from Guatemala|Nicaragua|Salvador lack interest to Alphabet? Or any other Corp or State Harvesters?

Reply Score: 2

RE[2]: intelligence
by nicubunu on Wed 16th Nov 2016 15:05 UTC in reply to "RE: intelligence"
nicubunu Member since:
2014-01-08

Actually not, if a phone is 'low-end' in the USA, it will be low-end everywhere... for it to be 'medium range' elsewhere it would imply there would exist devices with even lower specs, which is not likely.

Reply Score: 2

RE[3]: intelligence
by dionicio on Wed 16th Nov 2016 15:17 UTC in reply to "RE[2]: intelligence"
dionicio Member since:
2006-07-12

It is my speculation that governments would force a 'smart-phone' on every citizen if they could... e-gov is on the way to achieving that ;)

You're right. Low Ends are at the end. But valuable distillates, anyway.

Reply Score: 2

RE[4]: intelligence
by nicubunu on Wed 16th Nov 2016 15:28 UTC in reply to "RE[3]: intelligence"
nicubunu Member since:
2014-01-08

Your own government can have all this data directly from the service provider, with no need to install spyware.

Reply Score: 2

RE[5]: intelligence
by dionicio on Wed 16th Nov 2016 16:50 UTC in reply to "RE[4]: intelligence"
dionicio Member since:
2006-07-12

And how does my Gov know that my guest telcos are upholding our secret agreements?

Reply Score: 2

RE[6]: intelligence
by dionicio on Wed 16th Nov 2016 16:53 UTC in reply to "RE[5]: intelligence"
dionicio Member since:
2006-07-12

[Beyond the classical blind tests, of course].

Reply Score: 2

RE[3]: intelligence
by UglyKidBill on Wed 16th Nov 2016 15:50 UTC in reply to "RE[2]: intelligence"
UglyKidBill Member since:
2005-07-27

Actually not, if a phone is 'low-end' in the USA, it will be low-end everywhere... for it to be 'medium range' elsewhere it would imply there would exist devices with even lower specs, which is not likely.


Not really,

A) Companies seem to send much of the over-stock they didn't manage to sell in the USA/EU to the lower income countries.

B) In lower income countries you find a (proportionally) larger market for mid and lower range hardware.

That means you are very likely to find what was "mid-range" in the USA one or two years ago and is now "low-range", being sold as "mid-range" (heck, maybe even as high-end) in lower income countries.

UKB

Reply Score: 3

RE[2]: intelligence
by dionicio on Wed 16th Nov 2016 15:07 UTC in reply to "RE: intelligence"
dionicio Member since:
2006-07-12

And This Goes for Trumpians... Do you think that Central America Could Pay for the level of Oversight and Strength needed there - such a strategic isthmus? Leadership is not something you SELL. You need to start with Respect - and DIPLOMACY.

Reply Score: 2

Lobotomik
Member since:
2006-01-03

You don't get what you pay for with cheap Chinese stuff, because whatever you pay gives you nothing in return but grief and aggravation: screwdrivers whose handles break the very first time you use them, jumper cables for your dead car battery that smoke when you plug them in, USB cables whose terminals split, toys that ooze toxic chemicals, hoverboards that burn your house down, you know how it is.

But when firmware enters the picture, then it becomes even darker: I've had my share of cheap Chinese electronics rendered useless by their awful, unmaintained firmware: DivX players, TV recorders, action cameras, ebook readers... A mailwoman friend of mine tells me that the post office is drowned with people sending defective cheap Chinese phones back to China, of course at their own expense.

Some companies like Huawei or Xiaomi make really great hardware, but they maim it with unmaintained firmware with a tacked-on layer of garbage that is a bad imitation of iOS but which they proudly market as their own Great Creation.

And then there is the hidden stuff: Lenovo laptops with a tricked BIOS which will reinstall garbageware if you ever dare remove it, or spyware in your cellphone, your computer or your router.

I'm done with this stuff. It is difficult to escape nowadays, but there are still alternatives from non-Chinese brands that care more about quality. Even if more money needs to be paid, they end up being less expensive.

Reply Score: 2

darknexus Member since:
2008-07-15

but there are still alternatives from non-Chinese brands that care more about quality. Even if more money needs to be paid, they end up being less expensive.

Such as? Even the so-called non-Chinese brands usually have at least one (usually many more) of their components made in China. So how do you avoid them?

Reply Score: 3

Alfman Member since:
2011-01-28

darknexus,

Such as? Even the so-called non-Chinese brands usually have at least one (usually many more) of their components made in China. So how do you avoid them?


Yea, even brands like Apple who like to pride themselves on being a US company don't like to admit they are made by the same manufacturers as lower cost competitors.

"Siri where were you manufactured?"
https://www.youtube.com/watch?v=x4ZBfaIB0GY

Reply Score: 3

darknexus Member since:
2008-07-15

Yea, even brands like Apple who like to pride themselves on being a US company don't like to admit they are made by the same manufacturers as lower cost competitors.

They don't hide it very well. When I ordered a customized MacBook Air last year, the UPS scan showed it leaving from Shenzhen. I was surprised they didn't try to do a better job of hiding the origin of the machine.

Reply Score: 2

Lobotomik Member since:
2006-01-03

The issue is the lack of QA and the bad firmware. Apple, Samsung, and other reputable brands assemble in China, and surely use many Chinese components. But they do good work on their firmware and impose good Quality Assessment.

If cheap Chinese stuff went through real QA and had good firmware, then it would not be cheap anymore, and may actually be inexpensive.

Reply Score: 2

darknexus Member since:
2008-07-15

And you know they impose good QA... how, exactly? Particularly Samsung, which I assume is an ironic joke on your part.

Reply Score: 2

ahferroin7 Member since:
2015-10-30

You do realize that it's not the 'Made in China' bit that's the issue, it's the cheap bit that is. I've had just as many crappy items made here in the US or in other countries overseas, and I've had quite a few things made in China that actually outlasted their American or European made counterparts.

Also, at least 70% of the electronics in the device you used to post your comment were made in China, Taiwan, or India (although it only has to list itself as being made in the country where the final assembly was done).

Reply Score: 2

Alfman Member since:
2011-01-28

Lobotomik,

I'm done with this stuff. It is difficult to escape nowadays, but there are still alternatives from non-Chinese brands that care more about quality. Even if more money needs to be paid, they end up being less expensive.


Unfortunately a decline in quality is apparent in US products as well since companies keep trying to cut costs. I think China would be willing & able to deliver higher quality if there were demand, but few are willing to pay more, and that's what's driving the market for cheap goods.

Reply Score: 3

dionicio Member since:
2006-07-12

So cheaply made that nobody dares a try at repair.

Reply Score: 2

So?
by bigdog on Wed 16th Nov 2016 11:41 UTC
bigdog
Member since:
2011-07-06

Recently, I had to give permission to the Microsoft Online Services Pre-Release Agreement for my hotmail account. I actually started to read it, but I stopped reading it because it basically said that they were entitled to use the information they could extract from my hotmail account for whatever purpose they wanted to. If they cannot find the information they are looking for, they will buy it from other companies like Google if they are really interested in me.

Reply Score: 2

RE: So?
by ezraz on Wed 16th Nov 2016 13:34 UTC in reply to "So?"
ezraz Member since:
2012-06-20

They should pay you for your profile and browsing. The user should get a cut.

Reply Score: 2

RE[2]: So?
by Licaon_Kter on Sat 19th Nov 2016 13:47 UTC in reply to "RE: So?"
Licaon_Kter Member since:
2010-03-19

The user already got a cut... in the low price.

Reply Score: 1

Data mining?
by ecpeachy on Wed 16th Nov 2016 16:46 UTC
ecpeachy
Member since:
2010-06-07

So it would seem that secretive data mining is not frowned upon much.
And as long as they are spying on citizens themselves it is not a problem!?

Anyone else see the ironic double standards?

Reply Score: 2

RE: Data mining?
by dionicio on Wed 16th Nov 2016 17:27 UTC in reply to "Data mining?"
dionicio Member since:
2006-07-12

We Cry at it. Then we carry our smart-phones to our private chambers and offices. We put those little cameras around and inside our houses and little businesses. We buy lights that can hear us, cars that can track us, commerce and health systems that can beam our status, etc. etc.

Reply Score: 2

RE[2]: Data mining?
by ilovebeer on Wed 16th Nov 2016 18:46 UTC in reply to "RE: Data mining?"
ilovebeer Member since:
2011-08-08

Yes. People aren't people anymore. We're merely datapoints/targets for those who rule over us. We've acquired vast knowledge in science and technology, and this is what we do with it. I don't think we can imagine how much better the world could be if we were ever able to extinguish greed. We'd rather destroy the world and everything in it before letting that happen though.

Reply Score: 2

RE[2]: Data mining?
by ecpeachy on Wed 16th Nov 2016 20:25 UTC in reply to "RE: Data mining?"
ecpeachy Member since:
2010-06-07

Yes, but technology should not be used for spying on you by default.

Mostly, it's greed, yes. Greed makes manufacturers hastily push out devices without proper testing, or even care to test in some cases. The attitude that simple devices do not require proper security leads to massive botnets of small devices and more. Hacking and stealing of information and all that.

However, on the other hand, simply accepting that as a fact of life is not helping. A statement like "It is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence." implies that it's okay for data mining to take place, and it's okay for them to spy on you, as long as it is them, not China, doing it.

Reply Score: 1

We need to take an axe...
by dionicio on Wed 16th Nov 2016 21:08 UTC in reply to "RE[2]: Data mining?"
dionicio Member since:
2006-07-12

And split those damn cellphones at their Multimedia|Computing|Comm|DRM Surfaces.

Reply Score: 2