
Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say - wrongc0ntinent
http://mobile.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
======
mikegerwitz
You cannot have privacy and security without free/libre software. While such
doesn't doesn't guarantee privacy or security, operating systems that make an
effort to build the system entirely from source without any proprietary
components are much less likely to have a problem like this slip through the
cracks of a large, active development community.

Unfortunately, currently the only Android operating system to do this is
Replicant, which has terrible hardware support and---due to the sorry state of
affairs for mobile---lacks many features requiring proprietary drivers.
Cyanogenmod stops short, but would still make situations like this much more
difficult.

Even if you don't subscribe to the principles of software freedom, please
consider helping out the Replicant project if you know enough about the
operating system. I use a Replicant device (S3) and I'd love to see others
working to get version 6 out:

[http://blog.replicant.us/2016/08/replicant-6-early-work-
upst...](http://blog.replicant.us/2016/08/replicant-6-early-work-upstream-
work-and-f-droid-issue/)

We also need reproducible builds of the operating system and its software---
again, something that cannot be done without a fully free/libre OS.

Despite increased surveillance on such a vulnerable and enticing target, this
doesn't get enough emphasis.

~~~
the_duke
That's the old open source argument.

And while many things could most certainly be discovered by extensive, costly
audits, that someone has to pay for...

OS code bases are huge.

How difficult would it be to hide functionality like this in some obscure code
that's camouflaged as something else?

How hard would it be to automatically install an app that does this after
first boot, disguised as some self updating or analytics feature?

Not very, I think.

If someone puts an Android fork online, who has the time to go through the
changes to discover something like this?

Also, such features could even easily be placed on a tiny, dedicated chip
inside the phone, completely apart from the OS.

If you don't build the hardware yourself, component by component (assuming
that the components themselves are trustworthy), and audit every single LOC in
the OS, something can always slip by.

~~~
dandelion_lover
The source code is not the only condition for security. However it drastically
decreases the threshold for the audits. People can even make a crowdfunding
campaign and pay to professionals like it was done with TrueCrypt.

But even without such a campaign, evil developers would be in a constant
danger that someone may discover a backdoor. It is a very unstable situation:
just one person is enough to make a lot of noise, and everyone could be this
person. And yes, people do read the sources:

[https://www.fsf.org/blogs/community/who-actually-reads-
the-c...](https://www.fsf.org/blogs/community/who-actually-reads-the-code)

It's all about defense in depth:

[https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...](https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29)

------
codedokode
I have a chinese Android phone. Instead of connecting it to the Internet I
connected it to my computer over bluetooth and started monitoring the traffic
it tried to send. There were attempts to connect to Google servers and chinese
manufacturer's servers. The data sent to China was supposed to contain
sensitive information like phone number or SIM card identifier.

It also has an auto-update (read: backdoor) feature that cannot be disabled.

I ended up making a linux-based whitelist firewall to access the Internet but
it is pretty inconvinient because I have to manually enable every new host.
And I can use it only at home.

As a consumer I am very disappointed and feel being deceived by Google. I know
about "you are the product" saying but the smartphone is not free. I bought an
expensive (two hundred dollars!) device and I had to spend a lot of my time to
be able to control its activity. And of course the advertisement never
mentioned that a smartphone is going to spy on me.

We need a law against this.

~~~
paradite
Where did you buy that phone from and what brand was it?

I was under the impression that US does not allow selling of Android phones
from most Chinese brands due to the reasons you mentioned, and for those that
all allowed, they have strict vetting procedures to prevent phones with such
capabilities from reaching the US market?

~~~
codedokode
The manufacturer's name is Shenzhen Huafurui Technology if it tells you
anything. The brand name is Cubot. I do not live in US but one can buy such
kind of phone on Amazon (if you search manufacturer's name there you can find
it is even cheaper now).

It is good to hear that in some countries importing such phones is not
allowed.

~~~
paradite
Sorry to hear your experience. Next time you'd be better off buying from a
more established brand if you going to buy a phone of Chinese brand. Chances
are, if they are officially selling outside China, they would have met some
the requirements from the respective countries. I know Europe and US has
strict privacy laws and that's why you can't buy such phones through official
channels.

~~~
throthaway
Unless you've purchased phones from all the "more established" brands and
verified whether they're sending data, this is hardly sound advice.

"More established" brands have a history of leaving secret backdoors and
phoning home just the same as the Chinese devices.

One was discovered in a range of Samsung devices just a couple years ago.
Lenovo, same story, spyware and garbage hidden deep within their gadgets.

The only solution is to take a chance, buy a device, test it. If it's
backdoored, return it if you can, and call them out on HN/Amazon reviews, etc.

~~~
paradite
That seems rather pessimistic. If you really don't trust any brands, what's
wrong with directly buying from the tech companies instead of the
manufacturers? Like Google Nexus (Pixel), Microsoft Windows Phone and iPhone.
They are supposed to the industrial standards for how to do privacy correctly.

~~~
YUPampessimist
When a simple Google search reveals the exact pattern mentioned occurring
again and again, not just with phones but with networking gear, laptops, TV's,
IoT devices, CDs (Sony rootkit anyone?), and websites loaded to the max with
trackers and secret downloads onto people's machines, it moves from pessimism
to "this is just how it works."

The price of freedom is eternal vigilance. You want crap free gadgets, make
them sell crap free gadgets by ratting them out when they sell gadgets loaded
with crap.

~~~
paradite
I am okay with the skepticism you have here but is there really a reason to
create two throwaway accounts just to reply to me?

Do you happen to know me in real life? I can't think of another reason for
this.

~~~
a3n
No one should have to justify wanting to remain private/anonymous.

------
freddref
Elephant in the room is of course the amount of data that is sent to the u.s.
from phones in the rest of the world. Hardly a surprise that China is getting
in on the action too.

~~~
acqq
Exactly. When an address book is sent to every company that makes an app it's
business!

When the same is sent to China, it's outrage?

Ditto with auto-updates.

I'd be glad if I could control much more of my data exposure. But business.

------
makmanalp
Does anyone regularly audit devices and apps with something similar to a web
proxy, to see where they talk to during the course of normal usage? This seems
like a decent low-hanging fruit (well, relatively speaking).

I also remember there used to be application firewalls in windows that kept
track of the connections that each application made and if any of them
contacted a new server, they'd ask you for permission. I don't think most
folks used them because in the end they kept asking a lot of questions that
the users didn't necessarily know how to answer, but I wonder if it wasn't
such a bad idea after all, and whether the "default" choice could be mined
from other users' settings.

~~~
nommm-nommm
Yes, they do. You can use Fiddler or similar as a web proxy for mobile apps.
Stuff has been found like this - [https://www.troyhunt.com/controlling-
vehicle-features-of-nis...](https://www.troyhunt.com/controlling-vehicle-
features-of-nissan/) and I recall there's been several more but I can't recall
the details.

------
rectang
We can do better. Auditable open source and reproducible builds are security
and privacy differentiators. They make shenanigans like these more difficult
to pull off and easier to investigate.

~~~
77pt77
Hardware and firmware are still usually closed though.

~~~
noja
You need to start.

------
duked
H guys, I'm one of the researchers with kryptowire if you have any questions

~~~
Nrsolis
Hey duked. I just returned from Hong Kong (on vacation) and used two BLU
Advance 5.0 phones as burners for use while in-country. I take precautions
whenever I travel overseas.

I've got two phones here that were used during my trip there. I was wondering
if you had any tips for figuring out of they were compromised or otherwise
owned while I was out there.

~~~
duked
Hi, our findings are specific to the BLU R1HD. What you can do is have man in
the middle proxy for your device and look at the traffic. Funny enough we
actually bought the R1HD for the same reason as you... We had a conference in
Taiwan and wanted a burner and BLU looked awesome for the price ;)

~~~
Nrsolis
That was my thinking as well.

I do INFOSEC for a living and needed to make sure I wasn't bringing back any
compromised devices when I returned. So far, the two phones have remained
powered down while I come up with a plan to examine them.

It would be interesting to see if they are loaded with malware out of the box
or if there is something going on when they are used in country.

------
ff10
Slightly off topic: but doesn't backdoor mean that there's a particular party
that has control over the backdoored software? Here it sounds like the device
is calling home... or is that sufficient to be called backdoor?

~~~
sesqu
Yeah, backdoor usually means that the device accepts credentials from a third
party, and not sending them reports.

I suppose you could interpret this "backdoor" as third-party access to the
data, rather than to the device.

------
TACIXAT
I used to analyze mobile malware and the line of what was OK and what wasn't
really came down to how big the company was. If it was an unknown firm set up
as analytics / advertising, it was fine to block. If it was a mega analytics /
advertising it was not malware because it was a massive company.

------
lost_my_pwd
Funny how this follows right after this:
[https://www.theguardian.com/world/2016/nov/14/china-
threaten...](https://www.theguardian.com/world/2016/nov/14/china-threatens-to-
cut-sales-of-iphones-and-us-cars-if-naive-trump-pursues-trade-war)

------
akerro
>Security contractors recently discovered preinstalled software in some
Android phones that monitors where users go, whom they talk to and what they
write in text messages. The American authorities say it is not clear whether
this represents secretive data mining for advertising purposes or a Chinese
government effort to collect intelligence.

We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft,
Visa, AmericanExpress...

~~~
bluetwo
Consent. The big difference is consent.

~~~
QuantumRoar
Do not use the Internet. Do not use phones. Do not use bank accounts. Do not
travel by plane. Do not enter public spaces. Do not show your face.

Otherwise you accept our Terms of Service.

Thank you for trusting us.

(Is it just me or is it actually very hard to figure out whom I've given
consent to do something with something that is mine?)

~~~
wu-ikkyu
>(Is it just me or is it actually very hard to figure out whom I've given
consent to do something with something that is mine?)

Reading and understanding EULAs for every tool you use is a full time job that
requires a law degree.

------
freddref
If we don't really object to sharing our data with a wide range of u.s.
companies, why would we care if it is shared with China or anyone else also?

~~~
code_duck
Chinese companies are harder to monitor and learn about. More importantly,
they are not bound by and/or are unlikely to follow any data privacy laws.

~~~
jlgaddis
On the other hand, American companies don't seem to be bound by the laws that
we think they are either.

As example, I'll submit PRISM (while admitting that we're still not 100% clear
on that) and the retroactive immunity provided to telecom companies.

------
Tarrosion
Question for HN: I'm in the market for a new Android phone. If I want to avoid
this sort of thing, are there manufacturers I should steer clear of?

~~~
kogepathic
> I'm in the market for a new Android phone.

Find a phone which has a large community around it, and lots of custom ROMs
available. An official Cyanogenmod release is a good sign. It's also a sign
that your phone will have a longer usable life than whatever the manufacturer
promises you now.

Custom ROMs have a long history of extending the life of phones. For example
the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up
to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough
to make the point. Phones with good community support receive current versions
of Android long after both Google and the manufacturer have stopped giving a
shit.

To the people who say "you can't trust a random stranger on the internet
making a custom ROM to be any more secure than the manufacturer ROM" you're
right. If someone wanted to make a custom ROM with malware in it, there's a
pretty good chance it may not be noticed.

If your threat model includes a three letter agency, then don't use Android.
Full stop. The iPhone is the ecosystem you want.

I recommend to all my friends and family to buy phones with good community
support just to receive updates to ROMs like Cyanogen. The first thing I do
when they say they're considering "Phone XYZ" is to look on XDA Developers[0]
to gauge the level of community around the model. If it looks dead (e.g. look
up any tablet based on the NVidia Tegra for what not to buy [1]) then I
recommend they keep looking.

I've had really good luck with Chinese phones which are also sold in markets
like South East Asia and India. There are millions of users of these phones,
so the custom ROM community is quite strong. The hardware is also quite cheap,
I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping,
and it runs Android 7 thanks to community developers [2].

[0] [http://forum.xda-developers.com](http://forum.xda-developers.com)

[1] [http://forum.xda-developers.com/mi-pad](http://forum.xda-
developers.com/mi-pad)

[2] [http://forum.xda-developers.com/redmi-2](http://forum.xda-
developers.com/redmi-2)

~~~
nibs
I spent a day battling with getting a custom ROM on my Redmi 3 and gave up. In
case anyone reads this: Xioami make amazing phones for the price. This $120
USD phone outperforms my S3. But getting a custom ROM on a Xioami is getting
increasingly difficult - you have to ask for permission, jump through hoops to
unlock the phone and sometimes it just does not work. Xioami is the Apple of
China - great UI but increasingly closed ecosystem. Their OS is called MIUI,
which is basically Android with more customization options (necessary for the
markets they serve). It is a great phone and OS, but it is more complex than
just flashing CyanogenMod (unfortunately).

~~~
h4waii
This does not blanket apply to all Xiaomi devices. There are official builds
of CM available for the Mi3, Mi4, Redmi Note 3, and a fully open source
unofficial build for the Mi4C and Mi4S.

Unlocking their bootloader can be done officially through a request, or
unofficially. Changing the recovery by replacing a single file in the EDL and
retaining bootloader lock is also possible.

------
finid
This is why some users are going real paranoid. So somebody decided that their
first and only Android device will not have access to the Internet. Instead,
it's sole role is to function as a camera.

linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-
the-internet/

------
Animats
From the article: _" A Google official said the company had told Adups to
remove the surveillance ability from phones that run services like the Google
Play store."_

Google hates it when a program phones home to someplace other than Google.

------
est
> Ms. Lim said the software was intended to help the Chinese client identify
> junk text messages and calls. She did not identify the company that
> requested it and said she did not know how many phones were affected. She
> said phone companies, not Adups, were responsible for disclosing privacy
> policies to users. “Adups was just there to provide functionality that the
> phone distributor asked for,” she said.

This whole article is a lot less racist if this paragraph is put on top. You
know because every app made by some of the 1.3B people must be a government
effort to collect intelligence.

The app is bad because it does the function without consent, not because it's
made by Chinese.

------
agumonkey
If it's only sms then that's not that bad. Are the SoC setup in a way to make
crypto practically impossible on these ?

------
thogenhaven
Didnt we all knew this would happen eventually?

------
softwarelimits
Easy to avoid: just buy a phone that was built in your country.. oh, wait...

------
MrTrapy
Por isso uso pombo correio

------
abhianet
This can also be read outside the states as follows:

For about $50, you can get a smartphone with a high-definition display, fast
data service and, according to security contractors, a secret feature: a
backdoor that sends all your text messages to _the USA_ every _few seconds_.

Security contractors recently discovered preinstalled software in some Android
phones that monitors where users go, whom they talk to and what they write in
text messages. The authorities say it is not clear whether this represents
secretive data mining for advertising purposes or a government effort to
collect intelligence.

[EDIT: Fixed formatting]

~~~
mirimir
Well, actually, the US has backdoored the entire Internet :(

------
andrewvijay
Huawei routers used in Indian govt offices were found to be sending data to
China. They were banned after the discovery. Wont be surprised if cellular
components that are made in China send back data quietly.

~~~
dandelion_lover
People at HN would appreciate the corresponding links...

~~~
Cozumel
[https://intelligence.house.gov/sites/intelligence.house.gov/...](https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-
ZTE%20Investigative%20Report%20\(FINAL\).pdf)

~~~
andrewvijay
Yo thanks fam!

------
kutkloon7
What's the big deal? Google does this on a much bigger scale and of course
shares its data with the US government when asked. Why is it suddenly scary
when a Chinese company does the same?

~~~
bitmapbrother
That's cute. You make it sound as if Apple doesn't share your data with the US
government when asked. Oh, look what do we have here:

>In one of the leaked emails sent by Apple Environment, Policy and Social
Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly
stated that the current methods of encryption in place allows the firm to
essentially send an unlimited amount of personal and sensitive user data to
law enforcement.

>Jackson further emphasized that Apple already has a 24-hour live team
established for the sole purpose of handling law enforcement and government
requests. “Thousands of times every month, we give governments information
about Apple customers and devices, in response to warrants and other forms of
legal process,” Jackson stated. “We have a team that responds to those
requests 24 hours a day. Strong encryption does not eliminate Apple’s ability
to give law enforcement meta-data or any of a number of other very useful
categories of data.”

You have to love that 24 hour live team whose sole purpose is to provide
customer data to law enforcement and government people.

~~~
kutkloon7
That's not at all what I meant, but whatever.

------
mSparks
Pah, nothing to hide, nothing to fear, what's the big deal eh?

I do hope Eric Schmidt and Trent Lott have been using one of these
phones/devices.

~~~
raverbashing
And Zuckerberg

------
aluhut
I wish we could have disposable phones in Germany...

------
LyalinDotCom
This is just a Chinese hoax to scare us like that global warming bullshit....
right... am I right...??? .... /cry

