
Nokia phones sent identifiable data to Chinese server - henriklied
https://translate.google.com/translate?u=https://nrkbeta.no/2019/03/21/norske-telefoner-sendte-personopplysninger-til-kina/
======
milankragujevic
I knew of that 9 months ago, but nobody was interested so I dropped it.

[https://news.ycombinator.com/item?id=17329825](https://news.ycombinator.com/item?id=17329825)

~~~
gvand
I wonder how often this kind of comment falls through the cracks like this.
Happened to me too with something privacy related about one of the big Corps
that then was noticed by everyone else a few weeks later...

I agree with others, better open a "Tell HN" in these cases.

~~~
nuclx
Happens with a lot of posts if they don't reach a critical mass of upvotes
early on. In this case probably nobody could verify if the claims were
correct.

~~~
killjoywashere
Maybe we should add a new topline category, "threat reports"?

~~~
quickthrower2
This seems outside of HN remit, but definitely worth being a site of its own
with an RSS feed. I feel this should be curated not based on community voting.

~~~
killjoywashere
US-CERT is already a thing. But we all hang out here. I think this community
has a special collection of talents that could foster positive relationships
with the larger society.

------
phh
Please don't assume this is a one-time event, or that it is specific to this
brand or even to Chinese manufacturers. Nokia could actually be in the best
half on that aspect, just got unlucky.

Most of such info leaks are hidden. I've already witnessed several OEM
firmwares sending information to many different parties. Too often, this is
done through http, with payload encrypted. But it's always symmetrical
encryption, and the encryption key can be computed from the fields in clear in
the request. Such techniques are enough to stay under the radar of classic
MITM, and require hard reverse engineering work to detect. I've noticed such
behaviours on major Chinese OEMs, and white-label brands.

I never did actual reverse engineering on more western-ish brands, but the
little I've seen doesn't look good. On Samsung Galaxy S9+ simply listing apps
that can install apps silently (which is the master of all permissions,
because this gives the right to give apps any permission), raises an
advertisement company in Israel and a Telco in Singapore.

If you're worried about this situation (I am), I recommend you start lobbying
about mandatory bootloader unlock, and easier OS replacement on smartphones.
In this area, Nokia is amongst the worst, since AFAIK they still haven't
authorized any bootloader unlock. Personally my work in this ecosystem is to
make the Phh-Treble ROM, which is most likely the Android ROM with the largest
hardware support (even though it requires the phone to be natively running
Android 8 at least), and it is open source.

~~~
aloer
> On Samsung Galaxy S9+ simply listing apps that can install apps silently
> (which is the master of all permissions

Wait... what? Why is there such a permission in the first place?

~~~
krn
> Why is there such a permission in the first place?

Google Play and F-droid require it in order to update apps automatically.

Essentially, you give one app a permission to install other apps. Whether it
notifies you or not is up to the app.

------
v4n4d1s
This has to be fixed by HMD and I hope for an official investigation as most
other manufacturers are probably doing the same.

In the meantime, I recommend the following:

1. Remove any unnecessary packages through ADB
([https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...](https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/))

2. Use Shelter
([https://f-droid.org/en/packages/net.typeblog.shelter/](https://f-droid.org/en/packages/net.typeblog.shelter/))

3. Use a VPN-Firewall such as NetGuard
([https://f-droid.org/en/packages/eu.faircode.netguard/](https://f-droid.org/en/packages/eu.faircode.netguard/))
or NoRoot Firewall
([https://play.google.com/store/apps/details?id=app.greyshirts...](https://play.google.com/store/apps/details?id=app.greyshirts.firewall)).

~~~
codedokode
You suggest installing userspace apps to control system software that might
run in a privileged context. NoRoot Firewall, for example, doesn't control
iptables, it just pretends to be a VPN server and privileged software, I
assume, can bypass it.

~~~
v4n4d1s
Yes, I'm fully aware of this. There's also the problem of having a closed
source baseband processor in pretty much every device.

But bypassing these mechanisms is a decision they had to make. If they're just
lazy or incompetent, these userspace apps should be sufficient as a
mitigation.

Check this out for a more sophisticated way:
[https://privacyinternational.org/node/2732](https://privacyinternational.org/node/2732)

------
atzd4b
It's shameful of Google (but totally expected) that they don't supervise the
Android One program AT ALL. All of the Android One mobiles appear on the top
list of their Android One microsite and I'm sure most of them contain malware
built-in.

[https://www.android.com/one/](https://www.android.com/one/)

Having said this, I never expected Nokia to be doing that, too. Both Nokia and
HMD are Finnish, do they really need to outsource the creation of the ROM?!

~~~
usr1106
HMD is Finnish, but AFAIK they have zero own software development in Finland.
Not sure whether it is public knowledge where they buy the SW from. Of course
the Google part is known, but I assume the application reported here is not
from Google.

~~~
illuminati1911
Yeah. HMD is just a license-holding company with nothing but lots of managers as
employees. All of their software development is outsourced to Finnish and
foreign companies.

I know some of those people (in Finland) who worked in these outsourcing
companies, but they just worked on the more high level components like Android
apps etc. Not with bootloaders or OS images.

------
mattlondon
FWIW, I have a recently purchased Nokia 7.1 which is part of the Android One
scheme (running Android Pie). This was through a legit high-street UK retailer
so not grey-import or anything.

I installed NoRoot Firewall as suggested in another comment here. So far
NoRoot Firewall has not detected any activity from anything unusual running in
the background (either idle, screen-on, or charging).

What _was_ weird though was that if I open the Nokia camera app, it tries to
talk to edge-star-shv-01-lhr-facebook.com,
edge-star-mini-shv-01-sof1.facebook.com & edge-star-shv-01-sof1.facebook.com.
I believe this is due to the facebook live-broadcasting feature built into the
Nokia camera app, although I have not got it logged in so not sure why it is
phoning home just when I open the app.

~~~
mattlondon
So 24 hours later and still nothing odd going on according to NoRoot Firewall
on a UK retail Nokia 7.1.

I'll keep running for a few more days (I can't use my usual VPN at the same
time as NoRoot Firewall so don't want to run indefinitely) and update if
anything else happens.

------
chvid
Very nice of the Chinese military to choose a .cn domain so even the
Norwegians can see what is going on ...

~~~
chvid
It is obviously a bug / lazy programmer / broken project management. A phone
with most of its components bought from China and in one of the many
configurations just copied from the supplier's examples there was a URL which
was supposed to be changed but wasn't.

In other words - a non-story or at most a story about quality issues at the
reborn Nokia.

But luckily the URL pointed to China ... so we can make the story about that
... with a big red communist flag, talk about mass surveillance, human
rights, future invasions and so on ...

I don't really think this is because of racism; I mostly just think it is
because we are idiots that prefer big hyperboles rather than simple
explanations of non-issues.

~~~
nkozyra
Huh? It's more than just that; the Android build comes littered with software
from an unscrupulous source, even on phones that are supposed to be close to a
clean version of Android.

~~~
chvid
Why do you assume they (the presumably Chinese provider of the component) are
unscrupulous?

To me it is obvious that it is Nokia that is sloppy and having quality issues.

~~~
nkozyra
Why do you assume it's simply laziness? Regardless, it's not good.

~~~
chvid
Why is there a Chinese flag in the article and not a Finnish flag?

Because it gives more attention.

The real story here is that the venerable brand of Nokia now is being used to
sell sub-quality phones.

~~~
nkozyra
Because the service and server in question are in China? Look I understand
being skeptical of the narrative, but that's where the data was going.

Nokia isn't being shielded in the article.

------
blitzo
It is kind of ironic for me to think that my perception of Android is the same
as of Windows, as a major malware distributor, despite it being based on Linux.
Android is now fast becoming the Windows XP of mobile.

~~~
nicolaslem
My Android phone came with a weather app preinstalled. The app cannot be
uninstalled, is full of translation errors and some links redirect to Chinese
websites. Who knows what data my phone constantly sends there?

Adding to that the fact that I don't receive system updates anymore, I have
absolutely no trust in my phone. My next phone will be an iPhone, for lack
of a better alternative.

~~~
eknkc
Yeah, I recently switched from iPhone to Samsung Galaxy S10.

I don't have any previous experience, so my reasoning was "well it's Samsung, at
worst they'll have some shitty branded apps and some cruft". But I don't have
an idea what these dozens of preinstalled apps running on my phone are doing.
Almost none of them can be uninstalled and only a handful can be disabled.

It is kind of scary to use a banking app on this thing. Never felt this way on
an iPhone. I wanted to see the Android side after years of iPhone use,
apparently it is still shit.

~~~
quickthrower2
This is exactly why I am back on iPhone. I have had enough of unremovable
shitware. I also value the simplicity of getting basic things done such as
Bluetooth pairing. Stuff seems easier. The only thing slightly worse on iPhone
is google 2fa, because it needs to use the gmail app.

~~~
arsenico
> google 2fa, because it needs to use the gmail app

You mean the Google app, right? Not the GMail one.

~~~
apta
Not the original poster, but yes you're right

------
yorwba
I did some research on zzhc.vnet.cn and what its purpose might be. Zzhc is
probably an abbreviation of 自注册, meaning self-registration. There is plenty of
documentation (in Chinese) on how to implement it (e.g. [1]), but so far I
haven't been able to figure out what it's actually good for.

You can find implementations by Qualcomm and Mediatek on GitHub, the Mediatek
one even comes with a minimal README [2]. That seems to indicate that it's
gated by a feature flag "MTK_CT4GREG_APP" and is only supposed to be active
when explicitly selected while the phone is in developer mode. That makes it
likely that sending the data was only due to a misconfiguration.

Considering the long list of manufacturers starting at page 10 of [1], it's
also possible that others are leaking data in the same way.

[1]
[https://wenku.baidu.com/view/c2eaa9fc5022aaea998f0f7f.html](https://wenku.baidu.com/view/c2eaa9fc5022aaea998f0f7f.html)

[2] [https://github.com/griffins-testing-ground/android_vendor_mt...](https://github.com/griffins-testing-ground/android_vendor_mtk/tree/0edacb3eb0107237f68eabbab66293cdc8fb90a4/mediatek/proprietary/packages/apps/SelfRegister)

~~~
molinwow
More articles about "补贴", from the same user:
[https://www.jianshu.com/u/3bff037f7a8b](https://www.jianshu.com/u/3bff037f7a8b).

I assume the Android implementation was done in China, then many requirements
are related to "补贴", and submitting some data to zzhc.vnet.cn is just part of
them. But it didn't get deleted when they were making EU variants.

~~~
yorwba
Thanks for the links. Actually, I had seen one of those articles before, but
didn't understand it well enough.

My understanding now is that some 4G deployments are subsidized, and to
correctly compute the amounts to be paid, China Telecom needs to collect more
data than is usually available, so they came up with the idea of sending the
data to zzhc.vnet.cn.

Still pretty hacky, but it kind of makes sense from a perspective of doing the
minimum necessary to fulfill the requirements.

------
HenryBemis
ALL Android phone users should go NOW and install NoRoot Firewall. This will
catch anything running over the OS (but I feel it wouldn't catch any rootkit).
What information is missing in the article is "which app is leaking the data"?
On all rooted android phones you can advise on uninstall xyz and be done with
it. Then you can take screenshots and make a nice post in your blog.
Unfortunately I don't own a Nokia 7 to do this myself.

~~~
HenryBemis
Edit: just noticed that autocorrect changed my: "adb pm uninstall XYZ"

------
deanclatworthy
This is pretty damning. The fact that HMD don't come clean and admit they were
required to load this software in order to sell to the Chinese market is a
little odd. Maybe the Chinese require companies not to admit the backdoors
they place.

------
ksec
I _think_ and assume that, as part of the process, some Nokia phones which were
only meant to be sold in China, or software that was only meant to be installed
in China's version of Nokia, got muddled up into the international version.

If you have been following Nokia's Android phones, you will know they have
always been launching new phones in China first before making a slight update or
shipping exactly the same one to the international market. So it could be that
this is part of a logistics and supply chain misstep. I am giving Nokia the
benefit of the doubt here. Since HMD do have many original Nokia employees, it
could be an oversight.

------
0x0
So much for "Android One"....

------
RandomBacon
Shouldn't this be something that the NSA looks into and prevents?

The NSA works with US companies to secure their systems from espionage.

Shouldn't the NSA be analyzing consumer electronics to make sure they don't
spy on US citizens, some of which will have sensitive information or trade
secrets on their phones?

~~~
codedokode
It seems that some companies do not like to be "secured" by NSA, according to
the article [1]

[1] [https://www.wired.com/2013/10/nsa-hacked-yahoo-google-cables...](https://www.wired.com/2013/10/nsa-hacked-yahoo-google-cables/)

~~~
RandomBacon
'Do as I say, not as I do'?

Aren't those companies trying to get all the information they can about us?

Perhaps they don't want to be "secured" because it costs money to do so.

------
188201
One more reason to get a Purism phone I guess...

------
reacharavindh
If it was the Chinese who were trying to spy, it'd be pretty dumb to use a .cn
URL, wouldn't it?

Seems to support the US paranoia about Chinese gear and if proven as known
evil, doesn't help Huawei's 5G aspirations...

~~~
deanclatworthy
The Chinese don't have to be covert about their tracking activities. It's part
of their society, and everyone (at least outside of China) is aware of it, and
nobody _inside_ of China is allowed to talk about it.

~~~
culturestate
People inside China are very aware of it; most just don't care that much. They
(willingly, if not happily) trade what westerners might consider pillars of
freedom for widespread prosperity.

When you consider the progress China has made over the last 50 years from the
perspective of a typical Chinese citizen, you can see why they make that
bargain.

~~~
mda
I hear this often, but it kinda implies they prospered because they had these
obnoxious rules; I fail to see if this is actually true. Wouldn't they still
be better without this tyrannical bullshit?

~~~
oblio
They would, but that requires a fight against a party apparatus of 1+ million
people, that controls the police, secret services and the army. And that in
1989 did what it did in Tiananmen and wouldn't be afraid to do it again, I'm
pretty sure.

So success would be far from guaranteed.

If I were Chinese I'd probably do the same trade they did.

After prosperity, keeping the lid on as hard as it is now is much, much
harder. And if changes don't come easily and naturally, I guess you can
emigrate.

~~~
mtgx
So then maybe they aren't so "happy" to make the trade, but afraid for their
status and lives if they don't obey?

~~~
oblio
Happy, probably not. Content? Most likely.

And what makes most people happy is having a rich personal life, rather than
achieving their political goals, I've found.

~~~
acct1771
Bread and circuses stave off revolution.

------
logicchains
Side note: I didn't notice the page was translated from another language until
after I finished reading it and noticed the title bar. Machine translation
between European languages has really come a long way.

~~~
Insanity
Oh wow me neither. Just one word (ombudsman) stood out to me, but I thought it
could exist in English. It does in my native language so I did understand it
:p

That's a nice translation!

~~~
gbrown
It does exist in English.

------
jgaa
It's a bug. The URL was corrected to mil.no/etjenesten in the software update
mentioned in the article.

~~~
gvand
If this is a joke, it's a nice joke.

Ah... the times we live in.

~~~
sumedh
What is the joke here?

~~~
aiCeivi9
Spying is ok, just data should end up in "Norwegian Intelligence Service" not
China.

------
LastZactionHero
Whoa! I had a cheap Nokia dumb phone a year ago that sent a daily SMS to a
number in China. Could never figure out what was in it, and support was no
help.

------
Markoff
"Nokia" phones, while it's really R&D and manufactured Foxconn phones sold by
reseller HMD which just slap Nokia sticker on them

~~~
kevin_thibedeau
To be fair. They are nicely made Foxconn phones.

------
paulcarroty
Guess Nokia devices are only the tip of the iceberg. Apple works better:
[https://www.theverge.com/2018/9/7/17832106/apple-utility-app...](https://www.theverge.com/2018/9/7/17832106/apple-utility-app-adware-doctor-stolen-china-removed)

Personally for me Google is an opposite of privacy.

------
j16sdiz
This is related to com.qualcomm.qti.autoregistration.apk :

[https://android.stackexchange.com/questions/191883/](https://android.stackexchange.com/questions/191883/)

[https://github.com/bcyj/android_tools_leeco_msm8996/blob/mas...](https://github.com/bcyj/android_tools_leeco_msm8996/blob/master/qrdplus/ChinaTelecom/apps/AutoRegistration/src/com/qualcomm/qti/autoregistration/RegistrationTask.java)

[https://twitter.com/drwetter/status/1081267425637814273](https://twitter.com/drwetter/status/1081267425637814273)

------
happppy
Statement from HMD Global:

We have analyzed the case and can confirm that there
has been an error in the packing process of software in a single batch of a
telephone model, which by mistake attempted to send activation data to a
foreign server. The data was never processed and no personal information was
shared with third parties or authorities.

This has now been fixed and almost any device affected by this error has now
installed the update. HMD Global takes the safety and privacy of our customers
seriously.

~~~
jsnider3
If that's an official statement, it should probably come with a link to a
corresponding press release.

Random hacker news comments aren't the most trustworthy.

------
taurath
That’s some pretty bad QC on Nokia’s part. It’s not like it’s clever even with
some takeover of the LTE chip, it’s just up there in your face running on the
application layer.

------
userSumo
I just bought the 7 plus a few weeks ago. Does anyone have a tip on what I
could do now?

~~~
_ink_
If you are located in the EU, file a DGSVO complaint. In fact, since HMD is
based in Finland you can probably do this anyway.

~~~
C14L
*GDPR. DSGVO is the German name.

------
pyman
I purchased a Xiaomi phone 4 years ago and some of the Xiaomi apps (cleaner,
antivirus, and link accounts) were sending personal info to China as well.
These suspicious apps were impossible to remove.

------
rrtwo
How can I check if my phone is emitting these packets?

~~~
cknight
Install NoRoot Firewall as HenryBemis mentioned, it's on the Play store. The
app tells you what IP addresses apps are trying to communicate with in a
fairly neat and simple way.

I've just installed it on my 6.1 Plus. Nothing sus yet but it's only been 5
minutes.

~~~
LoneWolf
I did install it too on my 6.1 and found the System app trying to connect to
several cloudfront IPs, can't find any kind of extra info, did you find the
same?
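
One way to run the check asked about in this sub-thread from outside the handset, so it does not depend on an on-device firewall (an added example, not part of any comment here): scan a resolver's query log for the hostname named earlier in the thread, zzhc.vnet.cn. It assumes a home router running dnsmasq with `log-queries` enabled; the log lines, client addresses and the `api.` subdomain are constructed sample data.

```python
"""Added example: flag DNS lookups for watch-listed domains in a dnsmasq log."""
import re
from collections import defaultdict

# Hostname taken from the thread; add others you want to watch for.
WATCHLIST = {"zzhc.vnet.cn"}

# dnsmasq with "log-queries" writes lines such as:
#   Mar 21 09:14:05 dnsmasq[812]: query[A] example.com from 192.168.1.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)\s*$"
)


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def is_watched(name, watchlist=WATCHLIST):
    """True for a watch-listed domain or any subdomain of one.

    Matching on a label boundary avoids flagging look-alikes such as
    'notzzhc.vnet.cn' that merely end with the same characters.
    """
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in watchlist)


def scan(lines, watchlist=WATCHLIST):
    """Return {client_ip: [(timestamp, qtype, name), ...]} for watched lookups."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line)
        if m and is_watched(m["name"], watchlist):
            hits[m["client"]].append((m["ts"], m["qtype"], normalize(m["name"])))
    return dict(hits)


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Mar 21 09:14:02 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.23
Mar 21 09:14:05 dnsmasq[812]: query[A] zzhc.vnet.cn from 192.168.1.23
Mar 21 09:14:05 dnsmasq[812]: forwarded zzhc.vnet.cn to 9.9.9.9
Mar 21 09:15:40 dnsmasq[812]: query[AAAA] ZZHC.vnet.cn. from 192.168.1.23
Mar 21 09:16:11 dnsmasq[812]: query[A] notzzhc.vnet.cn from 192.168.1.40
Mar 21 09:17:30 dnsmasq[812]: query[A] api.zzhc.vnet.cn from 192.168.1.51
""".splitlines()

if __name__ == "__main__":
    for client, events in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} lookup(s)")
        for ts, qtype, name in events:
            print(f"  {ts}  {qtype:<4}  {name}")
```

A device that contacts a hard-coded IP address or resolves names over DNS over HTTPS will not appear in this log, so an empty result is not proof that nothing was sent.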

------
higfujk
We need more surveillance on people and their actions! It's a shame that the
Android store lets very suspicious apps be uploaded!

------
C14L
If the GDPR is any good, this should cost HMD a lot of money.

------
codedokode
I think it is also worth investigating whether phones secretly send any data
to Western companies. Chinese authorities cannot do anything to you unless you
come to China, but USA authorities have the power to extradite people from
most countries. Sending data to US companies is much more dangerous than
sending them to China. This can literally get you into jail.

For example, many apps, especially messenger and social network apps secretly
or openly export contact lists from devices. Not only is this highly
unethical, it might be a violation under GDPR because the information in the
contact list is personal information and you must obtain the permission of
that person for transferring the data abroad, not only the permission of the
phone owner.

Almost every mobile app collects IMEI, a hardware identifier that allows
governments and mobile companies to track the precise location of your phone.
While such data are highly sensitive, they collect it without any second
thought. Even a simple keyboard app was collecting all the data it could grab
[2].

I can remember how Google was collecting WiFi data, without permission from
access point owners. It was also collecting the traffic sent over WiFi [1].

It seems like the companies in every country have similar interests for users'
data.

Also, I have a noname Chinese phone and when I examined its traffic with
Wireshark, it was attempting to send data with IMEI to Chinese servers
(luckily I had no SIM card inserted so it couldn't get a phone number). It was
sending data to Google servers as well, but sadly they were encrypted with SSL
and even installing a self-signed root certificate on the device didn't help
to decode the contents.

So I think there should be better regulation of data collection. The general
rule ("not a single byte" rule) should be that no data can be sent anywhere
without explicit user's consent (not a phrase somewhere in the EULA). Also I
think the manufacturers should put large warnings on the boxes, like the ones
on the cigarette packs, like "This device sends all your private data to
country X", "This IoT device will spy on you 24 hours a day", "This device
uses a cloud in country Y", etc. So that the consumers better know who will
spy on them.

[1] [https://www.wired.com/2012/05/google-wifi-fcc-investigation/](https://www.wired.com/2012/05/google-wifi-fcc-investigation/)

[2] [https://www.zdnet.com/article/popular-virtual-keyboard-leaks...](https://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/)

------
anilakar
Nokia is just a name on the phone. The trademark licensee is HMD Global while
engineering and manufacturing has been outsourced to Foxconn, a Chinese
company.

~~~
robjan
Foxconn is a Taiwanese company

Edit: I am not disputing the "One China Principle". The fact remains that
Taiwan is self-governed.

~~~
ElBarto
Which makes it a Chinese company, yes...

~~~
robjan
Regardless of border politics, Taiwan has its own government

~~~
est
Regardless of government, Taiwan is an island full of Chinese people, speaking
practice every aspect of (traditional-ish) Chinese.

~~~
robjan
People's race has nothing to do with their alignment with other governments.

------
ycombonator
Allegedly hacked entire OPM database, Marriott and other orgs. This allows them
to potentially blackmail key personnel they want to control. Imagine what they
can accomplish with the deployment of Huawei 5G.

~~~
camillomiller
This is bullshit. what's the connection? This is an Android based flaw. What
could Huawei 5G infrastructure do that couldn't yet be achieved through their
highly prevalent 4G infrastructure? Are we worried they're gonna spy on us
faster and with lower latency?

