Secret Backdoor in Some US Phones Sent Data To China (nytimes.com) 111
Security contractors have warned that many Android smartphones ship with preinstalled software that has a backdoor that sends all your text messages to China every 72 hours. (Editor's note: the link could be paywalled; here's the press release.) The New York Times reported Tuesday that "the American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence." From the report: International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.
Ads or government collection (Score:5, Insightful)
Why not both?
Is there some magical thing that says if something is collecting for advertisement purposes it can't be shared with intelligence agencies?
Re: Ads or government collection (Score:1)
Right. We know from the Snowden leaks that US intelligence doesn't miss any opportunity to collect data. Why would China be any different?
Backdoors (Score:2)
Meanwhile, Public Backdoor in Many Chinese Phones Sent Data To US.
Re: (Score:3)
So many web devs adamantly support advertising as the way to make money and keep their jobs. So why not support government spying a a means to make money, they've already sold their souls to the advertisers so one more concession shouldn't be a big deal, right? After all government spying at least is not as intrusive as ads, the government actually makes it a point to not clutter up the web pages or interrupt you in the middle of a video, and takes a neutral stance in the war between Budweiser and Coors.
Re: (Score:1)
Oh no what an awful accident (Score:4, Funny)
No reason to be alarmed. Clearly this is just a testing and debugging feature introduced by some errant developer that's been accidentally left in the release build firmware. It will be patched and fixed and you can all go back to buying these phones in safety. No way the Chinese government would have deliberately done this.
Re: (Score:1)
With the Chinese government half a world away, I am way more worried about the US Govt. having my text messages than Chairman Mao.
Re: (Score:2)
Don't worry, they didn't mention Grindr messages in the article.
Re: (Score:2)
I'm not worried either considering Mao's been dead for forty years. Chairman Meow on the other hand....
Re: (Score:3)
I'm not worried either considering Mao's been dead for forty years.
History is repeating itself. Xi Jinping is purging his political opponents, mostly by accusing them of corruption, and promoting a personality cult. It will be interesting to see if he steps down at the end of his term in office, or whether he stays on "for the good of the nation".
Re: (Score:2)
Even if the data sent from the phone to the Chinese is encrypted, the phone has to have the key, so it's trivial for just anybody to intercept and read your messages. Including the US Govt. or low-key scammers.
Re: (Score:2)
Apparently you never heard of asymmetric encryption. [techtarget.com] So, no the phone doesn't need to have the key required to decrypt the data.
Re: (Score:2)
The story is about your phone sending your personal data to some 3rd party, not about your phone downloading stuff from some 3rd party. Who has to encrypt and who has to decrypt there?
The only way to "secure" that somehow is to have some unique (and unpredictable) secret token burned into each phone, and derive the encryption key from it. The IMEI or serial number won't cut it.
Re: (Score:2)
Or have the phone encrypt the data with the servers public key, so only the servers private key can decrypt it?
Re: (Score:1)
Re: (Score:1)
Another Day, Another Android Exploit (Score:2, Funny)
Re: Another Day, Another Android Exploit (Score:5, Insightful)
This has nothing to do with Android... it's not a bug. This is preinstalled malware on Chinese phones.
Stop drinking the koolaid.
Re: (Score:1)
Stop drinking the koolaid.
If you look at TheFakeTimCook's posting history, you'll conclude that he's actually serving the koolaid. His posts are nothing but a constant stream of pro-Apple/anti-[everything else] drivel.
Looks like he pulled the trigger on this one with an anti-android dig without fully thinking it through.
I am honored that the AC has so little to actually do in his life that he/she can devote the effort to launch an in-depth analysis of my Slashdot Posts.
Perhaps if this alleged human would favor us with a Login, we could return the favor, and do an in-depth analysis if his/her Posting history, eh?
Re: (Score:2)
It may be tedious but you can uninstall bloatware from your big-brand Windows PC. The *^&%$ preinstalled Android stuff can't because they compile it into the ROM.
It's called "root". (Adminstrator for Windows user (Score:3)
It's called root. You enable root, then choose from any of the many apps which mount the "rom" read-write and you check off which pre-installed apps you want to remove.
Always a good sign... (Score:5, Interesting)
Re:Always a good sign... (Score:4, Informative)
This isn't new. Has everyone already forgot about Carrier IQ?
Re:Always a good sign... (Score:5, Informative)
I think that Bill Hicks's [youtube.com] thoughts on the matter are still quite appropriate.
Re: (Score:2)
The feds have the disadvantage of being more likely to call down the jackboots on you; but unless particularly irrational their desire to spend money on further surveillance is usually outweighed by their desire to fund other projects once they are reasonably confident that the major threats are being watched.
It has really been terribly
Re: (Score:2)
the only real difference is that espionage tends to run at a loss, while advertising is economically self sustaining.
I'm not sure what calculation that would be. Advertising costs money, is paid for out of revenue, which is paid for by passing the cost to customers. Espionage costs money, is paid for out of government funds, which is paid by passing the cost to tax-payers.
willing to bet, or at least think about (Score:2)
"updated the software to eliminate the feature" (Score:5, Funny)
Re: (Score:1)
Like everything else, it's totally dependent on your point of view.
Japanese (Score:5, Funny)
I'm going to send texts saying I'm eating Japanese food on a more regular basis now.
Hey honey, look at this Japanese sweet and sour chicken I'm eating. I feel like going to the Japanese restaurant for General Tsao's chicken tonight.
- that oughta piss 'em off.
Re: (Score:1)
General Tsao's Chicken is Chinese.
Re: (Score:2)
General Tso's chicken is "chinese" food (Score:1)
General Tso's chicken is about as Chinese as KFC. It's loosely based on Hunan cuisine but it originated in America ( NYC [wikipedia.org]). A shame really, authentic Chinese food is awesome. If you're ever in NYC hit up Xi'an Famous Foods [xianfoods.com], the lamb cumin noodles are fantastic. If you have more time, head over to Flushing and dive into almost any of the shops there and learn what real Chinese food is (and a good deal of it is much, much spicer than what your local take out place serves). I moved to NYC from Texas and I'm
Re: (Score:2)
It's loosely based on Hunan cuisine
I initially read that as "Human" cuisine...as a picky eater, I can say that the meaning of the sentence as a whole didn't change substantially once I noticed my error.
Re: (Score:2)
Exactly. And in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct. Food is a bit like language that way, in how it gets borrowed and adapted in ways that make purists cry... but no one else cares, and enjoys their food.
Re:General Tso's chicken is "chinese" food (Score:4, Funny)
Re: General Tso's chicken is "chinese" food (Score:1)
Re: (Score:2)
Re: (Score:2)
India is West of Japan
By Western, they do mean European. That's because the Japanese got curry from advisors from the British navy (who got it from India). Curry is a good way to prevent scurvy which the Japanese had a big issue with on their first naval trip to Hawaii and the Americas and spent month in port just recovering. So, they adopted British naval cuisine which was curry. Apparently, they still serve curry in the Japanese navy every Friday. They have done their own thing with it by adding flour to the sauce to make it t
Re: (Score:2)
in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct.
Japanese curry is an import from the UK, not from India, which gives it its Western credentials.
Said curry is gaining popularity in the UK. For the uninitiated, in both places it's commonly sold under the name "katsu curry" which is a direct corruption of the English word "cuts" (katsu curry is served as sliced chicken with breadcrumbs in a mild curry sauce with white rice). This isn't an exhaustive definition, the curry can be sold with things other than sliced breaded chicken.
There are two slightly odd/am
Re: (Score:2)
Japanese curry is an import from the UK, not from India, which gives it its Western credentials.
That's like calling spaghetti an American dish because it was introduced to someone by an American. Anyhow, my point is that it doesn't really matter what we think, as Japanese will continue to consider curry "western", even though it's not, and Americans will continue to think fortune cookies are Chinese, which they aren't. Meh.
Disclaimer: I'm not a Japanophile. I've just watched a lot of anime.
Re: (Score:2)
Japanese curry is an import from the UK, not from India, which gives it its Western credentials.
I see a lot of "Vermont Curry." Until going through Japanese curry options, I had no idea that Vermont was such a curry hotspot and originator!
Re: (Score:2)
General Tso's chicken is about as Chinese as KFC.
Most Americanized Chinese food is terrible. Even if you go to an authentic family-run Chinese restaurant, they will often have a separate menu for non-Chinese, with extra starch, grease, salt, and sugar, since they assume that is what you want. You have to specifically ask for the "Chinese menu". Just say "Qing gei wo zhongwen caidan". Oh, and the menu will be in Chinese, so you will need to learn to read hanzi.
Re: (Score:2)
I ordered the poached whole frog once from the Chinese menu. I went back to sweet & sour chicken real fast!
Re: (Score:2)
Re:Japanese (Score:4, Funny)
No one in China knows what the hell General Tso's Chicken is.
It's four pay grades better than Colonel Sanders' chicken, that's what it is!
Re: (Score:2)
Re: (Score:2)
mega-uber-whoosh
Re: (Score:2)
Is your phone affected? (Score:5, Informative)
From the press release, the affected phones have the following services installed:
com.adups.fota.sysoper
com.adups.fota
I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn
Re: (Score:1)
From the press release, the affected phones have the following services installed:
com.adups.fota.sysoper
com.adups.fota
I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn
How about carpet bombing the servers you just listed? It would most likely bring down the core of the Chinese internet. We can teach the Chinese how to play "Ping" pong with a good concerted dos session I am sure. While were at it we could really throw a monkey wrench into the jerks in the states that wrote the crapware in the first place. Adware on commercial products is one thing but hiding it should be punished with an equal dose of poison. Hell even Microsoft does not try to hide adware in the system in
Re: (Score:2)
In Soviet America, Chinese chairman spies you! (Score:2)
In Soviet America, Chinese chairman spies you!
Thanks Google (Score:1, Insightful)
Re: (Score:2)
wrong, on the phone manufacturer who installed evil software. the OS is irrelevant, can be done with any OS
Subnet blocked for SSH abuse (Score:2)
Which subnet? (Score:1)
Re: (Score:2)
Re: (Score:2)
What I do not agree to is foreign governments or actors having that info. I install precious few apps, mainly because 90% of them are garbage, and otherwise to limit my exposure. That, and XPrivacy + ho
There! (Score:1)
It's not "theoretical" anymore, Mr. Comey
Android wins! (Score:1, Funny)
Whats the difference anyway (Score:1)