A serious, and potentially frightening, security vulnerability involving some Android smartphones came to light Tuesday.
Phones made by Blu, a U.S. company, were transmitting their owners' personal data to a computer server in China. It's not clear how the data was being used, though security experts say it could have been accessible by the Chinese government.
While the issue was discovered in phones sold by Blu, it could affect models from other manufacturers, and potentially millions of phones worldwide that all use software supplied by the same company, Shanghai Adups Technology Co.
The news story will evolve in the days ahead, but here's what you need to know now if you have—or might have—an affected phone.
How Was This Problem Uncovered?
Essentially, a researcher at a security firm called Kryptowire, located outside of Washington, D.C., wanted an inexpensive work phone for an overseas trip, and purchased a Blu R1 HD. Without expecting to find a problem, he and his colleagues experimented with the phone, looking at what kind of data it was transmitting, and where that data was going.
The researchers soon realized that something was amiss.
"We thought a lot of data on the phone was being accessed," says Azzedine Benameur, the company's director of research.
They traced the data collection to firmware, a type of software central to the operation of the phone, that had been written by Adups, the Chinese company. The Adups website says it supplies firmware to phone makers that include Blu and two of the world's biggest phone makers, ZTE and Huawei, which both sell phones in the United States. Those companies did not respond to a request for information.
The researchers say they shared their findings with Blu on Oct. 21, but initially didn't get a response. The researchers also disclosed the information to Amazon, a primary seller of Blu phones, on Oct. 26, and with Google, which makes the Android operating system, on Oct. 29. Kryptowire has since been in contact with Blu, according to Benameur.
What Exactly Does an Affected Blu Phone Do?
The phone makes an encrypted record of several kinds of phone data, and every 72 hours it uploads the data to a server in China registered to Adups. The data includes text messages, phone call history, and details of how the phone was being used. For instance, Benameur says, "They can tell you launched Facebook for 10 minutes and then switched to Google Maps, and so on."
Kryptowire discovered that the firmware can be set to sift through the data for specific phone numbers, names, or other key words, capturing and transmitting only that information. The researchers say their phone wasn't picking out specific text messages when they examined it.
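Because the uploaded record is encrypted, the observable the article gives a network operator is the cadence: one fixed destination contacted roughly every 72 hours. The script below is an added example, not Kryptowire's tooling or anything from the article; it assumes a hypothetical egress log format ("timestamp device destination bytes"), the log entries are constructed, and the upload hostname is a placeholder rather than the real server.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed egress log (not from the article): "timestamp device destination bytes".
# The destination hostname is a placeholder, not the actual upload server.
SAMPLE_LOG = """\
2016-10-22T03:14:07Z phone-a updates.vendor-placeholder.invalid 48213
2016-10-22T09:30:11Z phone-a www.example.com 1023
2016-10-25T03:14:12Z phone-a updates.vendor-placeholder.invalid 51877
2016-10-26T14:02:55Z phone-a www.example.com 880
2016-10-28T03:15:01Z phone-a updates.vendor-placeholder.invalid 47990
2016-10-30T12:00:00Z phone-b www.example.com 1200
2016-10-31T03:13:58Z phone-a updates.vendor-placeholder.invalid 50320
2016-10-29T12:00:00Z phone-b www.example.com 700
"""

def parse_log(text):
    """Group contact timestamps by (device, destination); lines may be unordered."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dest, _size = line.split()
        flows[(device, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows

def find_periodic_uploads(text, period=timedelta(hours=72),
                          tolerance=timedelta(minutes=30), min_events=3):
    """Return [(device, destination, mean_interval_hours)] for flows whose
    consecutive contacts all fall within `tolerance` of `period`."""
    hits = []
    for (device, dest), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue  # too few samples to call it a schedule
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hours = mean(gap.total_seconds() for gap in gaps) / 3600
            hits.append((device, dest, hours))
    return hits

if __name__ == "__main__":
    for device, dest, hours in find_periodic_uploads(SAMPLE_LOG):
        print(f"{device} contacts {dest} every {hours:.2f} h")
```

Ordinary browsing to www.example.com is not flagged because it has no stable interval, while the three 72-hour gaps from phone-a to the placeholder host are.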
How Can I Tell If My Phone Is Running This Firmware?
Only phones running a version of the Android operating system are involved; that means iPhone users don't have to be concerned.
Blu says that six of its models were affected—the R1 HD, the Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond. These are all low-priced phones—the R1 HD, the phone used by Kryptowire, sells for just $50, while the Energy X Plus 2 costs about $100. But the company isn't providing information such as a serial number or date of manufacture that could help consumers determine if their own phone has the problem firmware installed.
Consumer Reports contacted a number of other smartphone makers to see if their phones were affected.
Google says that its Nexus and Pixel phones did not carry the Adups firmware, but that it couldn't provide information on other Android phones. "Lots of Android activity is opaque to us," a spokesman says. "As you know, Android is open-source and anyone can use it."
Other phone makers that responded to our inquiry, including OnePlus, HTC, and LG, said they were still investigating to determine whether any of their phone models were affected.
According to Kryptowire researchers, there's no way for most consumers to determine if the Adups firmware is running on their phone. The company's investigation involved setting up a "man in the middle" attack to intercept data flowing off the phone before it was transmitted over the internet.
Okay, I Have a Problem Phone. Now What?
Blu says it has already fixed the problem. However, the details are unclear. Benameur says that Blu "contacted their supplier, Adups, who in turn turned off the data collection. As of today [Tuesday, Nov. 16] we do not observe data collection on the BLU R1 HD." However, Blu has not responded to inquiries asking for more information, or for how consumers can confirm that the issue has been resolved.
Assuming the phones have been fixed, that won't erase any personal data from Adups' servers. Nor is it clear how the information might be used.
Dan Guido, CEO of the cybersecurity firm Trail of Bits, speculates that some personal data could end up in government hands: "You might be in a rude awakening if you go through customs at a Chinese airport," he says. "From the Chinese censors' point of view, this is not a bug. It's a feature."
Wherever the data ends up, some security researchers suggest that the Adups program likely started as an exercise in marketing.
"It does seem pretty egregious to collect this kind of information," says Jason Hong, an associate professor of computer science at Carnegie Mellon. "There could be a lot of malicious things being done. On the other hand, we've also seen a lot of these advertising networks that just try to get as much information about you so that they can do better ads. So without more information, it's really hard to say for sure."
Should I Avoid Buying a New Blu Phone?
Blu phones aren't sold directly by the major phone carriers, but are instead available from retailers such as Amazon, which is where Kryptowire purchased its phone. Amazon has a 30-day return policy for phones, but says it will extend the policy in this situation.
An Amazon spokeswoman, Robin Handaly, told us that when the problem was discovered, "all impacted phone models were immediately made unavailable for purchase on Amazon.com," though other Blu phones were still available. "Now that the issue has been resolved, we're working to make these phones available to Amazon.com customers again."
What Phone Should I Buy?
You can start by checking Consumer Reports ratings. (We tested the Blu Vivo 5, which is not listed among the affected models. It earned a respectable score for a budget phone, but missed CR's Recommended phone benchmark.)
Editor's Note: This article has been updated to reflect new information from Kryptowire on its research into this issue.
Consumer Reports has no relationship with any advertisers on this website. Copyright © 2006-2016 Consumers Union of U.S.
Source:
What You Need to Know About the Phones Secretly Sending Data to China