Free is Not Always Free
We don’t seem to remember history very well, so, I guess, we are doomed to repeat it.
Trojan Horse from Flickr under Creative Commons License by Playinto
A Chinese company, ADUPS, makes a technology that a number of phone manufacturers buy and use. It allows the manufacturer to update the firmware in a phone or IoT device over the air (meaning, I assume, over the cellular, WiFi or Bluetooth network, not literally over the air). This gives the manufacturer a lot of control over the device. This is really not different from what Sprint, AT&T and Verizon do, but HOPEFULLY, they have more self control.
In ADUPS case, their technology was integrated into inexpensive phones made by, at least, ZTE, Blu and Huawei and sold by Amazon and Best Buy, among others.
The phones sell for between $50 and $100 and, apparently, are quite nice. The stated reason that they sell for so little money is that the user agrees to accept onscreen advertising. But how, exactly, do they target that advertising?
Kryptowire bought and tore apart a Blu phone from Amazon and guess what they found?
The phone transmits the full text messages, contact lists, call history with phone numbers and phone ID (IMSI and IMEI depending). It can target specific users using remotely defined keywords. It also collected information on the applications installed and bypassed the Android permissions model and executed remote commands with system privileges. Finally, it had the ability to reprogram the devices.
Being security conscious, ADUPS encrypted the data – wait – before it transmitted it to several servers in Shanghai, China every 72 hours.
Kind of sounds like a Trojan horse, doesn’t it?
ADUPS claims to have over 700 million active users; they have offices in Shanghai, Shezhen, Beijing, Tokyo, New Delhi and Miami.
Kryptowire has a graphic in their article, captured below, that compares this to CarrierIQ – the spying software that US Carriers used a couple of years ago that raised such an uproar. While neither one was cheered by privacy advocates, this new one seems to be worse.
http://www.kryptowire.com/adups_security_analysis.html
As you can see, there are a lot of similarities but a few “improvements” such as remote firmware update.
ADUPS, on their web site, said they do this to screen out junk calls and texts. First, at least for me, those don’t seem to be a huge problem and second, if they were honestly doing this wouldn’t they tell the owner of the device and give them a way to see what they are doing? That excuse doesn’t hold much water.
ADUPS claims that after they were outed for doing what they were doing, they disabled (but not removed) the feature.
They also say that they take privacy seriously and didn’t disclose the text messages, contacts and phone logs to anyone before they were caught. That doesn’t mean that they aren’t and didn’t disclose other information, they just (maybe) didn’t have time to disclose this information before they were caught.
This is why security researchers are so critical. You or I don’t have the time or skill to tear apart a phone and figure out what people are doing. If some folks in Congress have their way, this type of research will be completely illegal.
So just remember, if someone offers you a free (or nearly free) Trojan horse OR phone, you do get what you pay for. And likely, something extra – also for free.
It will be interesting to see if this software shows up elsewhere in the U.S. Based on where their offices are located, their target market seems to be China, Japan, India and Latin America, where the loss of privacy is outweighed by the benefit of getting a high end phone.
Information for this post came from Brian Krebs, Kryptowire and from a statement by ADUPS.
by 