Amazon has taught an electronics maker a powerful lesson about respecting consumers’ privacy, but it’s tough to say what the lesson is exactly.
Most users of computers of all kinds (from mobile devices up to gaming desktops) suspect that their machines might be doing things that their owners wouldn’t be crazy about if they knew, such as spying on them or futzing with the ads that display as they surf the web.
But how can consumers know? The misbehavior takes place deep in the code, executed by software none of us can see and reporting on us in ways we couldn't interpret even if we could watch the data being copied to some stranger's remote server. We simply have to trust that privacy policies tell the truth.
But security researchers are constantly scouting for sketchy behavior by devices and applications. Case in point: the inexpensive Android phones from Blu. In November 2016, enterprise mobile security company Kryptowire reported that software pre-installed on Blu phones collected users' data without notifying them.
Kryptowire presented its findings at the Black Hat security conference last week. Blu phones come pre-loaded with firmware-update software from a company called Adups. Because it ships as part of the system image, this software cannot be removed without first obtaining privileged access to the device (colloquially known as "rooting" it).
In its November report, Kryptowire wrote that it observed devices sending call history, text messages, the unique identifier of the mobile service subscriber (the IMSI) and the unique identifier of the device (the IMEI). It also found that the software searched text messages for key words and sent full text messages back to Adups servers in China. The transmissions were encrypted, but Kryptowire located the encryption key and decrypted them.
Since the Kryptowire finding, Adups has reported that it is no longer collecting personally identifiable information, but Kryptowire told Black Hat attendees that it has continued to observe the same behavior, though more carefully hidden and not necessarily on Blu devices.
In a November statement, Adups explained the searching and parsing of users’ text messages by saying it had created an application to screen and block promotional messages. It wrote, “In response to user demand to screen out junk texts and calls from advertisers, our client asked Adups to provide a way to flag junk texts and calls for users. … [The] application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user’s contacts.”
Blu devices aren’t the only ones to carry the Adups software, and Kryptowire has noted that it behaves differently from device to device. Another maker of cheap Android phones, Cubot, also uses Adups software. “In May 2017 on the Cubot X16S device, we observed the user’s call log, text message metadata, browser history, list of installed apps, list of apps used and unique device identifiers being exfiltrated by Adups,” Kryptowire’s Tom Karygiannis wrote the Observer in an email.
On Wednesday, Kryptowire released additional technical details, describing tests from May on Blu Grand M, LifeOne X2 and Advance 5.0 devices.
Following the Black Hat presentation, Amazon stopped selling the complete line of Blu Android phones, as CNet previously reported. Cubot devices continue to be offered on the ecommerce site. Other devices likely use customized Adups software as well.
An Amazon spokesperson shared the following statement with the Observer: “We recently learned of a potential security issue on select Blu phones, some of which are sold on Amazon.com. Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved.”
Neither Adups nor Blu was immediately available for comment. In a statement from this past December, Adups wrote, "Adups has not shared the collected user data with any third party, including any government agencies or private parties." The full statement largely confirmed Kryptowire's findings from the month prior.
"Adups does not believe consumer identity is at risk due to this incident. None of the collected data identified any particular user," it wrote. Yet connecting a user to everything Adups holds about them would take nothing more than learning that person's subscriber or device ID, since those identifiers were collected alongside the call logs and messages, or a single text in which someone who wrote to them used their name. De-anonymizing this dataset would be simple. As we've previously reported, almost any three data points are enough to identify just about anyone.
Amazon declined to comment further on its decision to discontinue sales of Blu phones, specifically on what measures Blu would need to take in order to resume sales on the dominant ecommerce site.
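To make the linkage point concrete, here is an added example (not code from the Observer, Kryptowire or Adups) that runs over a small constructed set of records of the kind described: each row carries the subscriber ID (IMSI) and device ID (IMEI) but no name. The two side tables, a carrier activation list keyed by IMSI and a retailer order record keyed by IMEI, are hypothetical; either one is enough to attach a real name, and where neither is available the names correspondents use in their messages give a strong hint.

```python
"""Re-identifying 'anonymous' exfiltrated phone records by joining on the
persistent identifiers collected with them. All data below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample of exfiltrated records: no name field, but every row
# carries the IMSI and IMEI that tie all of one person's activity together.
EXFIL_RECORDS = [
    {"imsi": "310260000000001", "imei": "356938035643809", "kind": "sms",
     "peer": "+15551230001", "body": "Hey Alice, still on for dinner at 7?"},
    {"imsi": "310260000000001", "imei": "356938035643809", "kind": "sms",
     "peer": "+15551230002", "body": "Alice, your package arrived. Call me."},
    {"imsi": "310260000000001", "imei": "356938035643809", "kind": "call",
     "peer": "+15551230001", "body": ""},
    {"imsi": "310260000000002", "imei": "490154203237518", "kind": "sms",
     "peer": "+15551230003", "body": "Thanks Bob, see you Monday"},
    {"imsi": "310260000000002", "imei": "490154203237518", "kind": "sms",
     "peer": "+15551230001", "body": "Hi Bob - can you send the invoice?"},
]

# Hypothetical side datasets (constructed): a carrier's activation table
# (IMSI -> account holder) and a retailer's order record (IMEI -> purchaser).
CARRIER_ACTIVATIONS = {"310260000000001": "Alice Example"}
RETAILER_ORDERS = {"490154203237518": "Bob Sample"}

# A greeting followed by a capitalised word, or a capitalised word opening the
# message before a comma: the way correspondents address the recipient.
GREETING_NAME = re.compile(
    r"\b(?:Hi|Hey|Hello|Dear|Thanks)\s+([A-Z][a-z]+)\b|^([A-Z][a-z]+),")


def profiles_by_subscriber(records):
    """Group every record by IMSI. A persistent identifier links all of a
    person's calls and texts even though no name is ever stored."""
    profiles = defaultdict(list)
    for rec in records:
        profiles[rec["imsi"]].append(rec)
    return dict(profiles)


def names_in_messages(records):
    """Infer each subscriber's first name from how senders address them,
    taking the most frequently used name per IMSI."""
    votes = defaultdict(Counter)
    for rec in records:
        if rec["kind"] != "sms":
            continue
        for match in GREETING_NAME.finditer(rec["body"]):
            votes[rec["imsi"]][match.group(1) or match.group(2)] += 1
    return {imsi: counts.most_common(1)[0][0] for imsi, counts in votes.items()}


def reidentify(records, carrier=CARRIER_ACTIVATIONS, retailer=RETAILER_ORDERS):
    """Attach a name to each IMSI profile using whichever link is available:
    a join on IMSI, a join on IMEI, or the name correspondents used."""
    result = {}
    for imsi, recs in profiles_by_subscriber(records).items():
        imei = recs[0]["imei"]
        if imsi in carrier:
            result[imsi] = (carrier[imsi], "carrier activation (IMSI)")
        elif imei in retailer:
            result[imsi] = (retailer[imei], "retailer order (IMEI)")
        else:
            hint = names_in_messages(recs).get(imsi)
            result[imsi] = (hint, "name used by a correspondent" if hint else "unlinked")
    return result


if __name__ == "__main__":
    for imsi, (name, how) in reidentify(EXFIL_RECORDS).items():
        print(f"{imsi}: {name} via {how}")
    print("message hints only:", reidentify(EXFIL_RECORDS, carrier={}, retailer={}))
```

The point is that removing the name column does nothing when the IMSI and IMEI remain: they are stable, globally unique keys that carriers, retailers and other apps already hold, and a single join on either restores full identity for every call and message in the set.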
For example, did Amazon object to the collection of data itself or did it object to the failure by Blu to notify users of the data collection?
If notification is the issue, would it be sufficient for notification to occur on the device (which would necessarily occur subsequent to purchase) or would it need to be included in marketing materials so that consumers could decide before purchase?
So Amazon has definitely sent a message to hardware makers about privacy, but we don't know exactly what that message is.
Still, an obtuse admonition is better than no admonition at all.
UPDATE: Added link to additional technical details released by Kryptowire the day after publication. Aug 2, 2017 1:25 PM.