Amazon said it’s suspending sales of Android phones made by Blu following a presentation last week that said that three of the manufacturer’s models sent sensitive personal information to third parties in China.
Last week’s presentation at the Black Hat security conference in Las Vegas by security firm Kryptowire came eight months after the same company first warned about Android devices sold by Blu. That earlier report said the low-cost phones sent massive amounts of personal data about the phones and their users’ activities to servers that were owned by AdUps Technologies, a China-based firmware update provider.
The data sent to AdUps servers at the time included the full body of text messages, contact lists, call histories with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. AdUps officials responded by saying the data collection was a mistake and was being curbed. At Black Hat, however, Kryptowire researcher Ryan Johnson said that three models of Blu phones continued to collect a more limited set of users’ personal information. Earlier this week, Amazon officials responded by saying that the online store will stop selling the manufacturer’s devices until the issues are fixed.
“We recently learned of a potential security issue on select BLU phones, some of which are sold on Amazon.com,” Amazon representatives wrote in a statement. “Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved.”
A quick search on Amazon as this post was being prepared, however, showed that the online store continued to sell some Blu phone models. It also showed that a separate model, the X16S made by a Blu competitor, Cubot, remained available for purchase despite Kryptowire’s warning that it, too, collected personal information. Amazon representatives didn’t respond to e-mails seeking clarification. The Amazon offerings didn’t include the three Blu models called out by Kryptowire.
Representatives from Blu, meanwhile, strongly disputed claims that any of its phones collect sensitive personal information.
“The data that is currently being collected is standard for [over-the-air update] functional[ity] and basic informational reporting,” Blu Marketing Director Carmen Gonzalez wrote in response to the Kryptowire presentation. “This is in line with every other smartphone device manufacturer in the world. There is nothing out of the ordinary that is being collected, and certainly does not affect any user’s privacy or security.”
“Surveillance typical in China”
Kryptowire said on Wednesday that it stands by its findings, and the company provided some of the technical information other researchers could use to confirm the data collection. The firm identified three phones made by Blu—the Grand M, Life One X2, and Advance 5.0. The first two send a variety of data—including cell tower ID and location, phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, a list of installed applications, and a list of installed applications with timestamps—to a server in China. The Blu Advance 5.0 contained code-execution and logging capabilities that could be used by third-party apps, a vulnerability that has remained unfixed since late last year. A separate phone made by a different manufacturer—the Cubot X16S—sent a variety of personal data, including users’ browsing history, to China-based services. The X16S also had the capability to send text messages when instructed by the third-party server.
At least one mobile phone security expert not involved in the controversy agreed with Kryptowire that the Blu phones represented a serious threat to users’ privacy.
“By forgetting to remove this code on phones being sold to the US, Blu has exported the surveillance that is typical in China to buyers that are unaware elsewhere in the world,” Dan Guido, CEO of security firm Trail of Bits, told Ars. The data being surveilled includes all the most sensitive information that a person would produce with their phone. Amazon is fully justified in their decision, and I encourage them to crack down further on similar privacy issues with Android phones sold on their website.”
Kryptowire’s warnings are troubling for millions of owners of low-cost phones. To keep prices low, manufacturers of these devices often turn to discount providers of over-the-air updates. As a result, there are legitimate concerns about the safety of their data collection practices.
“These are all examples illustrative of the firmware security issues,” Kryptowire Vice President Tom Karygiannis told Ars. “Blu is getting beat up a bit, but a bigger issue is who else is doing it and how does anyone know?”