Amazon Suspends Sales of BLU Smartphones Over Security, Privacy Concerns
2.8.2017 SecurityWeek Mobile
Amazon has suspended the sale of BLU Android smartphones after learning that there might be a potential security issue on select devices.
The giant online retailer has decided to make the BLU phones unavailable on its website despite their great popularity after Kryptowire security researchers revealed at the Black Hat conference last week that some devices gather a great deal of sensitive information and send it to servers in China.
“We recently learned of a potential security issue on select BLU phones, some of which are sold on Amazon.com. Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” an Amazon spokesperson told SecurityWeek via email.
The privacy issue initially surfaced in November 2016, when Kryptowire revealed that the firmware on some mobile phones sold in the United States via Amazon, BestBuy, and other online retailers included a backdoor and sent personally identifiable information (PII) to third-party servers without informing users. The BLU R1 HD smartphone emerged as one of the affected models.
The root cause was the commercial Firmware-Over-The-Air (FOTA) update software managed by a company named Shanghai ADUPS Technology Co. Ltd. BLU revealed in November that it had raised concerns over the practice and had gotten ADUPS to disable the data collection functionality.
At the time, ADUPS confirmed its data collection practices and also provided an explanation on why it collects so much user and device information. The company also said that it didn’t share text messages, contacts, or phone logs with others and that it even deleted information received from BLU phones.
Data collection could target specific users
In their presentation at Black Hat last week, Kryptowire’s security researchers revealed not only that the pre‐installed system apps from ADUPS collect a great deal of user data, but that they also can be used for surveillance to “target specific users and text messages matching remotely-defined keywords.”
Fine-grained device location information is also siphoned, along with user and device information including the full content of text messages, phone call history, unique device identifiers including the International Mobile Subscriber Identity (IMSI), serial number, Media Access Control (MAC) address, and the International Mobile Equipment Identity (IMEI) number.
The researchers say that the firmware also collects information on the installed applications and the order in which the user uses their applications, that it can bypass the Android permission model, execute remote commands with escalated privileges, and remotely reprogram the devices, in addition to allowing for the remote installation of applications without users’ consent.
“The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. Some of the collected information was encrypted and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed,” the researchers revealed.
Refined data collection
During their Black Hat presentation, the Kryptowire researchers revealed that affected BLU models include popular smartphones such as the BLU R1 HD and the BLU Life One X2. Other impacted devices include BLU Energy X Plus 2, BLU Neo XL, BLU Grand M, along with phones from other manufacturers, such as Cubot X16S, which continues to be available on Amazon.
The firmware on Cubot X16S was observed exfiltrating call logs, browser history, a list of installed apps, and unique device IDs. Furthermore, there is a command and control (C&C) channel allowing ADUPS to remotely execute commands as the system user.
On BLU Grand M, siphoned data included the list of installed applications, cell tower ID, used apps (with a timestamp), IMEI, IMSI, MAC address, serial number, and phone number.
Despite being caught red-handed, ADUPS hasn’t put an end to its data collection practice, but actually refined it. It only scaled back the data exfiltration on some devices, but kept the infrastructure for the PII exfiltration. With the C&C still alive and also active on certain devices, a firmware update could scale the data exfiltration back up, the researchers note in presentation slides shared with SecurityWeek.
They also reveal that the C&C channel would activate only after the device has been used for 20 days (not necessarily consecutive), and that the use of plain HTTP leaves the channel open to Man-in-the-Middle (MitM) attacks.
The user and device information collected by the ADUPS apps is sent to the company’s servers, which Kryptowire traced to locations in China. According to the researchers, there are certain ADUPS URLs that could be blocked to prevent the exfiltration of PII: http(s)://*.plumad.com, http(s)://*.adsunflower.com, http(s)://*.adfuture.cn, http(s)://*.advmob.cn, http(s)://*.adups.com, and http(s)://*.adups.cn.
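The block below is an added example, not code from the article, from Kryptowire or from BLU. It turns the six wildcard domains quoted above into something a defender can actually use: a hostname matcher that treats each `*.domain` pattern as covering the apex and every subdomain (but not look-alike names such as `notadups.com`), a scanner that runs that matcher over DNS query log lines, and a generator for dnsmasq `address=/domain/ip` sinkhole entries. The log format is a constructed dnsmasq-style sample; the `address=` syntax is real dnsmasq configuration, and everything else (function names, sample clients) is an assumption made for this example.

```python
import re
from typing import Iterable, List, Tuple

# Domains listed by Kryptowire in the article; the "http(s)://" prefix is
# dropped because matching is done on hostnames, not full URLs.
ADUPS_BLOCKLIST = [
    "*.plumad.com",
    "*.adsunflower.com",
    "*.adfuture.cn",
    "*.advmob.cn",
    "*.adups.com",
    "*.adups.cn",
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port so comparisons are stable."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):  # bracketed IPv6 literal: leave untouched
        return host
    return host.split(":", 1)[0]


def _apex(pattern: str) -> str:
    """'*.adups.com' -> 'adups.com'; a bare domain is returned as-is."""
    return normalize_host(pattern[2:] if pattern.startswith("*.") else pattern)


def host_matches(host: str, pattern: str) -> bool:
    """True if host is the pattern's apex domain or any subdomain of it.

    '*.adups.com' matches 'adups.com' and 'bigdata.adups.com' but not
    'notadups.com' or 'adups.com.evil.example'. The apex is included on
    purpose: blocking only subdomains would leave the bare domain reachable.
    """
    h, apex = normalize_host(host), _apex(pattern)
    return h == apex or h.endswith("." + apex)


def is_blocked(host: str, patterns: Iterable[str] = ADUPS_BLOCKLIST) -> bool:
    return any(host_matches(host, p) for p in patterns)


# Constructed dnsmasq-style query line, e.g. "query[A] bigdata.adups.com from 10.0.0.5"
_QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def find_blocked_queries(
    lines: Iterable[str], patterns: Iterable[str] = ADUPS_BLOCKLIST
) -> List[Tuple[str, str]]:
    """Return (client, queried_name) for every log line resolving a blocklisted host."""
    patterns = list(patterns)
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and is_blocked(m.group("name"), patterns):
            hits.append((m.group("client"), normalize_host(m.group("name"))))
    return hits


def to_dnsmasq_sinkhole(
    patterns: Iterable[str] = ADUPS_BLOCKLIST, sink: str = "0.0.0.0"
) -> List[str]:
    """Emit dnsmasq 'address=/domain/ip' lines; dnsmasq applies each to the
    domain and all of its subdomains, so one line per pattern is enough."""
    return [f"address=/{_apex(p)}/{sink}" for p in patterns]


# Constructed sample log (not real traffic); client addresses are invented.
SAMPLE_LOG = [
    "Aug  2 10:15:01 dnsmasq[1234]: query[A] bigdata.adups.com from 192.168.1.20",
    "Aug  2 10:15:02 dnsmasq[1234]: query[AAAA] www.example.org from 192.168.1.21",
    "Aug  2 10:15:03 dnsmasq[1234]: query[A] notadups.com from 192.168.1.22",
    "Aug  2 10:15:04 dnsmasq[1234]: query[A] ota.adfuture.cn. from 192.168.1.20",
    "Aug  2 10:15:05 dnsmasq[1234]: reply www.example.org is 93.184.216.34",
]

if __name__ == "__main__":
    for client, name in find_blocked_queries(SAMPLE_LOG):
        print(f"{client} resolved blocklisted host {name}")
    print("\n".join(to_dnsmasq_sinkhole()))
```

Matching on the resolver rather than on the device is the point here: the article notes that mobile anti-virus tools whitelist software that ships with the device, so a network-level block or alert is one of the few controls a user or an enterprise can apply without modifying the firmware. Note that a sinkhole only helps while the client uses your resolver; a firmware update could switch the agent to hard-coded IPs or a different set of domains, which is why the log scan (to see who is still talking to these hosts) matters as much as the block itself.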
BLU denies any wrongdoing
On Monday, BLU Products issued a public statement to respond to what it called “inaccuracies reported by several news outlets” by “making clear that there is absolutely no spyware or malware or secret software on BLU devices.”
While pointing out that it wasn’t aware of the ADUPS data collection when it came to light last year, the company also said that, when it became aware of the issue, in addition to asking ADUPS to turn off the functionality, “it decided to switch the Adups OTA application on future devices with Google's GOTA,” but that “some older devices still use ADUPS OTA.”
“The data that is currently being collected is standard for OTA functionally and basic informational reporting. This is in line with every other smartphone device manufacturer in the world. There is nothing out of the ordinary that is being collected, and certainly does not affect any user's privacy or security,” BLU Products says.
“BLU has several policies in place which takes customer privacy and security very seriously, and confirms that there has been no breach or issue of any kind with any of its devices,” the company also noted.
BLU also pointed out that its privacy policy does note that collected user data could be stored on servers outside the US: “BLU will retain any personal identifiable information (“PII”) that it collects through our software while you have an active BLU device. By using BLU devices, you are allowing your information associated with your device to be moved from your country of residence to the United States or any country where this data is stored.”
What BLU didn’t mention in the press release, however, was that the privacy policy was recently modified to state that the data might be stored on servers outside the United States.
The April 2017 and June 2017 versions of the policy stated: “BLU will retain any personal identifiable information (“PII”) that it collects through our software while you have an active BLU account and store it on servers located in the United States of America. By using BLU devices, you are allowing your information associated with your device to be moved from your country of residence to the United States.”
“We regularly review and make updates to privacy policy,” a BLU Products spokesperson told SecurityWeek via email, responding to an inquiry on the change.
The privacy policy also states that BLU shares PII with third parties “to fulfill obligations or services for BLU users,” and that “these companies have access to personal information needed to perform their services or functions, but may not use it for other purposes without the sole permission of the user.” This basically covers ADUPS’ November 2016 claim that it collects texts to better flag junk messages.
“We stand behind those findings” – Kryptowire
BLU’s representative also told SecurityWeek that the company’s phones pose no security risk, as they perform standard and basic data collection that all involved parties are aware of.
“Since Nov 2016 when the initial privacy concern was reported by Kryptowire, which BLU quickly remedied, Amazon has been aware of the ADUPS and other applications on our BLU devices which were deemed at the time by BLU, Amazon, and Kryptowire to pose no further security or privacy risk,” BLU’s spokesperson said.
“Now almost a year later, the devices are still behaving in the same exact way, with standard and basic data collection that pose no security or privacy risk. There has been absolutely no new behavior or change in any of our devices to trigger any concern. We expect Amazon to understand this, and quickly reinstate our devices for sale,” the representative concluded.
Kryptowire, however, disagrees with the claim, saying that their forensic evidence clearly shows that the data collection performed by the ADUPS software is a clear invasion of privacy.
At Black Hat, the security researchers revealed that ADUPS still provides firmware update services for BLU and that the Chinese company still collects a great deal of user and device information from the manufacturer’s devices, although it is less aggressive in doing so (the text messages and call logs are no longer exfiltrated).
“Kryptowire presented the technical details and forensic evidence of our findings at Black Hat, one of the largest security conferences in the world, in front of an audience of the world's foremost security experts. We stand behind those findings,” Tom Karygiannis, VP Product, Kryptowire, told SecurityWeek via email.