Blu, Amazon Tussle Over Smartphone Privacy Issues (Updated)

Update, 8/1/17, 2:20pm PT: After this story was published, Blu responded to our request for comment with the following: "Since Nov 2016 when the initial privacy concern was reported by Kryptowire, which BLU quickly remedied, Amazon has been aware of the Adups and other applications on our BLU devices which were deemed at the time by BLU, Amazon, and Kryptowire to pose no further security or privacy risk. Now almost a year later, the devices are still behaving in the same exact way, with standard and basic data collection that pose no security or privacy risk. There has been absolutely no new behavior or change in any of our devices to trigger any concern. We expect Amazon to understand this, and quickly reinstate our devices for sale."

Original article: 8/1/17, 11:15am PT:

Smartphones are expensive. Here in the U.S., shoppers are left with three options: pay hundreds of dollars out of pocket, enter a contract with a wireless network provider, or find something that can get the job done without breaking the bank. People who choose the last option might be unwittingly giving away their personal information, however, according to the Kryptowire security company.

And it seems Amazon won't put up with that. The online retailer has pulled devices made by Blu, a Florida-based company, from its virtual shelves. "We recently learned of a potential security issue on select BLU phones, some of which are sold on Amazon.com," a company spokesperson told Tom's Hardware. "Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved. For more information, customers should contact BLU Products customer service at 1-877-602-8762 or service@bluproducts.com."

You can still find Blu's phones at other retailers, including Best Buy and Newegg, but vanishing from Amazon's storefront could still be a devastating blow to the company.

Here's the issue. Kryptowire revealed in November 2016 that it discovered mobile firmware that "actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)" in several Android smartphone models.

That was just the tip of the iceberg. Kryptowire explained:

"The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices. The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information."

At last week's Black Hat conference, Kryptowire revealed that the firmware was still present on some devices. This time, however, it collected data in a much less obvious way. This implies that the company behind this firmware, Adups, knowingly collected personal information without permission and attempted to hide this data collection from the manufacturers who use its firmware. Blu still uses the firmware in some phones--hence the removal from Amazon.

According to Blu, though, its customers have nothing to be worried about. The company published a statement to say that "there is absolutely no spyware or malware or secret software" on its phones and that "these are inaccurate and false reports." It also pointed out that it hired Kryptowire after the November 2016 report to keep an eye on the Adups firmware's activities.

"The data that is currently being collected is standard for OTA functionality and basic informational reporting. This is in line with every other smartphone device manufacturer in the world. There is nothing out of the ordinary that is being collected, and certainly does not affect any user's privacy or security. [...] Regarding that some information may be stored in China servers, their privacy policy clearly states that some of the data collected can be stored in servers outside the US, there is absolutely nothing wrong with having a server in China. BLU management takes issue with the statement that any server in China is prone to risk while several other multibillion dollar companies and other mobile manufacturers such as Huawei and ZTE use them."

Blu put itself in some interesting company with that last bit. The U.S. has repeatedly questioned the security of Huawei devices specifically because they send information back to China, with the fear being that the Chinese government could access that information whenever it wished. Saying it's acceptable to store information in China-located servers because Chinese phone makers do the same thing is a stretch at best.

The company also doesn't appear to have been completely forthcoming in its statement, which said: "In addition, as per Tom Karygiannis, VP of Kryptowire, the data collection is in line with BLU's Privacy Policy, and does not constitute any wrongdoing by BLU." CNET reported that Karygiannis didn't authorize that statement, and when we contacted Kryptowire to learn more, he sent over the following response:

"Kryptowire presented the technical details and forensic evidence of our findings at Black Hat, one of the largest security conferences in the world, in front of an audience of the world's foremost security experts. We stand behind those findings."

We've reached out to Blu, Best Buy, and Newegg to learn more about the situation and to see if the retailers plan to follow Amazon's lead. We'll update this post if we receive a response.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • InvalidError
    I was tempted to get a BLU XL2 but I suspected that inexpensive phones with interesting specs would come at a hidden price. Maybe later when 3rd-party firmware becomes available.
  • Brian_227
    I just got a BLU XL2 a few months ago. Fantastic phone for a dirt cheap price. The privacy thing sucks, but I don't really care if China can see what I'm texting to my friends, none of it is really private anyways.
  • sykozis
    I find it laughable that Amazon claims to be concerned with the "security and privacy" of its customers considering the Echo has the ability to record and transmit everything that's said within range of its microphone back to Amazon...which is an invasion of privacy itself. I guess Amazon wants to be the only company invading the privacy of their "customers"....
  • BryanFRitt
    Every company (not just Amazon) 'wants to be the only company invading the privacy of their "customers"....'.
  • Olle P
    The reply from Blu that the current version has "data collection that pose no security or privacy risk" is laughable.
    I think it's more correct to state that the risks involved are not significantly greater than if you use any of the more mainstream smartphones that have Apple or Google track your every move.

    My best guess would be that the gathering of data is less sensitive with Blu, but the risk of misuse might be a bit higher.