Kryptowire revealed more information about vulnerabilities present in smartphones made by Cubot and Blu. The security company explained what information is at risk, how that data is exfiltrated, and, in some cases, where the servers used to store this "private" info are located.
This report comes shortly after Amazon pulled Blu smartphones from its storefront. Amazon said in a statement to Tom's Hardware that it stopped selling the products because it "recently learned of a potential security issue" in some Blu devices. That revelation came courtesy of Kryptowire, which in November 2016 discovered several worrying items in budget smartphone firmware made by Adups, a Chinese company.
Blu told us that the devices in question "are still behaving in the same exact way, with standard and basic data collection that pose no security or privacy risk," and that "there has been absolutely no new behavior or change in any of our devices to trigger any concern." This report bears that out, but not in the way Blu might have wanted. Kryptowire said flaws in the Blu Advance 5.0 have been "unaddressed since late 2016."
Not that Blu is the only company mentioned in Kryptowire's report. The company said vulnerabilities in the Cubot X160S can also compromise:
Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC Address, list of installed applications, and the list of applications used with timestamps. [...] The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action
Flaws in the Blu Grand M and Life One X2 can also reveal "cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps," Kryptowire said. You can find the full details, including which exfiltration apps are used on each device and where that information is stored, in the company's report on these serious vulnerabilities.
These flaws endanger the personal information of anyone who's purchased the Cubot X160S, Blu Advance 5.0, Grand M, or Life One X2. This episode highlights a problem with cybersecurity: Should it be limited to premium smartphones, or should all devices protect user data? And if it's limited to more expensive products, should consumers be told their data is at risk so they can make an informed decision while they're shopping?
You can check out Kryptowire's presentation from Black Hat 2017, where it first revealed the persistence of these vulnerabilities, here. The company explained its decision to share more technical information after its presentation in its new report:
After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed different mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties. As part of this effort, we presented our findings in the briefings section of Black Hat 2017. We decided to provide more technical information to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in terms of code and in terms of network traces, to support them.
Kryptowire advised people who own affected smartphones to check their manufacturer warranty or retailer's terms of purchase to find out how to respond. In the meantime, Amazon has decided to (at least temporarily) suspend sales of Blu devices. Other retailers, including Best Buy and Newegg, continue to sell the company's phones and have not responded to our requests for comment.