Nokia (HMD Global) has just been found to be shipping spyware with their mobile phones. An investigation by the Finnish Data Protection Board is under way. Only, I had discovered it myself 9 months ago. I even wrote about it on Hacker News, yet nobody was willing to even comment on it. Why is that?
The news, especially in Nordic countries, is buzzing about Nokia. Buzzing but not in a good way. Henrik Lied, a journalist at NRK (Norwegian Broadcasting Company), discovered and published today an article detailing the privacy invasions of spyware in Nokia phones. You can read the original article in Norwegian here: https://nrkbeta.no/2019/03/21/norske-telefoner-sendte-personopplysninger-til-kina/.
HMD Global is being investigated by the Finnish Data Protection Board for alleged gross mishandling of private and personally identifiable information.
HMD Global, of course, denies any intention and claims that they have pushed an OTA update to fix the problem on affected devices. However, whether that is true or if there was intention in their mishandling of data by sending it to servers in China, is left for the officials in Finland to find out.
I had known about the spyware in Nokia devices for 9 months already, that is, since I first bought a Nokia 2 phone. I contacted Nokia over Twitter, but it fell on deaf ears. I posted online: no reaction, no response.
Nokia devices running Android are made by Foxconn, a Taiwanese company manufacturing hardware for almost all major smartphone makers, most notable being Apple. Of course, the phones all say “Made in China”, so, that doesn’t come as a surprise.
Nokia devices are also part of Google’s Android One program, which claims to offer Android phones with stock software and user experience from different manufacturers, and promises updates for 2 years after the device is sold (well, designed and put onto market).
What many people don’t know is that Nokia or HMD Global don’t actually make the software for the phones they brand and sell. The software is made by Evenwell Digitech Inc. (www.evensoft.com.tw) (shortened to Evenwell), a Taiwanese programming firm that specializes in making firmware for embedded devices, including Android based devices such as phones, tablets, set top boxes, etc, and generic smartphone apps, games, and other kinds of software. At the time of writing their website has been taken down.
Evenwell supplies all OEM apps in the Nokia phones’ firmware; a list of what I found on my Nokia 2 can be found here: https://pastebin.com/5d5Kfqt1 (mirror here). Included in the list is the app com.evenwell.autoregistration, and many others made by them.
The autoregistration app is interesting because its source code is available here: https://milankragujevic.com/uploads/AutoRegistration.java. Basically, Henrik discovered that it sends the following information to a server in China, specifically zzhc.vnet.cn (over HTTP of course, no SSL in sight…):
image source: nrkbeta.no/Henrik Lied
As you can see in the image, it sends the IMEI of both SIM slots, the ID of the base station your device is connected to (which instantly gives the 3rd party that receives the info an approximate (up to 500 meters) location of the device), and your SIM card IMSI ID and ICC ID (which can identify you by the SIM card even if you change phones).
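A defensive check built on the behaviour described above, as an added example that is not part of the original post or of the app's code: it scans proxy-style log lines for requests to the reported host and for IMEI, IMSI-like and ICCID values sent over plain HTTP. The log format, URL paths, parameter names and identifier values are constructed for illustration; only the host name zzhc.vnet.cn comes from the article.

```python
import re
from urllib.parse import urlsplit

REPORTED_HOST = "zzhc.vnet.cn"  # destination named in the article
# Constructed sample log: format, paths, parameter names and values are assumptions.
SAMPLE_LOG = """\
2019-03-21T10:00:01Z POST http://zzhc.vnet.cn/register imei1=490154203237518&imsi=242011234567890&iccid=8947010000123456784
2019-03-21T10:00:05Z POST https://updates.example.org/check model=TA-1029&build=00WW
2019-03-21T10:00:09Z POST http://telemetry.example.net/ping id=490154203237518
"""

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; validating it cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(token):
    """Label a digit run as a likely device or SIM identifier, else None."""
    if len(token) in (19, 20) and token.startswith("89"):
        return "ICCID"              # 89 is the telecom industry prefix
    if len(token) == 15 and luhn_ok(token):
        return "IMEI"
    if len(token) == 15 and token[0] in "234567":
        return "IMSI-like"          # geographic mobile country codes start 2-7
    return None

def scan(log_text):
    """Return (timestamp, host, reasons, identifier kinds) per flagged line."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, _method, url, body = line.split(" ", 3)
        parts = urlsplit(url)
        kinds = sorted({k for k in map(classify, re.findall(r"\d+", body)) if k})
        reasons = []
        if parts.hostname == REPORTED_HOST:
            reasons.append("reported-host")
        if parts.scheme == "http" and kinds:
            reasons.append("cleartext-identifiers")
        if reasons:
            findings.append((ts, parts.hostname, reasons, kinds))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

An IMSI has no check digit, so the "IMSI-like" label is a heuristic and should be confirmed against the parameter name or the SIM in question.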
It is too early to say, but my hope is that HMD Global, if proven to have intentionally included the spyware, or if it’s proven that they have been aware of the spyware but did not take the necessary steps to remove it and notify users whose private information they sent over an insecure channel onto an insecure destination server in a country non-compliant with GDPR laws, is fined a proportionally large sum of their revenue, because the only way you can hurt a big company is by the wallet.
However, I’m frankly speechless at the lack of reaction this has (not) caused. Google is consistently called out for being our “big brother”, “the always watching eye”, etc., but this is even worse, because at least Google has a clear business model to sell you ads, while the Chinese government can’t sell you ads, but can use your information in other, more nefarious ways. I don’t want to defend Google, I don’t like their practices of silent data collection and on-by-default telemetry, and constant tracking and data collection, but they are based in Ireland (for the EU market), and they must comply with GDPR. China does not, and most certainly will not.
This just goes to show how we, as a society, trade our personal liberties, our rights to privacy, and our personal life, to the corporations and governments, in exchange for convenient online services and cheap devices (subsidized by the sale of our private data).
If you own a device running Android 8.1 or newer, which has Treble enabled, you can unlock the bootloader and flash a Generic System Image that you yourself can compile and audit. My daily phone is a Motorola One with the whole system wiped and replaced with an AOSP (pure-from-Google, but without Google Services, so no Play Store, Maps, YouTube, etc.) image that I automatically build every month with the latest security patches.
I applaud efforts like Puri.sm’s Librem 5 phone, and attempts to run Android or other OSes without any blobs or third party closed source firmware (like PostmarketOS). We need more open source and libre devices in our lives.
And last, though unrelated… Please, for the love of all, do not buy any IoT devices and connect them straight to the Internet. If you must have them, separate them on a VLAN or a different SSID with no Internet access.