Last July, Amazon suspended sales of the ultra-cheap Android phones made by Blu after mobile security firm Kryptowire demonstrated how the phones were collecting data and sending it to servers in China without telling phone users… Still.
In 2016, Kryptowire first noticed that Blu phones were calling home to China, sending user data every 72 hours, all without users being informed or opting in.
As of July 2017, the data (still) included browser histories, call logs, text message metadata (phone number with timestamp), phone subscribers’ International Mobile Equipment Identity (IMEI) numbers, International Mobile Subscriber Identity (IMSI) numbers, Wi-Fi MAC Addresses, lists of installed applications, and lists of applications used with timestamps.
Well, Blu phones are now back on Amazon, still nice and cheap. They start at $39.99.
But now, there are repercussions, besides Kryptowire’s Black Hat 2017 presentation on the data extraction – and those repercussions could get a bit more painful than that $39.99 per handset if Blu doesn’t shape up.
Namely, the Federal Trade Commission (FTC) has come to a proposed settlement with Blu over the issue. At this stage, the proposed settlement doesn’t carry any fines. But if Blu were to violate the final FTC settlement order, the company could be looking at a civil penalty of up to $41,484 per incident.
Here’s the FTC’s complaint. In it, the commission alleges that Blu and its co-owner and president, Samuel Ohev-Zion, misled consumers, stating that third-party collection of data was limited to only that needed to perform requested services. The FTC alleges that Blu also falsely let on that it had implemented the physical, electronic, and managerial procedures that would protect consumers’ personal information.
Blu, based in Florida, contracted with the third-party firm ADUPS Technology (in 2016, the full name was Shanghai Adups Technology Co. Ltd.) to issue security and operating system updates to its devices. But ADUPS sent way more data than just that, just as Kryptowire had found: ADUPS sent the full content of people’s text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on Blu devices, according to the FTC complaint.
Besides shipping off all that personally identifiable information (PII), the ADUPS firmware could also:
- Identify specific users and text messages matching remotely defined keywords
- Bypass the Android permission model
- Execute remote commands with escalated (system) privileges
- Remotely reprogram devices
The collected information was getting multiple layers of encryption (albeit with a plaintext decryption key that Kryptowire analysts uncovered), then being sent to a server in Shanghai. None of this raised flags with mobile anti-virus tools, which presume that software pre-packaged on a device isn’t malware and hence give it the green light.
Back in 2016, nobody was quite sure if the data-mining was being done for ad-slinging or potentially for spying on behalf of the Chinese government.
ADUPS pointed to the ad-slinging explanation. It’s not a bug, according to a document it provided to Blu execs to explain the problem. Rather, it was a big mistake, ADUPS said. The document said that ADUPS intentionally designed the software to help a Chinese phone manufacturer monitor user behavior. That version of the software was never intended for American phones, ADUPS said.
The FTC complaint alleges that Blu and Ohev-Zion failed to put in security procedures to keep an eye on the security practices of the company’s service providers; failed to have written data security procedures regarding service providers; and failed to adequately assess the privacy and security risks of third-party software installed on Blu devices. Also, preinstalled ADUPS software contained “common security vulnerabilities that could enable attackers to gain full access to the devices,” the FTC alleged.
In November 2016, when the data-nabbing first came to light, Blu issued a statement about ADUPS having updated its software. Blu claimed that the service provider had stopped all that surprising data collection.
Wrong-o, the FTC alleges: Blu did, in fact, let ADUPS keep right on hoovering up the data on its older devices.
The proposed settlement prohibits Blu and Ohev-Zion from “misrepresenting the extent to which they protect the privacy and security of personal information” in the future. It also requires them to “implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information.” For the next 20 years, Blu’s also looking at third-party assessments of its security program every two years. Its record-keeping and compliance will also be monitored.
The FTC has published the proposed consent agreement package on the Federal Register. It will be up for public comment until 30 May, after which the FTC will decide whether to finalize what is now a proposed consent order. You can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.
Once the FTC has issued the final consent order, it carries the force of law with respect to future actions. Each violation could lead to a civil penalty of up to $41,484.