Nov 16

Chinese IoT Firm Siphoned Text Messages, Call Records

A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

At the center of the spyware controversy is software made by Shanghai ADUPS Technology, a Chinese firm whose product touts the ability to wirelessly update software installed on mobile and IoT devices. The ADUPS technology is typically bundled with smart phones made by dozens of global wireless firms including ZTE, BLU and Huawei, and sold at popular consumer destinations like Amazon and BestBuy. Often retailing for between $50 and $100, the sleek and powerful devices sell so cheaply because they also require the user to accept on-screen advertisements.

An About Us page at ADUPS's Web site explains the company's foothold in the IoT market.

According to research released this week, the low up-front cost of these smart phones may be subsidized not just by ads but also by the theft of users’ private information. Researchers at Fairfax, Va.-based security firm Kryptowire say the ADUPS software gives the company near-total control over the devices it runs on, and that they have proof ADUPS has abused that control to siphon personal data from countless consumers.

Kryptowire researchers say they stumbled upon ADUPS’s spyware capabilities by accident after purchasing a $59 BLU R1 HD smart phone from Amazon.com for use during international travel. Prying apart the phone and the ADUPS software, they discovered that all call records and text messages to and from the device were being digitally copied, encrypted and secretly forwarded to a server in Shanghai, China every 72 hours.

They also learned that ADUPS’s product was able to mine user text messages for specific strings of text, as well as install and remove any software from host devices.

“This behavior cannot be detected by mobile anti-virus tools because they assume that software that ships with the device is not malware and that it is white-listed,” Kryptowire wrote in an advisory published Tuesday. “We were able to capture, decrypt, and trace the data on the network as they were sent to multiple server locations that are located in Shanghai, China.”
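The collection Kryptowire describes shows up on the wire as a fixed-cadence upload to a small set of servers, and that cadence is something a network owner can look for without trusting any software on the handset. The following is an added example, not code from the article, from Kryptowire or from ADUPS: it scans a constructed set of egress connection records, of the kind a home router or egress sensor logs, for (source, destination) pairs whose connections recur at a nearly constant interval. The IP addresses, host names and detection thresholds are assumptions made for the example; the 72-hour interval is the one the researchers reported.

```python
"""Flag periodic egress beacons in a set of connection records.

Added example, not code from the article, Kryptowire or ADUPS. It looks
for (source, destination) pairs that talk at a nearly fixed interval,
which is the pattern the article describes: an upload to one set of
servers every 72 hours, regardless of what the user is doing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample of egress flow records as a home router or egress
# sensor might log them: (timestamp, source IP, destination host, bytes).
# All addresses and host names are made up. 192.168.1.23 stands in for the
# phone; its uploads to "upload.example" recur every 72 hours with a few
# minutes of jitter, while its other traffic and the laptop's are irregular.
_BASE = datetime(2016, 11, 1, 3, 0)

FLOWS = [
    # Periodic uploads from the phone (a few minutes of jitter around 72 h).
    *[(_BASE + timedelta(hours=72 * i, minutes=j), "192.168.1.23", "upload.example", 48_000)
      for i, j in enumerate([0, 3, -2, 5, 1, -4])],
    # Ordinary, irregular browsing from the same phone.
    *[(_BASE + timedelta(hours=h), "192.168.1.23", "news.example", 120_000)
      for h in [0.2, 0.7, 26.0, 27.2, 90.0]],
    # Too few events from the laptop to judge either way.
    *[(_BASE + timedelta(hours=h), "192.168.1.40", "mail.example", 9_000)
      for h in [1.0, 49.0, 97.0]],
]


def find_beacons(flows, min_events=4, max_cv=0.05, min_period=timedelta(hours=1)):
    """Return [((src, dst), mean_period, cv), ...] for pairs that beacon.

    A pair is flagged when it has at least ``min_events`` connections, the
    gaps between them have a coefficient of variation (stdev / mean) no
    greater than ``max_cv``, and the mean gap is at least ``min_period``.
    The thresholds are assumptions for this example; tune them per network.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in flows:
        by_pair[(src, dst)].append(ts)

    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all timestamps identical; no cadence to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv and avg >= min_period.total_seconds():
            flagged.append((pair, timedelta(seconds=avg), cv))
    return flagged


def main():
    for (src, dst), period, cv in find_beacons(FLOWS):
        print(f"{src} -> {dst}: every {period} (cv={cv:.4f}); check what this host is")


if __name__ == "__main__":
    main()
```

Run as a script it prints the one flagged pair, the phone talking to the constructed upload host roughly every 72 hours. On real data, feed it the connection log from the router or firewall and treat any unexplained fixed-cadence destination, especially one contacted while the phone is otherwise idle, as something to block at the network edge and investigate. A cadence check will not catch exfiltration that is randomized or piggybacked on ordinary traffic, so it complements rather than replaces looking at what actually ships on the device.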

In a statement posted to its Web site, ADUPS said it collects “model information, device status, application information, bin/xbin information and summary information from phones and messages,” and that it has done so “in response to user demand to screen out junk texts and calls from advertisers.”

ADUPS further claims that the functionality was added in June 2016 to some Blu Product Inc. devices, and that it has since shipped an update through its firmware updating software to disable the spying functionality on Blu phones.

But Azzedine Benameur, director of research at Kryptowire, said ADUPS’s software — deeply embedded alongside the operating system on these mobile devices — gives it full ability to re-enable the spyware capabilities at any time. He says ADUPS’s public response to their research raises more questions than it answers.

“They do not provide how many devices were affected and how the data were used,” Benameur said. “Also, they don’t mention who had access to that data, including third parties and the Chinese government. Also, there might be other [manufacturers] and device models affected that ADUPS does not mention.”

ADUPS claims on its Web site to have a worldwide presence with more than 700 million active users, and that its firmware is integrated into “more than 400 leading mobile operators, semiconductor vendors and device manufacturers spanning from wearable and mobile devices to cars and televisions.”

“This is just one random device of theirs that we looked at,” Benameur said. “For a company that claims to provide over-the-air updates for 700 million devices, including cars and millions of IoT devices…this is really scary and unacceptable behavior.”

ADUPS's offer to business partners, January 2015.

ADUPS’s current site promises the company’s partners “big data analytics” and higher profit for partners. Earlier versions of the same page from 2015 and cached at the Internet Archive promise partners a slightly less euphemistic menu of services, from an “app push service,” and “device data mining” to “unique package checking” and “mobile advertising.” Interestingly, this story from January 2015 documents how ADUPS’s software has been used to install unwanted apps on customer mobile devices.

As for the Blu R1 HD phone? Benameur said it would be nice if it came with a disclosure that owners can expect zero privacy or control while using it. Aside from that? “At $59, it’s a steal,” Benameur said. “Minus the spyware, it’s a great phone.”

NEW IOT REGULATIONS?

The ADUPS scandal, first reported by The New York Times, comes as U.S. lawmakers are under increasing pressure to legislate basic software security standards for Internet-connected devices. Many low-cost IoT devices — from consumer routers to security cameras and digital video recorders (DVRs) — ship with little to no security built in. This has left millions of consumer devices ripe for exploitation by malicious hackers who enslave the devices in powerful cyber attacks designed to knock Web sites offline and otherwise disrupt Internet services.

Two of those attacks — an hours-long digital siege in October against Internet infrastructure provider Dyn, and a September attack that crippled KrebsOnSecurity for days — harnessed the computing power and network bandwidth of hundreds of thousands of Internet-based cameras and DVRs that were secured with the same default password and configured to be remotely controllable over the Web. A Chinese manufacturing firm whose electronics featured prominently in many of the IoT devices used in those attacks recently said it was issuing a recall for millions of the vulnerable devices — which were shipped with user credentials that were hard-coded into the devices and that could not be easily changed by users.

Both the attack on Dyn and against this site were referenced on multiple occasions today by lawmakers and witnesses to a U.S. House Energy & Commerce Committee hearing titled “Understanding the Role of Connected Devices in Recent Cyber Attacks.”

Bruce Schneier, a security expert who has long advocated holding software vendors legally liable for producing fundamentally flawed and/or insecure products, said the IoT attacks and this latest scandal with ADUPS are examples of a market failure that is crying out for government regulation.

“In many ways, the Dyn attack was benign,” Schneier said in his written testimony. “Some websites went offline for a while. No one was killed. No property was destroyed. But computers have permeated our lives. The Internet now affects the world in a direct physical manner. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.”

Schneier encouraged lawmakers to think about commercial software and hardware that gets shipped with junk security as a form of pollution: But instead of pumping liquid toxic waste into thinly-lined man-made cesspools, many makers of low-end electronics are churning out default-insecure products that will likely remain in operation — and therefore a public nuisance — for many years to come.

“We’re asking consumers to shore up lousy products,” Schneier told the committee. “It shouldn’t be that there are default passwords. These devices are low profit margin, they’re made offshore. And the buyer and seller don’t care. I might own this DVR, you might own it. You don’t know if it’s secure or not. You can’t test it. And you fundamentally don’t care. You bought it for the features and the price.”

Rep. Anna Eshoo (D-Calif.) called attention to a bill she’s offered — the Promoting Good Cyber Hygiene Act of 2015 — that calls on government regulators to develop best practices aimed at boosting public and private sector network security. As noted above, the White House and the Department of Homeland Security both did just that on Tuesday, each issuing guidelines on cybersecurity for IoT devices.

“We need a good housekeeping seal of approval on this, and my bill called for NIST [the National Institute of Standards and Technology] to set the standards — not Congress — because we really don’t know anything about that, and when we miss the mark we miss it by a wide mile,” Eshoo said.

Indeed, some experts have advocated creating a sort of government-approved Underwriters Laboratories for cybersecurity that would perhaps imprint its seal of approval on certified IoT devices. But Schneier said most consumers are unlikely to be moved by “a sticker that says this device costs $20 more and is 30 percent less likely to annoy people you don’t know.”

Instead, he suggested Congress should create a new federal agency to regulate basic secure design standards for IoT devices. “A U.S.-only regulatory system will affect the products in the rest of the world because this is software,” Schneier said. “Companies will make one software and sell it everywhere. It makes no sense for anyone to come up with two versions of their software.”

Bruce Schneier, left, and Kevin Fu.

Rep. Eshoo called the prospect of creating new bureaucracy in a Republican controlled Congress and White House an idea that was “dead in the water.”

“We have a continuing new, new majority and I don’t think they want to create a new agency,” Eshoo said. “They don’t like stuff like that. New agencies, new regulations, we’re dead in the water. But we can’t leave this issue dead in the water. Our country deserves better.”

If this Congress or the next is reluctant to mandate basic cybersecurity standards for IoT devices, they may soon find themselves forced to legislate in a hurry when people start dying because of IoT insecurity, Schneier said.

“The government is getting involved here regardless,” he said. “The risks are too great and stakes are too high, and nothing motivates government into action [more] than security and fear. In 2001, we had another small-government, no-regulation administration produce a new federal agency 44 days after the terrorist attacks. If something similar happens with the Internet of Things, we’re going to have a similar response. I see the choice here not between government involvement and no government involvement, but between smart government and stupid government. This is the world of dangerous things, and we regulate dangerous things.”

Emphasizing that point, Kevin Fu, chief executive at healthcare security provider Virta Laboratories, told the panel that the healthcare and medical device community dodged a bullet on the Dyn attack.

“Hospitals survived not by design, but by luck. The adversary did not target healthcare. This time,” Fu said in his written testimony (PDF). “Dyn represents a single point of failure for resolving Internet names, but hospitals have other kinds of single points of failure. For instance, heating and ventilation now resembles IoT with unpatched computers controlling negative pressure in units with highly infectious diseases.”

Such attacks, he said, have very quickly moved from the theoretical to real life. Earlier this month, a denial-of-service attack like the one that knocked my site and Dyn offline was reportedly used to shut off environmental controls at two apartment buildings in Finland, temporarily leaving residents there without heat or hot water for several days. Also this month, a hospital in the United Kingdom was forced to cancel surgeries and divert trauma patients to nearby hospitals after a cyberattack shut down its internal systems.

Fu urged Congress to study the feasibility of standing up an independent, national embedded cybersecurity testing facility modeled after the automotive crash testing conducted by the National Transportation Safety Board (NTSB). Such a center, he posited, could serve as a security test-bed for everything from consumer IoT devices to far more sensitive medical equipment and embedded health and safety devices, more of which are being connected to the Internet each day.

“The Mayo Clinic reportedly spends roughly $300K per medical device to perform security assessment, and they have thousands of models of devices,” Fu explained. “It makes little economic sense to have individual hospitals testing the security of devices that ought to remain secure for all 6,000 hospitals in the USA. Cybersecurity ought to be a public good much like automobile safety. Imagine if every car dealer were individually responsible for crash testing automobiles: costs would skyrocket and the public would have little confidence. A facility for embedded cybersecurity at the scale of a hospital could provide testing to both government and industry, while allowing students to conduct innovative research during surplus time.”

Fu also suggested that the government could do a much better job working with industry partners to encourage more people to pursue careers in cybersecurity.

“There are tens of thousands of unfilled cybersecurity jobs in the USA,” Fu said. “Existing approaches aren’t insufficient to train a large enough work force to counter growing cybersecurity threats against IoT devices, our economy, and infrastructure.”

Whether or not Congress tries to improve IoT security, miscreants who leverage poor IoT security for criminal purposes will continue their search for additional systems that can be rented out in denial-of-service attacks or used in high-stakes digital shakedowns for money, said Dale Drew, chief security officer at Level 3 Communications.

“Bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices that can detect and remove the threats,” Drew said. “Network operators, device manufacturers and users will need to remain vigilant to the security risks these devices present.”

Update, Nov. 20, 2:47 p.m. ET: ZTE issued the following statement. “We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.” ZTE has not responded to questions about whether ZTE devices outside the United States might have been affected.

54 comments

  1. We may never know how many devices were actually infected. Would anyone be really surprised if it was all of them?

    Jonathan @nc3mobi

  2. This story should be the number one lead story in every news room in America, but sadly it isn’t. The USA will only wake up after something truly terrible happens, and enough people die to make the Government care. I really hope I’m wrong, and we actually for once get our act together and do something now, instead of react to disaster later.

    • In the absence of exemplary leadership, it is often the case, unfortunately, that problems do not get addressed until after a crisis has delivered destruction. However tragic, disheartening, and maddening this may be, it is accordant with human nature. Institutional inertia, complacency, and the raw profit motive often carry the day.

    • Problem is, not enough congresscritters or other politicians understand technology to really make an impact on this. They wave broad legislation that may partially help the issue but not do what needs to be done. They don’t bother talking to experts in any field.

      • “They don’t bother talking to experts in any field.”

        A significant problem with today’s society (at least in most of the “West”) is a distrust of “experts”.

        The unfortunate fact is that many experts are making money from their expertise (the ambition of us all) and consequently they are seen as “not independent” and therefore “tainted”.

        The corrosive effect of lobbyists (which in a healthy political world would never been the powerful “industry” that it is) is stoking this effect.

    • Couldn’t have said it better. I guess the folks in government would rather respond to incidents than prevent the incidents from happening. America needs to keep four eyes (if not ten) on China and Russia’s manipulative schemes; else we will fall on our faces before them (Technologically speaking).

  3. Brian –

    I think that there’s a typo or two in the statement: “The Mayo Clinic reportedly spends roughly $300K per medical device to perform security assessment…”

    If not, I’ll do a security assessment for 10% of that amount on any device that they feel needs such an assessment.

    • @Elk Horn said: “I think that there’s a typo or two in the statement: ‘The Mayo Clinic reportedly spends roughly $300K per medical device to perform security assessment…’ If not, I’ll do a security assessment for 10% of that amount on any device that they feel needs such an assessment.”

      You need to take into account the cost of liability mitigation. Examples include duplication and verification of your analysis and assessment by an independent third-party laboratory, and the cost of malpractice insurance premiums over the life of the certification.

      • It occurs to me that the high cost of certification must serve as a barrier to replacing current equipment with newer, presumably improved (here I mean basic functionality, capability-, speed-, accuracy-wise, but to a lesser extent IoT) devices.

        • My info may be somewhat outdated because it’s 20 years old. Back then, an acquaintance of mine worked for a company that made medical devices. He told me that any change, other than a configuration file change, to the software in the device required complete re-approval by the FDA, which generally took a year and a lot of money.

          • Bob, this is still the way but more strict. Any major software or firmware revision requires the manufacturer to validate the code over again, have the vendor verify the results and do their own validation if necessary. After this process the information has to be on hand in the event of an FDA audit. Minor ticks in the software revision require a host of change control paperwork to validate any new user requirements or minor changes in the software. It goes beyond the medical devices though which drives up the cost of these security verifications/certifications for any device. Even an ERP system or MES system that handles manufacturing data for these devices will go through the same validation processes since they serve data related to these products. The amount of man hours and money spent handling these things at the company I work for is astronomical. On the upside no one has died and the FDA hasn’t shut us down.

            • “On the upside no one has died ”

              That’s a pretty darned good upside right there. Illustrates nicely WHY cutting corners on this kind of testing is bad idea.

              • This push for government regulations on IoT and cyber-security is great and all. I’m happy to be part of an IT group that takes software QA, validation, and compliance seriously. Although no matter how much effort the government puts in, at the end of next year there will still be companies that refuse to comply with NIST and DFARS who will try to make a final product push before being fined and blacklisted. That has me worried honestly because people will die and it’s inevitable due to corporate greed, lack of resources, etc.

  4. This covered quite the breadth. Things appear to be really accelerating in infosec.

  5. “The Mayo Clinic reportedly spends roughly $300K per medical device to perform security assessment, and they have thousands of models of devices…”

    Then the Mayo Clinic should sell their security assessment service, much like myriad other testing, certification, and calibration laboratories do. Once security certification is deemed mandatory, duplicating the same work that Mayo is doing across thousands of hospitals is not only wasteful, it is stupid.

    At the absolute most, the Government should simply mandate that security be tested and certified and that the non-government entity (or entities) doing the work be held both criminally and civilly liable for their certification.

    That is ALL the government should do! No more.

    Creating yet another bloated, wasteful, dysfunctional, union-controlled Government Behemoth to do connected device security assessment and certification, is WORSE than doing nothing!

    • Union controlled in the Federal Government? Where does this exist? LOL.

      • @Herb Clann said: “Union controlled in the Federal Government? Where does this exist? LOL.”

        Look no further than your local public High School as an example.

    • I agree, but you know the government will get deeply involved.
      Too many people are dependent on government taking care of everything! Government can’t even do what they are supposed to do correctly!

    • Because that strategy worked so well in preventing the financial crisis of 2008. Firms like Moody’s, S&P, and Fitch rubber stamped all those mortgage related securities with so many AAA ratings that the “A” key wore out on their keyboards.

    • Oh, mama get out the boots, the “s!!t” is flowing deep from that one.
      Okay, where is the Union involved in that one? China? USA? Where? They are a physical job product, like nurses, and ditchdiggers. Not programmers. Otherwise there would have been rules on the line that say, do the job the right way, yeah,dummies, they have rules that they, the Union worker have to follow, like do the job the right way. Not half assed, like most non union worker. Part of the Union compact is no one dies. Everyone takes home at the end of the workday. And the product they make, from a ditch to a space station, works the way it’s supposed to work. I cannot say that for others. My word, blaming others for your fault.

  6. I think the Chinese are just taking the data to make money marketing to phone users. If you can build a very specific demographic of your users advertisers will pay a premium to reach them. I had not thought of this before, but are there firewalls for smart phones that could be configured to block this outgoing data? Blocking the incoming ads might be interesting as well, but you’d have to fake the ads being seen so the company doesn’t catch on…

  7. As security is a moving goal just checking devices for basic security standards (aka common security issues that are already well-known at the time the device is shipped) won’t help much against any issues but the most trivial ones. Not that a big percentage of the devices on the market doesn’t have trivial issues, currently…

  8. More reasons not to trust anything made in China.

  9. Yet another pat on the back for you!

    Being a pro-active person, I messaged Amazon UK to ask were they aware of this issue. Their reply? “If you’ve any queries we advise contacting the phone’s manufacturer.” My draft reply? Highly offensive and which cost me £1 in my wife’s swearbox (for holidays). My actual reply is here: https://www.facebook.com/AmazonUK/posts/1810113385702783?comment_id=1810122492368539

    Have you Amazon contacts in the States who’ll get off their backsides and act?

    • Why are you picking on Amazon? It’s not their job to ensure that you’re being sold a safe product.

      • Why not ‘pick on Amazon’? They have a legal duty to ensure that what they sell is ‘fit for purpose/safe’. Is it different in the States?

  10. Thanks, Brian, for this first-class report. IoT security is an immense problem. Discussions of how to form a solution can only begin when we have solid facts. Technologists and legislators rely on reporters to dig up, verify, and publish these facts.

  11. Huawei hardware is found throughout the telecommunications infrastructure of western countries like the UK. ( https://www.ft.com/content/24bbea6e-ce87-11e2-ae25-00144feab7de )

    Is the UK government concerned that a foreign power could, if this hardware is remotely controllable, hamper the national communications system?

    It appears not; why they have even involved the Chinese in the building of new nuclear power stations! A “golden era of partnership”

    I hope this is unnecessarily alarmist and these two examples are not connected. After all, it’s not as if Chinese nuclear technology and telecommunications technology fall under the same organisational control – the chance of being able to remotely control a nuclear power station has to be as remote as say closing down an A&E Hospital department by a cyber-attack.

    It will never happen – we (all) hope. The British and the Chinese are very chummy now that Britain is turning its back on its European trading partners. The grovelling is embarrassing.

  12. And how is this different from Apple, Windows, Android? Or att, sprint, Verizon tracking, and ad insertion? I know, someone figured out, where it’s going. Unfortunately, the only device that didn’t do that, went bankrupt,
    I still have not figured out why IoT is needed. Or why a consumer cannot “open” a device. Remember even lightbulbs have this ability.

  13. Enough of the PC crap here! The Chinese are COMMUNIST and want our Real Estate ,called the USA. Communist are Liars, Thieves and Murderers.
    Their form of justice comes from the end of a gun barrel!
    The very “same people’s” (Communists) pictures that were on Christmas Ornaments on the U.S. People’s Christmas Tree in the White House, decorated by the Obama Staff!!!! Get it!!!

    Until all the manufacturing of our products are removed from any and all Communist countries as well any of our enemies, then we will have this going on -period.

    • Don’t worry. With the new administration coming in on 1/20/2017 the manufacture of all electronic devices purchased by Americans will be coming home from the PRC and be relocated to Pennsylvania and Michigan. Our new Leader has said so. You can now breathe easier.

    • Jeez, calm down, c/od. Your team won the election. Time to put aside all your anger and hatred and get on with whatever you deplorables consider a “fix” for US problems. The time for bitter comment-section ranting is behind you now.

  14. I agree with Calvin: it should be “number one story” across the public media sphere. The Signal Corps is not ignorant to this. Why is this national security matter not the top of the political agenda and public discourse? For the very fact that it is such a significant national security matter. It’s hybrid warfare at its best (or worst). And its existence as well as its deepest elements are secret.

    This uncontrolled IoT connectivity is a subversive (by nature of its invisibility; and perhaps by the nature of its motive and who is behind it) deployment of globalized digital assets and infrastructure with hints of “SkyNet”. Did you hear Henry Kissinger interviewed last week about D Trump’s win? He said that encroaching IA may be a greater threat than the likelihood of thermonuclear war.

    Don’t think this is off the radar in the western security and military establishment. Cyber dimension integration and the resulting vulnerability/growing capacity is exactly what governments want for themselves (whether it’s access to Google Mail, cell phone encryption, Microsoft auto up-dating and security management or hardware connectivity and device control mechanics). Who hasn’t taped over the video lens on their laptop or monitor? Who trusts their firewalls?

    Business’s greed will ensure government’s opportunity. The commercial drivers behind on-line real-time GIS analysis, device tweaking and content pushing are just too attractive a way to get money for nothin’.

    This (on-going) story exemplifies the deepest vulnerability in the pervasive, all-of-government/all-of-society warfare operations of today’s version of the cold war. There is nothing hyperbolic about the capabilities and threats being exposed here. Who will get control over the battlespace?

  15. I’ve got one major problem with the proposed solution of creating a new federal agency to regulate IoT/embedded security. There would have to be stringent safeguards to ensure that the NSA doesn’t embed their own back doors. The arrogant bastards have compromised American security in the name of being able to intercept foreign communications. I can’t trust my own routers and switches, thanks to the ‘features’ that NSA has ensured get installed.

  16. Just look at what Google senior security engineer Darren Bilby said, we should use white list. This issue with the phones shows you whitelist is safe !

  17. If you should catch this ‘in the wild,’ root your phone and apply the following procedure to remove the malware:

    https://github.com/angrave/SystemProgramming/wiki/File-System,-Part-8:-Removing-preinstalled-malware-from-an-Android-device

    Good luck out there!

  18. By the time all this actually makes it to the masses (the boots on the ground as it were), most people won’t even think about it. It all just gets lumped in with a thousand other things that everyone will assume is taken care of with the next update. At the very least, it won’t be an issue with the next iteration of the device.

  19. This is now being covered by the NY Times, which is kinda nice to see.

    Having been a reader on this site for quite some time, and even prior to that being entirely skeptical about security, I have virtually no interest in internet connected dishwashers, refrigerators, washing machines and door locks.

    But I recently completed a home rebuild, and value the functionality of internet-connected thermostats and sprinkler systems. What router settings can we configure that might help prevent such devices from being used in such an attack?

    • Using an internet-connected thermostat is a bad idea. Here’s what a hacker could do if you live in a cold climate and are out of the house for an extended period of time: turn off your heat on a freezing cold winter day (like -10 F) long enough to let the water pipes freeze and crack, then turn on the heat again. The cracked pipes all spout fountains of water throughout the whole house.

      I’ve seen this happen after an extended power outage. It’s not pretty.

      • An internet connected thermostat can “leak” all sorts of info.

        A hacker sees a house normally has its thermostat set at 23C (~70F?) and then for a fortnight it is set at 10C.

        Owners away on holiday – safe to burgle?

        So-called smart utility meters have a similar risk.

  20. Ok so in summary is it fair to say that people’s data is getting Shanghai’d?

  21. Amusing to see the typical knee-jerk rejection of government regulation in the comments when the IoT hacks are already taking place in the total absence of government regulation.

    As was made clear in the story, manufacturers are not going to voluntarily raise the costs of their devices to cover the additional costs since it will put them at a hopeless disadvantage against less responsible companies who are only interested in shifting as many units as they can.

    Threats of lawsuits are laughable. First of all, the damages recouped, if any, would come after the harm was done, and the deep-pocketed corporations will simply employ armies of lawyers to (a) minimize the settlement and (b) stave off any settlement for years (cf. Exxon Valdez). Hence using the court system to solve this problem is just your typical libertarian magic fairy dust.

  22. A good first step would be banning any device with an internet connection that comes from China. That would solve a lot of problems right there.

    I’m also very disappointed in the lack of response from Blu. Are they going to continue doing business with Adups? That’s something we need to know.

  23. Adobe exposed 38M users, gets a $1M fine, which works out at 2.6 cents per account exposed. I wonder if each and every victim feels satisfied at this 2.6 cent penalty.

  24. I predicted this years ago. When the Chinese started making tech to sell to the West, specifically consumer comms tech, I said repeatedly to anybody who would listen, that I wouldn’t trust anything manufactured by a company from a country that has absolutely no regard for human rights and particularly user data privacy. I was just beginning to warm to Huawei as the electronics retail store I work in sells their phones and tablets. Now I know my initial assessment was correct: Chinese comms tech is riddled with spyware.

  25. Why not put the liability on the importer like the FDA does with imports on food? For example I contract a foreign company to process ginger. I have to make sure the company I’m contracting meets U.S. food safety regulations. I go over, perform food safety audits that match HACCP and when the product arrives at the U.S. I set up a testing protocol to test for biological or chemical hazards. It’s an added check to make sure that my overseas co-packer is following the food safety management plan. Obviously the type of audits and quality control protocols would be different for IoT devices.

  26. “This behavior cannot be detected by mobile anti-virus tools because they assume that software that ships with the device is not malware and that it is white-listed”

    This assumption is at the core of many problems with devices today – especially Androids, but even computers.

    Operating systems that come with pre-bundled software like crappy antivirus software (see: McAfee) or other things you really don’t want laid the ground for this sort of problem. It’s nothing less than exploiting the customer for a few more bucks, and no wonder the Chinese are taking advantage of it.

    This loop needs to be closed yesterday, and customers must have control over what their pre-installed OS includes.

    • The iPhone cannot be excluded from this……perfectly clean and useful items that just disappear, often with an update.

      What you’re describing is the result of people being perfectly happy transferring all responsibility to someone else. No one cares to understand the technology. Everyone is convinced that they don’t need to. The world is overwhelmingly caught up in that flashing 12:00 syndrome.

  27. “aren’t insufficient” is probably meant to be “are insufficient” or “aren’t sufficient”.

  28. E to develop the tool to monitor user behavior ostensibly for the purposes of customer support and to identify junk text messages and calls.
