By Accident or Design? Supply Chain Risks of Chinese-made Devices
• On November 15, 2016, American media outlets reported that Android devices in the United States were found to be transmitting sensitive user information back to a server in Shanghai, China. Some 120,000 devices, manufactured by Florida-based BLU Products, are known to be affected.
• The incident was caused by a third-party firmware-over-the-air (FOTA) update service owned by a Chinese company, Shanghai Adups Technology Co., Ltd. The company has stated that the data collection capability was initially created for a mainland China device manufacturer client for the purposes of screening spam texts and phone calls, but it was accidentally deployed on devices that made their way to the United States. The company has since updated the software and claims that the issue has been remedied and the collected data destroyed.
• Flashpoint analysts believe Shanghai Adups’ explanation to be plausible; spam SMS text messages and phone calls are rampant within mainland China, and major efforts have been undertaken to crack down on such activity.
• At this time, Flashpoint cannot link this activity to any known Chinese cyber espionage activity. Analysts assess that China would be unlikely to utilize its international technology companies in such a brazen fashion given the potential consequences (device blacklisting, declined revenues) for their firms and thus the Chinese economy.
On November 15, 2016, numerous media outlets reported the discovery of a “backdoor” in certain Android devices that facilitated the exfiltration of user data to a server in Shanghai, China. The reports cite the findings of U.S.-based security firm Kryptowire, which found that specific devices made by BLU Products utilized a third-party wireless update/firmware-over-the-air (FOTA) application made by Shanghai Adups Technology Co. Ltd. Shanghai Adups’ software was discovered to be transmitting a wide range of user data, such as “full-body text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI).”
According to Kryptowire, the software was designed to bypass various security features within the Android OS; it then delivered the collected data in an encrypted fashion to a remote server in China. The software was reportedly capable of targeting “specific users and text messages matching remotely defined keywords.” According to Shanghai Adups, however, this capability was initially designed at the request of an unnamed Chinese manufacturer for use in mainland China for the purposes of identifying and filtering “junk text and calls by keyword and phone number” and was accidentally deployed on devices later sent to the United States.
The full scope of affected devices is still unclear. Although Shanghai Adups claims to service some 700 million users globally, and many media reports suggest that this many devices may be affected, the true impact is unknown. As of this writing, it is only known that some 120,000 BLU Products Android devices in the United States were affected. Given that Shanghai Adups offers services to a variety of other manufacturers, it is likely that other brands are also affected — although specifics remain unknown. Currently, Flashpoint is unable to independently estimate the full scope and scale of devices affected.
Security incidents follow historical trends; state sponsorship unlikely
Despite widespread speculation that these activities may be linked to Chinese state-sponsored cyber espionage efforts, Flashpoint analysts are skeptical of such a connection. Flashpoint analysts believe Shanghai Adups’ explanation for the initial origin and intent of the software capabilities (identifying and filtering spam texts/calls within China) to be plausible. Spam SMS text messages and phone calls, as well as telephony fraud of all sorts, are rampant within China, and major efforts have been made over the last few years to crack down on such activities. It is also worth noting that many Western technology companies collect similar user data in one fashion or another in order to flag suspicious activity. These efforts aim to protect users from malicious activity such as spear phishing campaigns, enable targeted advertising, enhance user experience, and improve machine-learning algorithms.
This is not the first time such behavior has been discovered in Chinese-manufactured devices. In 2014, Chinese smartphone manufacturer Xiaomi was similarly accused of siphoning user data to China. Additionally, Lenovo — like many other device manufacturers — has previously been found to install “bloatware” on devices prior to shipping. In 2015, Lenovo found itself under fire for pre-installing software dubbed “Superfish”. While Superfish was intended to inject advertisements onto websites browsed by users of the devices, security vulnerabilities within the software enabled would-be attackers to read encrypted browsing data including passwords and other sensitive items. Lenovo apologized for using the software but still faces residual lawsuits. In addition, another vulnerability was discovered pertaining to the “Lenovo Service Engine” in which the service would reinstall itself even after uninstallation. This vulnerability potentially exposed users to “buffer overflow attack and an attempted connection to a Lenovo test server.”
Mounting concerns over electronics supply chain amid China-U.S. tensions
These security incidents, as well as the tense relationship between China and the United States, have renewed concerns over the electronics supply chain. Many fear that Chinese-made devices and/or manufacturers may be compromised or otherwise leveraged by Beijing for the purposes of facilitating cyber espionage efforts.
Yet while Beijing certainly possesses considerable authority to compel individuals and firms operating within China to cooperate, the exploitation of otherwise legitimate Chinese technology firms (especially those present in and reliant on the international market) for cyber espionage purposes would likely pose too great a risk for the potential reward, especially when conducted in a somewhat blatant and target-agnostic manner. Moreover, with many Chinese technology companies currently struggling to break into the Western market amid already-high levels of suspicion on both sides, leveraging such companies as a vehicle for cyber espionage would further undermine the Chinese case for acceptance into Western markets. This practice could potentially lead to device blacklists, which may considerably drive down profits for major Chinese technology firms that bring considerable revenue into the People’s Republic of China.
The data leakage and so-called “backdoors” discovered in such incidents may be explained by insufficient security awareness and standards, a lack of effective regulation, and a different conception of personal privacy between the Western world and China. Malicious intent is unlikely. For instance, in both the Lenovo and Adups cases, the lack of a robust, systemic security program may be at fault. This remains an issue for many electronic devices manufactured in China — not just for the mobile market. The Mirai botnet, which was recently involved in record-breaking DDoS attacks against French ISP and hosting provider OVH and U.S.-based DNS provider Dyn, exploited poorly-secured Internet of Things (IoT) devices manufactured in China. Lax default security settings allowed hackers to enslave the devices into massive botnets.
Although these particular cases most likely arose from manufacturer oversight rather than malicious intent, significant risks remain. Despite the incentive against abusing their supply-chain dominance for intelligence purposes, the Chinese government possesses considerable powers to compel companies and manufacturers to do so. The recent passage of China’s new Cybersecurity Law only expands these powers.
However, these risks are not exclusive to Chinese-based manufacturers. Many non-Chinese firms manufacture and/or assemble their components and devices in the PRC; hence, the threat to the supply chain remains even if using non-Chinese devices. As such, malicious hardware, firmware, or software could be injected at any stage of the process, although the ease with which this is done may differ considerably.