Are the Chinese Reading your Texts Right This Minute?
About 700 million Android phones were sending the contents to a server address in China every 72 hours. The owners of the phones had no idea it was happening. The data known to be extracted included:
- Location information (where you were, at all times)
- Call logs (who you spoke with)
- Text messages (including deleted messages)
- Contact lists
The backdoor was in the firmware in a chip of a component part that was supplied to a large number of Asian phone manufacturers and at least one American one. It was only discovered when a security analyst bought a $50 infected phone for testing and noticed an unusually high level of network traffic when he powered it up.
Was this a one-off occurrence?
Roughly 5 to 6 new Android phones are released by manufacturers on the worldwide market every day on average. The greatest growth surge is in the Asian market where there is a proliferation of extremely cheap devices. Intense price competition means that manufacturing costs must be kept low, which invites supply of the cheapest components whose cost may be secretly subsidized by an interested party. The company involved, Shanghai AdUps Technology, supplies software to phone component manufacturers that can also remotely install apps on a smartphone and update them on demand.
Just how private is my phone’s data?
Forget any notion that a simple passcode keeps your phone data confidential. There are companies, many of them, who specialize in developing and selling equipment that can crack most any phone’s security and suck out the data contents in seconds. Those companies sell that hardware to government security agencies like the FBI and NSA both domestic and foreign, police forces, corporate clients, and most anybody who can pay the price. They may present a veneer of ethics by checking the credentials of potential clients but that is a flimsy defense against allowing the equipment to fall into the “wrong hands”. That is in addition to the shadier activities of software and component suppliers like the China company.
Why would they want my information?
A state actor would have zero interest in the phone data of the average person – only of individuals with access to facilities, organizations or activities (including criminal) of interest to them. The biggest usage by far is in the field of Big Data that is used for marketing or product development purposes by manufacturers and software system vendors. That is the purpose that the Chinese company said was behind their theft of phone data. But don’t for one moment think that a government agency would not suborn that data if the need arose.
How can it be justified?
All nation states have their own specific security interests and prioritized list of targets. They can use the excuse of national security, counter-terrorism, policing criminal activity, or any other rationale they choose. History is littered with examples of government agencies acting outside the law in most any country you choose to name. The Internet enables state actors to easily access any other state, attempt to hack into its agencies, government departments, defense contractors, banks, and even the general population as evidenced by the China mass phone hack.
Why is it so important?
Some people naturally think “what the heck – I don’t care because nobody would be interested in my boring old texts etc.” But that misses the point. Privacy is as vital a concept as freedom of speech or the right to vote. Just because you don’t bother to vote does not mean you don’t care about that freedom or right. Erosion of personal rights is a characteristic of despotic states. Any weakening of those rights and freedoms is a move in that direction.