WASHINGTON — For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.
Security experts frequently discover vulnerabilities in consumer electronics, but this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior, according to a document that Adups provided to explain the problem to BLU executives. That version of the software was not intended for American phones, the company said.
“This is a private company that made a mistake,” said Lily Lim, a lawyer in Palo Alto, Calif., who represents Adups.
The episode shows how companies throughout the technology supply chain can compromise privacy, with or without the knowledge of manufacturers or customers. It also offers a look at one way that Chinese companies — and by extension the government — can monitor cellphone behavior. For many years, the Chinese government has used a variety of methods to filter and track internet use and monitor online conversations. It requires technology companies that operate in China to follow strict rules. Ms. Lim said Adups was not affiliated with the Chinese government.
At the heart of the issue is a special type of software, known as firmware, that tells phones how to operate. Adups provides the code that lets companies remotely update their firmware, an important function that is largely unseen by users. Normally, when a phone manufacturer updates its firmware, it tells customers what it is doing and whether it will use any personal information. Even if that is disclosed in long legal disclosures that customers routinely ignore, it is at least disclosed. That did not happen with the Adups software, Kryptowire said.
According to its website, Adups provides software to two of the largest cellphone manufacturers in the world, ZTE and Huawei. Both are based in China.
Samuel Ohev-Zion, the chief executive of the Florida-based BLU Products, said: “It was obviously something that we were not aware of. We moved very quickly to correct it.”
He added that Adups had assured him that all of the information taken from BLU customers had been destroyed.
The software was written at the request of an unidentified Chinese manufacturer that wanted the ability to store call logs, text messages and other data, according to the Adups document. Adups said the Chinese company used the data for customer support.
Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.
Android phones run software that is developed by Google and distributed free for phone manufacturers to customize. A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store. That would not include devices in China, where hundreds of millions of people use Android phones but where Google does not operate because of censorship concerns.
Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.”
Ms. Lim said she did not know how customers could determine whether they were affected.
Adups also provides what it calls “big data” services to help companies study their customers, “to know better about them, about what they like and what they use and there they come from and what they prefer to provide better service,” according to its website.
Kryptowire discovered the problem through a combination of happenstance and curiosity. A researcher there bought an inexpensive phone, the BLU R1 HD, for a trip overseas. While setting up the phone, he noticed unusual network activity, Mr. Karygiannis said. Over the next week, analysts noticed that the phone was transmitting text messages to a server in Shanghai and was registered to Adups, according to a Kryptowire report.
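The "unusual network activity" that tipped off the researcher is the kind of signal a defender can look for systematically: a handset that contacts the same host on a fixed schedule (here, every 72 hours) stands out from ordinary browsing traffic. The following script is an added illustration, not Kryptowire's tooling or anything from the report; it scans a constructed log of outbound connections from a test phone, with placeholder hostnames, and flags destinations contacted at a regular interval with little jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections from a test handset:
# "timestamp destination-host bytes-sent". Hostnames are placeholders.
# One host is contacted every 72 hours almost to the second; the other
# is ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
2016-11-01T09:00:12 ota-update.example.invalid 48120
2016-11-01T09:03:40 cdn.news.example.invalid 2210
2016-11-02T12:17:05 cdn.news.example.invalid 1890
2016-11-04T09:00:15 ota-update.example.invalid 51330
2016-11-05T18:42:30 cdn.news.example.invalid 3020
2016-11-07T09:00:09 ota-update.example.invalid 49870
2016-11-10T09:00:21 ota-update.example.invalid 50410
"""


def parse_log(text):
    """Parse 'timestamp host bytes' lines into (datetime, host, int) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, int(nbytes)))
    return records


def find_periodic_destinations(records, min_events=3, max_jitter=0.05):
    """Return {host: (period_hours, total_bytes)} for hosts contacted on a
    regular schedule. A host is flagged when it has at least min_events
    connections and the spread of the gaps between them (population std
    dev divided by the mean gap) is at most max_jitter."""
    by_host = defaultdict(list)
    for ts, host, nbytes in records:
        by_host[host].append((ts, nbytes))
    flagged = {}
    for host, events in by_host.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600
                for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            flagged[host] = (round(period, 1), sum(n for _, n in events))
    return flagged


if __name__ == "__main__":
    for host, (hours, total) in find_periodic_destinations(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: every {hours} h, {total} bytes sent in total")
```

On the sample the 72-hour host is reported and the news CDN is not, because its three connections are spaced 27 and 78 hours apart; a real log would also need the destination checked against the device maker's known update infrastructure before drawing conclusions.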
Kryptowire took its findings to the United States government. It plans to make its report public as early as Tuesday.
Marsha Catron, a spokeswoman for the Department of Homeland Security, said the agency “was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies.”
Kryptowire is a Homeland Security contractor but analyzed the BLU phone independent of that contract.
Mr. Ohev-Zion, the BLU chief executive, said he was confident that the problem had been resolved for his customers. “Today there is no BLU device that is collecting that information,” he said.