An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm.
The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from the devices included IMEI numbers, SIM numbers, and MAC identifiers, which can be potentially used to identify and track the cellphones.
According to HMD Global, which bought the Nokia phone business from Microsoft in 2016, a limited number of Nokia devices have been communicating by mistake to "a third party server."
"We have analyzed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus," an HMD Global spokesperson explained to The Register in an email. "Due to this mistake, these devices were erroneously trying to send device activation data to a third party server."
The company's spokesperson did not respond to requests to say how many phones are in "a small batch" or to confirm the software was intended for phone activation in China.
In January, security researcher Dirk Wetter identified a GitHub repo with Java code designed to handle some form of Android device registration, credited to Qualcomm, that includes the vnet.cn domain and a reference to China Telecom.
According to a
whois lookup, vnet.cn is registered to China Telecom.
Haha! Conformist 'Droids! Yep, that's what's most profitableREAD MORE
HMD insists "no personally identifiable information has been shared with any third party" and the the data sent was never processed – presumably because the activation attempt would fail in the absence of account data associated with an actual telecom customer in China.
The Finnish phone maker says a patch to fix the activation software in affected phones was released in February and nearly all these devices have installed it. The biz adds that collecting activation data is standard practice in the telecom industry and that it "takes the security and privacy of its consumers seriously."
So too does Finland's data protection ombudsman Reijo Aarnio, who is looking into the incident for possible data protection law violations, according to Reuters.
While HMD may have run afoul of the EU data protection regime, its misplaced activation software looks less problematic than apps and SDKs that transmit sensitive data deliberately. ®