After Kryptowire’s privacy revelations at the Black Hat conference in Las Vegas last week, Amazon has decided to stop selling Blu smartphones from its site. The e-commerce company says the “security and privacy of our customers is of the utmost importance”, and has announced that it won’t sell Blu phones until the problem is resolved.
The problem first came to light last year in November, when Shanghai Adups Technology, a firm based in China, was caught having added a backdoor to the firmware of cheap smartphones like the Blu R1 HD sold in the US. At the time, the Shanghai-based firm said it had mistakenly used code meant for China-based software in this firmware, and remedial measures were soon taken. However, researchers at Kryptowire last week once again revealed that Adups' software is still sending data from the Blu Grand M smartphone to the company's server in China.
Because of this revelation, CNET now reports that Amazon has decided to suspend the Miami-based Android company from selling Blu phones on its site. "Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved," Amazon said to the publication in a statement.
Blu, on the other hand, denies any wrongdoing, and the company’s spokeswoman said that it "has several policies in place which take customer privacy and security seriously." Furthermore, she asserted that there had been no breaches either. You can read Blu's full statement below.
The information collected and transmitted through the backdoor first found in November included the full body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers, including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI), from a user's phone. Blu smartphones have been a part of the Prime exclusive program, making it imperative for Amazon to intervene and take the necessary steps to ensure its consumers don’t buy potentially unsafe devices.
BLU Products responds to inaccuracies reported by several news outlets, making clear that there is absolutely no spyware or malware or secret software on BLU devices; these are inaccurate and false reports. BLU is reaching out to several reporters to correct their articles and issue apologies, which BLU has started receiving.
The original report by Kryptowire issued in November 2016 regarding the Adups OTA application stated a small fraction of BLU phones had a version of the application which was collecting phonebook contacts and text messages. Since BLU was unaware of this collection, they hadn't notified customers, thus it was deemed as a potential privacy issue. BLU moved quickly and resolved the problem by having Adups turn off this functionality.
Furthermore, BLU decided to switch the Adups OTA application on future devices with Google's GOTA. Even though it is BLU's policy to only use GOTA moving forward, some older devices still use ADUPS OTA.
Using ADUPS OTA is not an issue here. ADUPS is a well-known application used by several device manufacturers around the world. The issue is exactly what kind of data is actually being collected by this ADUPS application, and whether it presents a security or privacy risk.
BLU hired Kryptowire in November of 2016 since their first report to regularly monitor the ADUPS application in their devices, and they have since been doing that. The data that is currently being collected is standard for OTA functionality and basic informational reporting. This is in line with every other smartphone device manufacturer in the world. There is nothing out of the ordinary that is being collected, and certainly does not affect any user's privacy or security. In addition, as per Tom Karygiannis, VP of Kryptowire, the data collection is in line with BLU's Privacy Policy, and does not constitute any wrongdoing by BLU.
Regarding that some information may be stored in China servers, their privacy policy clearly states that some of the data collected can be stored in servers outside the US; there is absolutely nothing wrong with having a server in China. BLU management takes issue with the statement that any server in China is prone to risk while several other multibillion-dollar companies and other mobile manufacturers such as Huawei and ZTE use them.
BLU has several policies in place which take customer privacy and security very seriously, and confirms that there has been no breach or issue of any kind with any of its devices.
