Does the Nokia 7 Plus data leak found in Norway affect Australian users?

Sometimes covering tech news requires sitting back a few days and letting something play out. While often it may not be necessary to delay coverage, when it came to the story this week about certain Nokia 7 Plus models ‘sending data to China’ we decided to let the information flow out before jumping on the Fear, Uncertainty and Doubt coverage train.

Now that the news has had time to settle, HMD Global has had time to investigate. While there are still a few unanswered questions, the issue certainly isn’t as alarming as was originally reported by some outlets. As best as we can tell, and taking HMD Global at their word a little (which at this stage we are happy to do), the whole issue centers around an ‘Activation app’ that comes with Nokia phones.


The normal function of the app outside of China, where HMD have a big presence, is that at activation the device will communicate with a server in Singapore (an AWS server under HMD Global control). However, Chinese variants communicate with a different server located in China. According to HMD Global, a batch of international Nokia 7 Plus devices was incorrectly connected to the Chinese server instead of the AWS instance.

Affected devices dialing China seem to have been sending the device IMEI, MAC ID, and the SIM ICCID along with the local tower data, all logged against the time and date. What’s worse is that this data was apparently sent every time the phone was powered on or the screen was unlocked or activated. Again, this behavior seems to be restricted to devices intended to ship in China, so not all Nokia phones are sending this data all day every day.

So, in short, the answer to the question posed in the headline is no – your Australian Nokia devices are extremely unlikely to be affected.

HMD has already released a patch for the issue, which was included in the March 2019 OTA security update. According to HMD, only a select batch of Nokia 7 Plus devices was affected and all of them are eligible to download this patch. Their internal records show that ‘almost all’ affected devices have installed the patch. We’ve reached out to HMD Global in Australia and asked for comment on whether any of the affected batches could have been sent to Australia. We’ll let you know if we hear back.

If you’ve got a Nokia 7 Plus and are worried, the solution is easy: check if you have the latest update, and if not, spam that update button and all will be well. To update a Nokia 7 Plus, go to Settings -> System -> Advanced -> System Update -> Check for Update. If you want to be double sure, check the build number: go to Settings -> System -> About Phone and scroll down to “Build Number”. If it shows “00WW339BSP03” or “00WW322CSP05”, you’ve got the updated version. NOTE: Having the latest version DOES NOT mean your device was originally affected.

The real story for us is the growing body of evidence surrounding Chinese surveillance of its people. None of this is overly surprising, but it’s comforting to think that it’s normal to have all of the information logged so regularly in China. The other interesting aspect of this is the potential implications of the European General Data Protection Regulation (GDPR) for HMD Global.

It’s very possible that this activity contravenes that regulation, and even if unintentional, HMD Global is likely to face investigation and possible fines in relation to the breach.

This story isn’t over yet folks.

Last modified on 23 March 2019 9:47 am

Duncan Jaffrey (@Dunofrey): Duncan has been interested in technology since coding "Mary had a little Lamb" in Basic on his ZX Spectrum. A fan of all things Android, most days you'll find Duncan trawling the web for Android news or quietly editing away on Map Maker.

View Comments (5)

  • This news is of particular interest to me just now. I have been looking to get a new phone, and one of the questions is how secure are the various brands. A friend of mine who works in IT and looks after the IT security for his firm, tells me that security is now the number 1 consideration when buying a phone. It's more important than the hardware specs. He actually moved his whole family over to iPhones for this very reason. With the concerns growing over the various Chinese brands, I find it disturbing that some Nokia phones have been found to be passing data to a Chinese URL associated with a Chinese state owned company. This raises a number of questions. Are all phone brands required to do this in China? What about the Chinese brands, are they required to do this for all their phones irrespective of where they are sold in the world? And, do we only know any of this because the data was not encrypted?

    My IT friend told me just a few days ago to avoid Chinese made phones as there was the possibility they may be compromised by either built in spyware, or microcode in the processors themselves. And while there is no direct proof of this so far it seems, I would rather be safe now than sorry later. As Nokia phones are not, as far as I know, considered a Chinese brand, this news comes as a shock. I was actually looking at Nokia as I thought they were a "safe" brand. Especially as they come with Android One, and are marketed as being more secure than brands that have poor or non-existent software update reputations. So based on what my friend tells me, I think there are only 3 brands of phone in Australia that can be considered reasonably secure - Samsung's flagship phones, Google Pixel phones, and iPhones. The Samsung and Google phones appear to follow Google's own update policy, and are supported with 2 OS version upgrades, and 3 years of security patches, while the iPhones come with 4 years of both. Currently I own a Samsung S7, and have received the 2 OS version upgrades, and am still receiving security patches. So it looks like my next phone will be either the new S10 or a Pixel. I am an Android guy after all, and do not want to go over to the dark side.

    • You guys need a tin foil hat ;)

      Basically every phone made in China, and even if it's not like the S10 and the Pixel that you pointed out, do you think there aren't any components in there and semiconductors that aren't made in China? The iPhone is also made in China. I hope your IT friend knows that.

      Also, the majority of back doors, malware, spying, GPS tracking happen from apps and not the OS itself. I'd trust a smart and savvy user with a Chinese made phone, over a dumb user with a non-Chinese made phone to stay safe in the internetssss.

      Cheers

  • Unfortunately Duncan, your claim that this issue does not affect Australian users is only valid for the official Australian variant.
    Frustration with HMD not allowing the full top spec variants of their devices to be sold here, drives users to go grey-market on ebay and elseweb, and as a consequence there are users here who do have the Chinese market models. So YES, this issue DOES affect Australian users.

    The REAL SOLVE for this problem is simple: For manufacturers to offer the full top spec versions of their devices here. Do that and there would be far less need to go grey market, apart from trying to beat the Australia Tax.

    • Jeni,

      As we've said devices sold in Australia are unlikely to be affected, we have asked for official comment.

      Yes if you imported a device from a country that got affected stock then that may be affected.

      Only certain batch/s of the Nokia 7 Plus were affected.

      Even more this shows the importance of understanding the risks of grey imports. If you're importing devices with software intended for markets with different regulatory requirements then you may be placing yourself at risk.

      The Australian market is unfortunately too small to get all variants of all devices. Sony's inability to turn a profit in Australia tells that story.
