Sometimes covering tech news requires sitting back a few days and letting something play out. While often it may not be necessary to delay coverage, when it came to the story this week about certain Nokia 7 Plus models ‘sending data to China’ we decided to let the information flow out before jumping on the Fear, Uncertainty and Doubt coverage train.
Now the news has had time to settle, HMD Global has had time to investigate. While there are still a few unanswered questions, the issues certainly aren’t as alarming as it was originally reported by some outlets. As best as we can tell, and taking HMD Global on their word a little (which at this stage we are happy to do), the whole issue centers around an ‘Activation app’ that comes with Nokia phones.
The normal function of the app outside of China, where HMD have a big presence, is that at activation the device will communicate with a server in Singapore (an AWS server under HMD Global control). However, in China, variants communicate with a different server located in China. According to HMD Global, a batch of international Nokia 7 Plus devices was incorrectly connected to the Chinese server instead of the AWS instance.
For affected devices dialing China, it seems they were sending the device IMEI, MAC ID, and the SIM ICCID along with the local tower data, all logged against the time and date. What’s worse, is that this data was apparently sent every time the phone was powered on or the screen was unlocked or activated. Again, this behavior seems to be restricted to devices intended to ship in China so not all Nokia phones are sending this data all day every day.
So, in short, the answer posed in the headline is no – your Australian Nokia devices are extremely unlikely to be affected.
HMD has already released a patch for the issue which was included in the March 2019 OTA security update. According to HMD, only a select batch of Nokia 7 Plus devices were affected and all of them are eligible to download this patch. Their internal records show that ‘almost all’ affected devices have installed the patch. We’ve reached out to HMD Global in Australia and asked for comment if any of the affected batches could have been sent to Australia. We’ll let you know if we hear back.
If you’ve got a Nokia 7 Plus and are worried the solution is easy, check if you have the latest update, if not spam that update button and all will be well. To update a Nokia 7 Plus go to Settings -> System -> Advanced -> System Update -> Check for Update. If you want to be double sure check the build number, go to Settings -> System -> About Phone -> Scroll down to “Build Number”, if it shows “00WW339BSP03” or “00WW322CSP05” you’ve got the updated version. NOTE: Having the latest version DOES NOT mean your devices was originally affected.
The real story for us is the growing body of evidence surrounding Chinese surveillance of its people. None of this is overly surprising, but it’s comforting to think that it’s normal to have all of the information logged so regularly in China. The other interesting aspect of this is the potential implications of the European General Data Protection Regulation (GDPR) for HMD Global.
It’s very possible that this activity contravenes that regulation, and even if unintentional, HMD Global is likely to face investigation and possible fines in relation to the breach.
This story isn’t over yet folks.
Unfortunately Duncan, your claim that this issue does not affect Australian users is only valid for the official Australian variant. Frustration with HMD not allowing the full top spec variants of their devices to be sold here, drives users to go grey-market on ebay and elseweb, and as a consequence there are users here who do have the Chinese market models. So YES, this issue DOES affect Australian users. The REAL SOLVE for this problem is simple: For manufacturers to offer the full top spec versions of their devices here. Do that and there would be far less need to… Read more »
Jeni, As we’ve said devices sold in Australia are unlikely to be affected, we have asked for official comment. Yes if you imported a device from a country that got affected stock then that may be affected. Only certain batch/s of the Nokia 7 Plus were affected. Even more this shows the importance of understanding the risks of grey imports. If you’re importing devices with software intended for markets with different regulatory requirements then you may be placing yourself at risk. The Australian market is unfortunately to small to get all variants of all devices. Sony’s inability to turn a… Read more »
This news is of particular interest to me just now. I have been looking to get a new phone, and one of the questions is how secure are the various brands. A friend of mine who works in IT and looks after the IT security for his firm, tells me that security is now the number 1 consideration when buying a phone. Its more important than the hardware specs. He actually moved his whole family over to iPhones for this very reason. With the concerns growing over the various Chinese brands, I find it disturbing that some Nokia phones have… Read more »
Avoid Chinese made phones, so buys an iPhone made in China?
You guys need a tin foil hat 😉 Basically every phone made in China, and even if it’s not like the S10 and the Pixel that you pointed out, do you think there aren’t any components in there and semiconductors that aren’t made in China? The iPhone is also made in China. I hope your IT friend knows that. Also, the majority of back doors, malware, spying, GPS tracking happen from apps and not the OS itself. I’d trust a smart and savvy user with a Chinese made phone, over a dumb user with a non-Chinese made phone to stay… Read more »