HMD Global says some Nokia 7 Plus devices accidentally sent sensitive data to China
Europe is very, very serious about data privacy. The European Commission doesn’t tolerate companies leaking or knowingly sending users’ data without their approval. Introducing the GDPR (General Data Protection Regulation) should have sent the right message, but, apparently, some companies still mess up every now and then. The latest instance to turn heads concerns the Finnish company HMD Global and its Nokia 7 Plus.
According to NRKbeta, they received a tip last month concerning the Nokia 7 Plus handset. A reader of the portal found, after analyzing the network traffic, that the device was sending some very sensitive data to Chinese servers. What’s more, the data was completely unencrypted, which left it open to exploitation not only by Chinese authorities but also by anyone who knows how to pull off a simple man-in-the-middle (MITM) attack. Here are the types of information that were sent to the Chinese servers:
- IMEI1 and IMEI2 – the device’s unique serial number;
- SIM1CELLID – ID of the base station the device is connected to;
- SIM1LTEIMSI – ID of the 4G network user;
- SIM1ICCID – SIM card identification number;
- MACID – MAC address (unique identification number) of the WiFi.
NRKbeta claims that all of this information was sent to the vnet.cn domain. A quick search tells us that the domain is owned by the state-controlled China Telecom. The Finnish Data Protection Ombudsman, Reijo Aarnio, contacted the publication and confirmed that his team and security experts will start investigating the event. Later on, HMD Global issued a statement saying that the case was an error affecting only one production batch of the device. The company claims that it has already sent out a software update that fixes the issue and that most users have already installed it.
“We have analyzed the case and can confirm that there has been an error in the packing process of software in a single batch of a telephone model, which by mistake attempted to send activation data to a foreign server. The data was never processed and no personal information was shared with third parties or authorities.”
It is currently unknown if any of the authorities have looked into the issue. As of now, it seems to affect only the Nokia 7 Plus, which is also sold in China. HMD Global didn’t answer NRKbeta’s question about whether it is required to send the mentioned data from Chinese devices.