On Thursday, NRK, a major Norwegian news organization, reported that several units of the Nokia 7 Plus were inadvertently sending personal information to a Chinese server. These units were sold in the Norwegian market, and the discovery of the communication between the handset and the Chinese server quickly raised grave concern.
The report found that personal information about the device, including GPS coordinates, the SIM card number, and the device's serial number, was being transferred to the server unencrypted. This happened whenever the phone was switched on, the screen was turned on, or the phone was unlocked. This behavior is typical of smartphones intended for the Chinese market.
The domain name of the server is vnet.cn, which is the CNNIC, or China Internet Network Information Center. The owner of the domain is China’s state-owned China Telecom.
Most likely, a piece of software intended for Chinese variants of the Nokia 7 Plus slipped through the cracks and ended up installed on a single batch of Nokia 7 Plus units headed for the Norwegian market. HMD Global pushed a firmware update that removed the China-specific application for the Norwegian market.
The incident caused Finland’s data regulator to launch an investigation against HMD Global, as it directly violated the GDPR guidelines for user data that the European Union launched last year. The violation is on the grounds that the SIM card number, base stations, and serial number of a device are all considered personal information.
We’ve seen this kind of thing happen in the past with OnePlus’ Oxygen OS and clipboard data that was. Although the information wasn’t actually sent, the code discovered was residual code from Hydrogen OS, the Chinese variant of OnePlus’ UI, and it was discovered by an amateur developer.