by duked 3498 days ago
Hi guys, I'm one of the researchers with Kryptowire, if you have any questions.
4 comments

How can someone detect if their phone has this backdoor installed?
The thing is these are system apps, so not easy to analyze unless you're root. What you can do is observe your device traffic and see if any of these domains are pinged:

    bigdata.adups.com (primary)
    bigdata.adsunflower.com
    bigdata.adfuture.cn
    bigdata.advmob.cn
Then check the content of the POST request (usually to url/mobileupload.do).
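A small checker for the indicators named above, added here as an illustration and not code from Kryptowire or the thread: it reads proxy log lines (the line format and the sample lines are constructed) and flags any request to the listed domains, rating a POST to /mobileupload.do higher than a plain ping.

```python
import re
from urllib.parse import urlsplit

# Domains named in the thread as endpoints contacted by the Adups component.
ADUPS_DOMAINS = (
    "bigdata.adups.com",
    "bigdata.adsunflower.com",
    "bigdata.adfuture.cn",
    "bigdata.advmob.cn",
)
UPLOAD_PATH = "/mobileupload.do"

# Constructed sample of proxy log lines: "<timestamp> <method> <url> <bytes>".
SAMPLE_LOG = """\
2016-11-15T10:01:02Z GET https://www.example.org/ 512
2016-11-15T10:01:05Z POST https://bigdata.adups.com/mobileupload.do 48231
2016-11-15T10:02:11Z GET http://bigdata.adfuture.cn/ping 120
2016-11-15T10:03:00Z POST https://cdn.example.net/upload 2048
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def matches_adups(host):
    """True if host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ADUPS_DOMAINS)


def classify(line):
    """Return a finding dict for one log line, or None if it is unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, url, size = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not matches_adups(host):
        return None
    # A POST to the upload endpoint is the data exfiltration path described
    # in the thread; any other contact with these domains is still worth review.
    severity = "high" if method == "POST" and parts.path == UPLOAD_PATH else "medium"
    return {"ts": ts, "method": method, "host": host,
            "path": parts.path, "bytes": int(size), "severity": severity}


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```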
Sir, this is HN. You may assume we are root.
This seems very similar to (or perhaps even worse than) the fact pattern in the HTC/Carrier IQ case. https://www.ftc.gov/news-events/blogs/business-blog/2013/02/...

Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?

We did work with DHS and notified all the parties ahead of the press release. We also remember Carrier IQ! We have a comparison table here: http://www.kryptowire.com/adups_security_analysis.html
So you didn't tell the Federal Trade Commission, even though they previously investigated (and punished) HTC for doing something similar?
Curious, do security researchers typically liaise with the FTC when vulnerabilities are discovered? This and your parent comment seem to imply a 'yes' but this doesn't seem like an obvious connection (to me at least). I would expect the first point of contact at DHS to flag this for other agencies' attention if they felt it was necessary. Should DHS feel territorial about this and be reluctant to contact outside agencies that's on them, not the researcher.

I wonder if many security researchers know to routinely shop their findings to multiple agencies independently. It doesn't seem like this is common knowledge.

DHS is a law enforcement agency, which regularly uses surveillance techniques, some of which exploit security flaws in devices and software. When you share information about security flaws with DHS, you're sharing them with ICE and the Secret Service.

The FTC, in contrast, is a consumer protection agency. They don't kick down doors and they don't arrest people.

And yes, many security researchers have shared their prepublication research with the FTC.

From the article: "Kryptowire took its findings to the United States government. It plans to make its report public as early as Tuesday."

Can you share the report yet?

Not sure about our policy for sharing the report but we have a slightly more technical version on our blog: http://www.kryptowire.com/adups_security_analysis.html
Hey duked. I just returned from Hong Kong (on vacation) and used two BLU Advance 5.0 phones as burners for use while in-country. I take precautions whenever I travel overseas.

I've got two phones here that were used during my trip there. I was wondering if you had any tips for figuring out if they were compromised or otherwise owned while I was out there.

Hi, our findings are specific to the BLU R1HD. What you can do is set up a man-in-the-middle proxy for your device and look at the traffic. Funny enough, we actually bought the R1HD for the same reason as you... We had a conference in Taiwan and wanted a burner, and BLU looked awesome for the price ;)
That was my thinking as well.

I do INFOSEC for a living and needed to make sure I wasn't bringing back any compromised devices when I returned. So far, the two phones have remained powered down while I come up with a plan to examine them.

It would be interesting to see if they are loaded with malware out of the box or if there is something going on when they are used in country.

You can start by not buying cheap Chinese Android phones and hoping for the best.