分析师：秘密后门将美国手机的数据发回中国 [美国媒体]

Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say

分析师表示：秘密后门将美国手机的数据发回中国



For about $50, you can get a smartphonewith a high-definition display, fast data service and, according to securitycontractors, a secret feature: a backdoor that sends all your text messages toChina every 72 hours.

约50美元，你可以得到一个智能手机的高精度解析，快速的数据服务，以及根据安全承包商所说的，一个秘密的功能：一个后门，每72小时发送所有信息到中国。

Security contractors recently discoveredpreinstalled software in some Android phones that monitors where users go, whomthey talk to and what they write in text messages. The American authorities sayit is not clear whether this represents secretive data mining for advertisingpurposes or a Chinese government effort to collect intelligence.

安全承包商最近在一些Android手机中发现了预安装的程序，监控用户去往哪里，他们谈论谁，他们在短信中写什么。美国当局表示，不清楚这些秘密数据挖掘是出于广告目的还是中国政府为了收集情报所做的。

International customers and users ofdisposable or prepaid phones are the people most affected by the software. Butthe scope is unclear. The Chinese company that wrote the software, ShanghaiAdups Technology Company, says its code runs on more than 700 million phones,cars and other smart devices. One American phone manufacturer, BLU Products,said that 120,000 of its phones had been affected and that it had updated thesoftware to eliminate the feature.

国际用户和一次性或预付费手机的用户是受这个软件影响最大的人。但范围不清楚。设计该软件的中国公司，上海Adups科技公司，称它的代码在超过7亿的手机，汽车和其他智能设备上运行。一家美国手机制造商BLU公司表示，他们所生产的12万部手机受到影响，不过现在已更新了软件以消除该功能。

Kryptowire, the security firm thatdiscovered the vulnerability, said the Adups software transmitted the fullcontents of text messages, contact lists, call logs, location information andother data to a Chinese server. The code comes preinstalled on phones and thesurveillance is not disclosed to users, said Tom Karygiannis, a vice presidentof Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’thave known about it,” he said.

发现该漏洞的安全公司Kryptowire表示，Adups的程序将所有的文本消息，联系人列表，通话记录，位置信息和其他数据传输到中文服务器。Kryptowire公司的副总裁Tom Karygiannis说，这个代码是预装在手机上的，监控没有将其公开给用户。“即使你想，你也不会知道这个代码。

Security experts frequently discovervulnerabilities in consumer electronics, but this case is exceptional. It wasnot a bug. Rather, Adups intentionally designed the software to help a Chinesephone manufacturer monitor user behavior, according to a document that Adupsprovided to explain the problem to BLU executives. That version of the softwarewas not intended for American phones, the company said.

安全专家经常发现电子消费品中的漏洞，但像这次这种情况是很不同。这不是一个意外。相反，Adups有意设计该程序，根据Adups为了向BLU高管解释此问题所提供的文档显示，设计此程序是为了帮助中国手机制造商监控用户行为。该版本的程序不是针对美国手机，该公司说。

“This is a private company that made a mistake,” said Lily Lim, alawyer in Palo Alto, Calif., who represents Adups.

“这是一家犯了错误的私营公司，”代表Adups公司的在加利福尼亚州帕洛阿尔托的律师Lily Lim说。

The episode shows how companies throughoutthe technology supply chain can compromise privacy, with or without theknowledge of manufacturers or customers. It also offers a look at one way thatChinese companies — and by extension the government — can monitor cellphonebehavior. For many years, the Chinese government has used a variety of methodsto filter and track internet use and monitor online conversations. It requirestechnology companies that operate in China to follow strict rules. Ms. Lim saidAdups was not affiliated with the Chinese government.

该次事件展示了了整个技术供应链中的公司，如何在制造商或客户知情或不知情的情况下泄露隐私。它还提供了一种方式，中国公司 - 并且引申到政府 - 监控手机的行为。多年来，中国政府已经使用各种方法来过滤和追踪互联网的使用并且监视线上交流。政府要求在中国经营的技术公司严格遵守规则。Lim女士说，Adups不隶属于中国政府。

At the heart of the issue is a special typeof software, known as firmware, that tells phones how to operate. Adupsprovides the code that lets companies remotely update their firmware, animportant function that is largely unseen by users. Normally, when a phonemanufacturer updates its firmware, it tells customers what it is doing andwhether it will use any personal information. Even if that is disclosed in longlegal disclosures that customers routinely ignore, it is at least disclosed.That did not happen with the Adups software, Kryptowire said.

问题的核心是一种特殊类型的程序，称为固件，它告诉手机如何运行（驱动程序）。Adups提供的代码允许公司远程更新他们的固件，这是一个重要的功能，这基本上是用户看不到的。通常，当手机制造商更新其固件时，它会告诉客户它在做什么，以及它是否将使用任何个人信息。即使在客户通常会忽略这种例行公事般的询问，但至少公开了。但Adups的程序并没有任何提示，Kryptowire说。

According to its website, Adups providessoftware to two of the largest cellphone manufacturers in the world, ZTE andHuawei. Both are based in China.

根据其网站，Adups向世界上最大的两家手机制造商，中兴和华为提供软件。两家公司都在中国。

Samuel Ohev-Zion, the chief executive ofthe Florida-based BLU Products, said: “It was obviously something that we werenot aware of. We moved very quickly to correct it.”

佛罗里达州BLU公司的首席执行官Samuel Ohev Zion说：“这显然是我们不知道的事情。我们非常迅速的修正了问题。

He added that Adups had assured him thatall of the information taken from BLU customers had been destroyed.

他补充说，Adups向他保证，从BLU客户处获得的所有信息都已经被删除了。

The software was written at the request ofan unidentified Chinese manufacturer that wanted the ability to store calllogs, text messages and other data, according to the Adups document. Adups saidthe Chinese company used the data for customer support.

该软件是根据一个身份不明的中国制造商的要求编写的，该制造商希望能够通过Adups的文档存储呼叫记录，文本消息和其他数据。 Adups说，中国公司使用这些数据来提供客户支持服务。

Ms. Lim said the software was intended to helpthe Chinese client identify junk text messages and calls. She did not identifythe company that requested it and said she did not know how many phones wereaffected. She said phone companies, not Adups, were responsible for disclosingprivacy policies to users. “Adups was just there to provide functionality thatthe phone distributor asked for,” she said.

Lim女士说，该软件旨在帮助中国客户识别垃圾短信和电话。她没有找到当初要求编写此程序的公司，并且她不知道有多少手机受到影响。她说，应该是手机公司，而不是Adups负责向用户说明隐私政策。“Adups只是提供手机经销商要求的功能，”她说。

Android phones run software that isdeveloped by Google and distributed free for phone manufacturers to customize.A Google official said the company had told Adups to remove the surveillanceability from phones that run services like the Google Play store. That wouldnot include devices in China, where hundreds of millions of people use Androidphones but where Google does not operate because of censorship concerns.

Android手机运行由Google开发的软件并可免费为手机制造商定制。Google官员表示，该公司曾告诉Adups从运行像Google Play商店这种服务的手机中移除监控功能。这不包括在中国的设备，在中国有数亿人使用Android手机，但Google由于审查方面的原因而没有运营。

Because Adups has not published a list ofaffected phones, it is not clear how users can determine whether their phonesare vulnerable. “People who have some technical skills could,” Mr. Karygiannis,the Kryptowire vice president, said. “But the average consumer? No.”

由于Adups尚未发布受影响的手机清单，因此不清楚用户如何确定手机是具有漏洞。 “有些技术宅可能可以，”Kryptowire副总裁Karygiannis先生说。 “但一般的消费者？没有这种能力。”

Ms. Lim said she did not know how customerscould determine whether they were affected.

Lim女士说，她不知道客户如何确定他们是否受到其影响。

Adups also provides what it calls “bigdata” services to help companies study their customers, “to know better aboutthem, about what they like and what they use and there they come from and whatthey prefer to provide better service,” according to its website.

根据其网站显示，Adups还提供了所谓的“大数据”服务，帮助公司研究他们的客户，“更好地了解他们，他们喜欢什么，他们用什么东西还有他们来自哪里，以及他们更想要供应商提供什么服务。“

Kryptowire discovered the problem through acombination of happenstance and curiosity. A researcher there bought aninexpensive phone, the BLU R1 HD, for a trip overseas. While setting up thephone, he noticed unusual network activity, Mr. Karygiannis said. Over the nextweek, analysts noticed that the phone was transmitting text messages to aserver in Shanghai and was registered to Adups, according to a Kryptowirereport.

Kryptowire因为好奇和一个偶然发现了这个问题。一个研究员去海外旅行买了一个廉价的手机，BLU R1 HD。在设置电话时，他注意到不寻常的网络活动，Karygiannis先生说。根据Kryptowire报告显示，在接下来的一周，分析师注意到，手机正在向上海的服务器发送短信，并注册到Adups。

Kryptowire took its findings to the UnitedStates government. It made its report public on Tuesday.

Kryptowire将其研究结果提交给了美国政府。美国政府周二公布了其报告。

Marsha Catron, a spokeswoman for theDepartment of Homeland Security, said the agency “was recently made aware ofthe concerns discovered by Kryptowire and is working with our public and privatesector partners to identify appropriate mitigation strategies.”

国土安全局发言人Marsha Catron说，该机构最近意识到Kryptowire发现的问题，并与我们的公共和私营部门的合作伙伴一起确定适当的处理策略。

Kryptowire is a Homeland Securitycontractor but analyzed the BLU phone independent of that contract.

Kryptowire是国家安全承包商，但接了分析BLU电话的这个独立的合同。

Mr. Ohev-Zion, the BLU chief executive,said he was confident that the problem had been resolved for his customers.“Today there is no BLU device that is collecting that information,” he said.

BLU首席执行官Ohev-Zion先生说，他相信他们已经为其客户解决了这个问题。“现在已经没有收集这些信息的BLU设备了，”他说。


uwteacher colorado 18 hours ago
"...made a mistake." Really? It'sa mistake when you pick up the wrong coat or when you walk up to the wrong carafter shopping. This is not a mistake. It took hours and hours of planning andwork to implement this. This was no secret action doner by a rogue employee.This was deliberate. Mistake...right.

“犯了一个错误。”你认真的？这种事才是错误，比如你穿错了外套，或者在购物后上错了车。你这不叫错误，这花费了一个又一个小时制定计划并去实施。这不是一个淘气的员工进行的一个公开的行为。这是计划好的。居然说是错误……好吧。

Ryan Bingham Up there 18 hours ago
So Apple, about time you moved yourmanufacturing here.

苹果，是时候把你的制造产业从那儿搬走了。

Dan chicago 18 hours ago
I certainly hope our government officialsaren't using these phones. Another good reason to bring
manufacturing back to the U.S.

我希望我们的政府官员不要使用这些手机。将制造业带回美国的另一个好理由。

West Coaster Asia 18 hours ago
1. "This is a private company thatmade a mistake."
2. Adups: "all of the informationtaken from BLU customers had been destroyed."
3. "I'll call you in themorning."
This is outrageous. When are we going toban Chinese technology totally from US markets?

1. “这是一家犯了错误的私营企业。”
2. Adups:“所有从BLU客户处获得的所有信息都已经被删除了。”
3. “我早上会打电话给你。”
这真是可恶，我们什么时候能在美国市场完全禁止中国技术。

AzTraveler Phoenix 18 hours ago
Biggest lie of all; “This is a privatecompany that made a mistake,” said Lily Lim, a lawyer in Palo Alto, Calif., whorepresents Adups. It's not a mistake when it was clearly done on purpose to spyon innocent consumers.

最大的谎言; “这是一家犯了错误的私人公司，”代表Adups公司的加利福尼亚州帕洛阿尔托的律师Lily Lim说。当它存在明显是以监视无辜的消费者为目的时，这不是一个错误。

Les Bethesda, MD 18 hours ago
Ms. Lily Lim needs to change her line ofwork to comedy instead of public relations.
“This is a private company that made a mistake,” said Lily Lim, alawyer in Palo Alto, Calif., who represents Adups.
Oh sure, absolutely, I totally believethat. It was a complete accident that an engineer designed software to spy onphone users. it was an accident that this company spent money to build thisinto the phones. It was an accident that it was sending data to China.
If that isn't the most hilarious thing youread today in the news, please let me know - I just love comedy!

Lily Lim女士需要将她的工作改为演喜剧而不是公关。
“这是一家犯了错误的私人公司，”代表Adups公司的加利福尼亚州帕洛阿尔托的律师Lily Lim说。哦，真的，我真的信了。这是一个完全的事故，工程师设计的软件被用来监视手机用户。它是一个意外，这家公司花钱把它安到手机上。这是一个意外，它发送数据到中国。
如果这不是你今天在新闻中读的最搞笑的事情，请让我知道 - 我只是喜欢喜剧！

Kevin Rockledge, FL 18 hours ago
"He added that Adups had assured himthat all of the information taken from BLU customers had been destroyed."
Sure. I believe them.

他补充说，Adups向他保证，从BLU客户处获得的所有信息都已经被删除了。
当然，我信了。

Brian San Jose 18 hours ago
This was far from a simple mistake. Thiswas deliberate even if no active espionage was occurring. Chinese manufacturersshould be banned from selling technology products in the USA. And if that meansApple has to on-shore production so much the better. Time to stick it to Chinafor we have for too long kowtowed to the Mandarinsthere.
                                                                                                         
这可不是个小错误。这是故意的，及时没有间谍活动发生。中国制造商应该被禁止在美国销售技术产品。如果这意味着苹果能够国产就更好了。是时候苛刻的对待中国了，因为我们已经给那些官僚卑躬屈膝了很久。

Robert
18 hours ago
A "mistake"? A MISTAKE? Hey,Lily, this was no "mistake".

一个错误？一个错误！？嘿，lily，这可不是一个“错误”。

Harry Arendt South Windsor, CT 18 hours ago
Ok so I had been considering buying aninexpensive Chinese phone from ZTE or another manufacturer, however this takesthem off the list for forever. Clearly this again shows that Chinesemanufacturers of electronics cannot be trusted.

好吧，所以我一直在考虑从中兴或另一个制造商那里买一台便宜的中国手机，但这个事情这让他们永远离开了我的购物清单。这再次表明，中国的电子产品制造商不能信任。

Donna California 17 hours ago
"The company signs all its products,"Designed by Apple in California," but in the U.S., design is as faras Apple is willing to go. The tech giant outsources hundreds of thousands ofmanufacturing jobs to countries like Mongolia, China, Korea and Taiwan."
Hey Red-State America. How bout tellingDonald Trump to "get on it quick" and get them-there AppleManufacturing jobs back to America. Oops- he buys cheap Chinese steel.

“该公司签下了所有的产品，‘由苹果在加利福尼亚设计’，在美国，就设计而言是苹果愿意去的做的部分。这个技术巨头把数十万的制造业工作外包给蒙古，中国，韩国和台湾”。
嘿，红色美国。你给翻译翻译，唐纳德·川普说的“快速的让苹果制造工作回到美国”。糟糕，他买了便宜的中国钢铁。（和本文无关，感觉黑川普的水军）

Mark California 15 hours ago
I'm not an employee of Blackberry, but thisis a great advertisement for Blackberry.
Anyone remember them?
Blackberry has the most secure encryptionin the industry and they have no manufacturing based in China.
In the mean time, expect more"mistakes" to be found on Chinese manufactured equipment.This, plusthe DDOS attacks that crippled networks a couple weeks ago , were the result ofChinese manufactured IOT devices with similar "mistakes" in theirsoftware.

我不是黑莓的雇员，但这是一个非常好的黑莓广告。还有人记得它吗？
黑莓在手机行业中具有最安全的加密，而且他们没有位于中国的工厂。
与此同时，我预计在中国制造的设备上会发现更多的“错误”。加上几个星期前造成网络中断的DDOS攻击，是中国制造的IOT设备在其软件中具有类似“错误”的结果。
（这家伙的头像居然是64tank车的图片，不说话）

njglea is a trusted commenter Seattle 16hours ago
Is anyone really surprised by this? Myfriends say I'm crazy not to have a smart phone. I say I'm the smartest kid onthe block.

真的有人对此感到惊讶吗？我朋友说我不用智能手机简直疯了，我说我是街上最聪明的人。

George Gollin Champaign, Illinois 18 hoursago
Why should we believe anything a BLUrepresentative says?

我们为什么要相信BLU公司代表说的话啊。

KJ Tennessee 18 hours ago
Our good buddy China, at it again. Who'ssurprised?

我们的亲密伙伴中国，又来了，谁惊讶？

Sam Earth 15 hours ago
We've known for years that China puts bugsin computers, picture frames and phones. Even the Pentagon has reportedproblems. The ONLY way that this is going to stop is if we manfacture here.Yes, it will be more expensive, but what is more important: our privacy andnational security -- or paying a bit more?

我们已经知道多年来中国在电脑，相框，（相框？什么意思，求大神解释下）手机上安置后门。甚至五角大楼也报告了这个问题。唯一的办法就是在美国制造。是的，这会让我们的产品更贵，但我们的隐私及国家安全和多付一点钱哪个更重要？

pplaine Bronxville NY 10708 18 hours ago
No surprise here! Something I have beensaying in comments about China for years. The dollar is more important thancountry.

这没什么惊讶的！我在关于中国的评论中说这些很多年了。但美元比国家更重要。

Walkman is a trusted commenter LA County 17hours ago
Your cellphone,whether Apple or Android, ismade in China.

你的手机，不管是苹果还是安卓，都是中国造的。

Deep South Southern US 17 hours ago
My guess is that cell phones are just thetip of the iceberg.
Chinese companies make many of thecomponents, and full systems, for commercial corporate telephone systems. I'mwondering how secure they are, in view of this news article.                                                                                                                     
And Lenovo is very much into laptops andPCs - to what degree are those infiltrated with manufacturer software that'reports home to mama' every now and then.
I do not believe that this is a 'mistake'in any way.

我猜手机仅仅是冰山一角。
中国的公司为商业公司的电话系统制造非常多的零件以及全套系统，看看这篇文章，我真想知道他们能有多安全。
还有联想那非常多的笔记本和台式机，不时的“向你妈报告”，这得渗透软件厂家到何种程度。
不管如何我不信这仅仅是个错误。

Qev Albany, NY 13 hours ago
The phrase "digital security" isan oxymoron. Realize that, at last.

我终于发现，“数字安全”这个短语是一个矛盾的词。