Nokia Phones Accidentally Sent Sensitive User Data To China
According to reports, multiple Nokia 7 Plus units were found to be inadvertently sending sensitive information to a server located in China, which raised considerable concern. Under the General Data Protection Regulation (GDPR), data cannot be used beyond the limits of what users consider appropriate, or else companies can face serious consequences.
About The Data Packet
Reports state that sensitive data was sent to a Chinese domain whenever the device was switched on or unlocked. The transferred data included the SIM card number, geographical location and the device’s serial number. Interestingly, the domain name of the Chinese server was vnet.cn, which refers to the China Internet Network Information Center, or CNNIC. The domain is owned by the state-run Chinese Telecom operator.
When the data packet was inspected in detail, it was found to contain data from both the SIM card and the area it was associated with. This meant that the recipients of the data packet would have been able to geotag the real-time location of the device. Furthermore, sources say that they found a similar piece of code on GitHub, developed by the reputed electronics company Qualcomm. It contained a registration procedure similar to the one executed on the Nokia 7 Plus. The code gathers data about the smartphone and transfers it in a similar format to the designated server.
The incident may have been caused by an error in manufacturing the smartphones. A code segment intended for the Chinese variants of the Nokia 7 Plus might have been installed in the Norwegian variants of the same model. Shortly after this incident, HMD Global rolled out a firmware update that deleted the China-based application from Nokia smartphones. Finnish data regulators are now considering a full-scale investigation of the events that took place. Stating that the SIM card number and serial numbers are indeed personal information, the agency believes that this incident may be a direct violation of the GDPR legislation.