Nokia 7 smartphones appear to have forwarded personal data from users earlier this year to China Telecom, a state-owned company. According to the manufacturer, this is an error that has since been resolved.
Nokia 7 Plus privacy leak discovered
The vulnerability in the Nokia 7 Plus was discovered by a reader from NRK, the Norwegian public broadcaster. His device appeared to connect several times a day to zzhc.vnet.cn, a server managed by China Telecom. The Nokia device sent a message to the server each time the device was unlocked, with information about the SIM card, IMEI numbers, and user location. This information was also sent unencrypted.
The leak was caused by ‘com.qualcomm.qti.autoregistration.apk’, an app from chipmaker Qualcomm. The app was probably intended to automatically register the device on the network of Chinese providers for users from that country.
However, why the app also appeared on European devices is unclear. Users report that the app was added later, probably with the December security update. However, in February the app was removed again with a newer security update, which means that Nokia was probably aware of the leak by that time.
Nokia response
A spokesperson for HMD Global, the parent company of Nokia smartphones, denies that it was a deliberate choice. “We analyzed the error and discovered that there was an error with the software on a single phone model that accidentally tried to send activation data to a foreign server,” said a manufacturer spokesperson. “The data has never been processed, and the information has not been shared with other companies or authorities.”
We have checked with Nokia Benelux whether private data of Dutch or Belgian users have been forwarded but has not yet received a response. The manufacturer has also not excluded whether other Nokia devices have forwarded information.
The Finnish ombudsman says he is now investigating whether Nokia has violated privacy legislation by sharing the data. If it appears that the manufacturer has intentionally shared personal information, the company may be fined. When the results of that investigation come out is unknown.