Incident: Pre-installed Chinese Malware on US Government Phones by Assurance Wireless.

Published Date: 2016-11-15

Postmortem Analysis
Timeline:
1. The software failure incident mentioned in Article 49741 happened in November 2016. [49741]
2. The software failure incident mentioned in Article 61882 happened in November 2016. [61882]
3. The software failure incident mentioned in Article 71032 happened in 2016. [71032]
4. The software failure incident mentioned in Article 94612 happened in 2020. [94612]

System:
1. UMX U686CL Android-based phone - Chinese malware pre-installed apps [94612]
2. Blu phones - Preinstalled software from Shanghai Adups Technology sending data to Chinese servers [71032, 61882, 49741]

Responsible Organization:
1. Chinese company Shanghai Adups Technology was responsible for causing the software failure incident by preinstalling software on phones that sent user data to Chinese servers without user consent [94612, 71032, 61882, 49741].
2. Phone manufacturers like BLU Products were also responsible for the incident as they used the software provided by Adups without fully understanding its capabilities and implications [71032, 61882, 49741].

Impacted Organization:
1. Low-income families receiving phones via a US government scheme [94612]
2. Users of low-priced phones sold on Amazon [71032, 61882]
3. International customers and users of disposable or prepaid phones [49741]

Software Causes:
1. Pre-installed Chinese malware on budget phones, such as the UMX U686CL, transmitting data to Chinese servers without user consent [94612].
2. Pre-installed software from Shanghai Adups Technology on phones like Blu's devices, sending personal data including text messages, contact lists, and locations to servers in China [71032, 61882, 49741].

Non-software Causes: unknown

Impacts:
1. The software failure incident involving pre-installed Chinese malware on budget phones provided through a US government scheme led to the compromise of user data, including text, call-location, and app data being transmitted to a Chinese server every 72 hours [94612].
2. The incident resulted in a settlement between the company behind the affected phones and the US Federal Trade Commission, requiring a security plan for all devices, third-party checks every two years, and prohibition from misleading the public about privacy protection [71032].
3. The software failure incident raised concerns about privacy and security, with the affected phones sending private data to China without user consent, potentially leading to a breach of trust and privacy for millions of users [61882].
4. The software failure incident highlighted the issue of data tracking and surveillance on consumer electronics, with the pre-installed software designed to monitor user behavior without disclosure to users, potentially compromising privacy [49741].

Preventions:
1. Conducting thorough security assessments and audits of pre-installed software on devices before distributing them to consumers could have prevented the software failure incident [94612, 71032, 61882, 49741].
2. Implementing strict privacy policies and transparency regarding data collection practices by companies providing pre-installed software on devices could have helped prevent the incident [71032, 61882, 49741].
3. Ensuring that firmware updates and software functionalities are clearly disclosed to users, even if buried in legal documentation, could have prevented the incident [49741].
4. Regular monitoring and oversight of software behavior, especially in relation to data transmission and user privacy, could have detected and prevented the unauthorized data collection [61882, 49741].
5. Collaboration between security firms, government agencies, and technology companies to identify and address potential security vulnerabilities in software could have prevented the incident [49741].

Fixes:
1. Implementing a security plan regarding security risks with all devices, both new and old, and undergoing third-party checks every two years for the next 20 years [71032].
2. Updating the software to eliminate the feature that sends data to Chinese servers and ensuring that the surveillance is disclosed to users [49741].
3. Removing the pre-installed apps containing malware and ensuring that such apps are not automatically installing additional apps without user consent [94612].

References:
1. Security company Malwarebytes [94612]
2. US Federal Trade Commission (FTC) [71032]
3. Security firm Kryptowire [61882, 49741]
4. Shanghai Adups Technology [71032, 61882, 49741]
5. Blu Products [71032, 49741]
6. Department of Homeland Security [49741]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) In the articles, it is reported that the company BLU Products had a software failure incident related to privacy practices involving sending personal data to servers in China [71032]. The incident occurred in 2016 when security researchers discovered that BLU phones were sending personal data to Chinese servers without user consent. Despite BLU updating the software to fix the issue, the same security researchers found that the phones were still sending data to China [71032]. (b) The software failure incident involving sending data to Chinese servers has not been limited to BLU Products alone. Another article reports a similar incident involving a Chinese company called Shanghai Adups Technology, which provided software to multiple phone manufacturers, including ZTE and Huawei [49741]. The Adups software was found to be sending user data to a Chinese server without disclosure to users. This incident highlights a broader issue of privacy breaches in low-cost Android devices, affecting millions of users [49741, 61882].
Phase (Design/Operation) | design, operation | (a) In the software failure incident related to the Chinese malware pre-installed on budget phones offered through a US government scheme [94612], the failure can be attributed to the design phase. The incident involved pre-installed apps on the UMX U686CL phone that were identified as malicious, with one app automatically installing more apps without user consent and transmitting data to a Chinese server. This indicates a failure in the design phase where the system development and procedures to operate the phone allowed for the introduction of malware without user consent. (b) In the software failure incident involving Blu phones sending personal data to servers in China [71032, 61882, 49741], the failure can be linked to the operation phase. The phones were found to be sending private data to Chinese servers without alerting users, indicating a failure in the operation or misuse of the system. Despite promises to update the software to fix the issue, the phones were still found to be siphoning off data, highlighting a failure in the operational aspects of ensuring user privacy and data security.
Boundary (Internal/External) | within_system | (a) within_system: The software failure incidents reported in the articles are primarily related to pre-installed software on budget phones, such as the UMX U686CL and BLU phones, that were sending user data to servers in China without user consent [94612, 71032, 61882, 49741]. These incidents were caused by the intentional design of the software by companies like Shanghai Adups Technology to monitor user behavior and collect data without disclosure to users. The software was preinstalled on the phones and could not be easily removed, leading to concerns about privacy and security breaches originating from within the system itself. The failure was due to the malicious behavior of the pre-installed software rather than external factors.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - In the incidents reported in the articles, the software failures were primarily due to pre-installed software or firmware on Android phones that was designed to monitor user behavior and send data to servers in China without user consent [94612, 71032, 61882, 49741]. - The software from companies like Shanghai Adups Technology was responsible for sending personal data, including text messages, contact lists, locations, and other data, to Chinese servers without alerting users [71032, 61882, 49741]. - The software was designed to help a Chinese phone manufacturer monitor user behavior and was not intended for American phones, leading to a breach of privacy and trust [49741]. (b) The software failure incident occurring due to human actions: - Human actions contributed to the software failures in terms of the intentional design of the software by companies like Adups to collect and transmit user data without disclosure [49741]. - The lack of transparency and disclosure by the companies involved, as well as the failure to inform consumers about the data collection practices, were human actions that led to the software failures [71032, 61882, 49741]. - The involvement of companies in requesting such software functionalities for monitoring user behavior and data collection also points to human actions contributing to the software failures [49741].
Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - There is no specific mention of the software failure incident in the provided articles being attributed to hardware issues. Therefore, it is unknown if the incident was related to hardware failures. (b) The software failure incident occurring due to software: - The software failure incidents reported in the articles are primarily attributed to software issues. Specifically, the incidents involve pre-installed software on budget phones sending data to Chinese servers without user consent [94612, 71032, 61882, 49741]. These incidents highlight how the software, particularly the pre-installed firmware and apps, was designed to monitor user behavior and send sensitive data to servers in China, leading to privacy and security concerns.
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incidents described in the articles are related to malicious activities. Malware was pre-installed on budget phones, such as the UMX U686CL and Blu phones, with the intent to harm the users' privacy and security [94612, 71032, 61882, 49741]. The malware, including the Adups software, was designed to secretly collect and transmit sensitive user data, such as text messages, call logs, location information, and more, to servers in China without user consent. This malicious behavior was intentional and not disclosed to users, indicating a clear intent to harm the system and compromise user privacy.
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The intent of the software failure incident related to poor decisions can be seen in the articles. In Article 94612, it is mentioned that the pre-installed apps on the UMX U686CL phone were found to be malicious, with one app automatically installing more apps without user consent and transmitting data to a Chinese server every 72 hours. This indicates a deliberate decision to include harmful software on the device, leading to a software failure incident [94612]. (b) The intent of the software failure incident related to accidental decisions is evident in the articles as well. In Article 49741, it is highlighted that the preinstalled software in some Android phones, provided by Shanghai Adups Technology Company, was monitoring user behavior and sending data to a Chinese server without user knowledge. The company claimed it was a mistake and not intended for American phones, indicating an accidental decision that led to the software failure incident [49741].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) In the software failure incident related to the Chinese malware found on budget phones provided through a US government scheme [94612], it was reported that the pre-installed apps on the phone were malicious, with one app automatically installing more apps without user consent. The incident involved a Chinese company manufacturing the Android-based phone, and the malware transmitted sensitive data to a Chinese server every 72 hours. This incident could be attributed to development incompetence as the pre-installed apps contained malware and were not removable, indicating a lack of professional competence in ensuring the security and integrity of the software. (b) The software failure incident involving Blu phones sending personal data to servers in China [71032, 61882, 49741] was described as a mistake by the Florida-based company Blu, which used preinstalled software from Shanghai Adups Technology. Despite efforts to update the software to fix the issue, it was found that the phones were still sending data to Chinese servers. This incident could be categorized as accidental, as it was initially termed a mistake by the software provider Adups, and the surveillance was not disclosed to users, indicating unintentional data collection and transmission.
Duration | permanent | (a) The software failure incident described in the articles seems to be more of a permanent failure rather than a temporary one. The incidents involving the pre-installed software from Shanghai Adups Technology on various low-priced phones, such as BLU and UMX U686CL, show a pattern of intentional design to monitor user behavior and send data to Chinese servers without user consent [49741, 61882, 71032, 94612]. Despite some claims of resolving the issues, security researchers found that the data tracking and transmission continued even after assurances from the companies involved [71032, 61882]. The fact that the software was intentionally designed for surveillance purposes and continued to operate in a secretive manner on multiple devices indicates a more permanent and intentional nature of the failure.
Behaviour | omission, value, other | (a) crash: The articles do not mention any instances of system crashes as a result of the software failure incidents. (b) omission: The software failure incidents mentioned in the articles involve the system omitting to perform its intended functions in some instances. For example, the software on the Blu phones was found to be secretly sending private data to servers in China without alerting users [71032]. Similarly, the Adups software transmitted the full contents of text messages, contact lists, call logs, location information, and other data to a Chinese server without disclosing the surveillance to users [49741]. (c) timing: The articles do not mention any instances of timing-related failures where the system performed its intended functions but at incorrect times. (d) value: The software failure incidents described in the articles involve the system performing its intended functions incorrectly. For instance, the Adups software on Android phones was intentionally designed to monitor user behavior without user consent [49741]. Additionally, the pre-installed apps on the UMX U686CL phone automatically installed more apps without user consent, transmitting data to a Chinese server [94612]. (e) byzantine: The articles do not mention any instances of the system behaving erroneously with inconsistent responses and interactions. (f) other: The other behavior observed in the software failure incidents is the intentional design of the software to perform surveillance and data tracking without user knowledge or consent, leading to privacy breaches and data transmission to external servers [49741, 71032, 61882, 94612].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incidents described in the articles led to the compromise of personal data and privacy of users. The pre-installed software on phones, such as the UMX U686CL and BLU phones, was found to be sending personal data, including text messages, contact lists, call logs, and location information, to servers in China without user consent [94612, 71032, 61882, 49741]. This breach of privacy and data security can be considered as an impact on people's property in terms of their personal information being compromised.
Domain | information | (a) The software failure incident reported in the articles is related to the industry of information. The incident involves pre-installed software on mobile phones sending personal data, including text messages, contact lists, and locations, to servers in China without user consent [71032]. (b) The incident is not directly related to the transportation industry. (c) The incident is not directly related to the extraction of natural resources. (d) The incident is not directly related to the sales industry. (e) The incident is not directly related to the construction industry. (f) The incident is not directly related to the manufacturing industry. (g) The incident is not directly related to the utilities industry. (h) The incident is not directly related to the finance industry. (i) The incident is not directly related to the knowledge industry. (j) The incident is not directly related to the health industry. (k) The incident is not directly related to the entertainment industry. (l) The incident is not directly related to the government industry. (m) The software failure incident is related to the industry of telecommunications and mobile devices, specifically involving the distribution and usage of budget phones with pre-installed malware [94612, 71032, 61882, 49741].
