SERIES: Security Now!
DATE: September 8, 2015
TITLE: Listener Feedback 218
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: Leo and I discuss the week's major security events and discuss questions and comments from listeners of previous episodes. We tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world application notes for any of the security technologies and issues we have previously discussed.
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We are going to get some questions and answers in, finally. We'll talk a little bit about adblocking, yes, but also about the Windows Patch Tuesday. Today's the day. Security updates from a lot of vendors. And a kind of hard to believe flaw in Seagate's hard drives. It's all coming up next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 524, recorded Tuesday, September 8th, 2015: Your questions, Steve's answers, 218.
It's time for Security Now!, the show where we cover all of the security news. This is the super geeky show, frankly, on the network because we cover anything that Steve's into. And since he's a super geek, that could be anything from Vitamin D to BSD routers and everything in between, including great science fiction. Hi, Steve Gibson.
STEVE GIBSON: Hello, my friend. Great to be with you again, as you get ready to wing your way to the East Coast.
STEVE: For your meet-up. And I'll be watching this channel tomorrow as Apple unveils their next set of updates.
LEO: I don't know what I'm going to do. I guess I'll be in meetings. I can't imagine. This is an example of me being in the real world for a change. What do people in the real world do during an Apple event? Do they - seriously. I'll be at SquareSpace. We've got - we're meeting at SquareSpace, and I've got to figure they're interested in this stuff.
STEVE: Well, and because for the last 10 years you've had TWiT.tv and the TWiT Network, and you've always been surrounded by your expert panel, who are watching this stuff all happen in real-time.
LEO: First Apple event I've missed since the iPod in 2001.
STEVE: Well, we all know that it doesn't really happen until ordering time, midnight on Friday we're presuming.
LEO: Or 3:00 a.m., if you're on the East Coast.
STEVE: That's right.
LEO: Which I am. Ay ay ay. Anyway, I will watch with interest. Are you going to get the new - a new iPhone, do you think?
STEVE: I really do want it. I do. I want, I mean, I use the iPhone as my go-to device. My iPad I use more than any other computer in my life is my iPad, just my lifestyle. You know, I take it with me when I leave the house and relax when I'm having a meal and read stuff.
LEO: Would 12.9 inches be too big for you?
STEVE: Yeah, you know, I even got the mini, the latest version of the mini, and I actually returned it because I thought, eh, you know, there was something I was able to say it wasn't doing right. I don't remember now what it was.
LEO: Ten inches is just the right size for you.
STEVE: I really think, yes, the standard iPad is just fine for me. I don't know how they fix that. I don't think I need a big one. But I would love to have a stylus. I don't know why.
STEVE: But I just sort of think that's a cool thing. I've, you know, the idea of being able to jot a note or twiddle or doodle. And maybe Apple will do a good job on that, rather than giving us something that doesn't really work like they did with the Apple Watch.
LEO: One thing you can be sure is that they will not have a stylus that goes in the hole the wrong way.
LEO: I don't think Apple will do that to us.
STEVE: So we have a Q&A today since the world has been kind to us with news. We have some interesting things to talk about, but not - we're not overwhelmed so that that alone will take up the whole podcast. So we've got a bunch of great questions. Naturally, lots of stuff from our listeners following on from the discussions we've been having.
So Seagate suffered a surprising problem with a WiFi hard drive which I just - when you read - when I explain this to people, they're just going to put their head in their hands. It's like, in 2015, how can this still be happening? Adblock has released an Adblock Browser, just this morning, of course on the eve of iOS9. We'll talk about that a little bit. There was some weird belief that suddenly Chrome was trying to defeat adblocking on YouTube, which turned out to be specious. Android phones have been…
LEO: uBlock Origin works on YouTube.
STEVE: Android phones are being shipped with preinstalled malware. And I wanted a little bit of an update on…
LEO: Oh, that's convenient.
STEVE: Yeah. Users don't have to install their own.
STEVE: Yeah. And some feedback from my click-to-play recommendation. So, and then, of course, 10 great questions from our listeners. So I think we have a great podcast in store.
LEO: Jam-packed episode. And good news, my flight doesn't leave till 9:30. So plenty of time.
STEVE: Did you make it to the DMV last week?
LEO: It was - thank you. I did. It was great. In fact, it was amazing. They let you make appointments. I had an appointment for 3:15, got there at 3:10, waited in line for, like, eight minutes. I thought, oh, I'm dead, because the line was so long. But they said, no, no, you're on here. And within three minutes I was out the door.
STEVE: Nice. Wow.
LEO: But the line was three times longer than the actual stuff. It was great. Make an appointment. Steve Gibson, Leo Laporte, Security Now!. Let's get into the news.
STEVE: So our picture for the week ties into one of the questions that a listener asked about his puzzlement over glass platters because he was…
LEO: Yeah. I was puzzled, too, until I almost got my eye poked out by one.
STEVE: Actually, they're really dangerous.
STEVE: If you poke around the 'Net much, there's like people saying, oh, my god, don't, you know. I guess one of the ways people are destroying drives is they're using some sort of a device to just push right through the axle of the drive, like some sort of a punch. And if you do that with more recent glass or glass-ceramic platters, which we'll be talking about later in the show when we get to this guy's question, I mean, they shatter into microscopic shards. And I saw one person saying don't ever do that over carpet, or you will never get the carpet cleaned of all of the glass that is in there. So anyway, I just saw this fun picture that showed, yeah, this is not a platter that bends.
LEO: All right. Get ready, because I'm going to show you the video of Patrick.
LEO: That's the drive. He shatters it into a million pieces. Watch, let me show you again because he just misses my eye. So he didn't know. He thought it was metal. That was a few years ago, Steve.
LEO: So this has been around for a while.
STEVE: Oh, it has. And when we come to the Q&A we'll talk about why that's the case, and actually why it's…
LEO: Why glass?
STEVE: …where we're headed in the future.
LEO: Oh, yeah.
LEO: And wear protective wear if you decide to destroy it with a hammer.
STEVE: So this is the second Tuesday of September. So we are at…
LEO: Patch Tuesday.
STEVE: Patch, thank you, Patch Tuesday. And no earth-shaking news. There were 12 update bundles, five of which Microsoft rated as critical remote code execution exploits. IE and Edge both get updates. Now, Edge, of course, now that we have another browser from Microsoft in addition to IE, it's getting critically updated also. The one worrisome thing is this so-called “graphics component,” they said, which affected Windows, Office, and Lync. So that's sort of scary because that tends to be in the kernel. And if history is any teacher, just rendering a specially malformed image can be all that is needed in order to get a remote takeover.
And then Windows Journal, Office, Media Player. Hyper-V had an update that said “security feature bypass,” which is, you know, never what you want to hear in a VM manager. So I would say to all Windows users that we are Second Tuesday of the Month. Update Windows as soon as you can. I thought I saw - mine came in after I was already up and running and had Skype up. I thought, oh, I'll wait till after the podcast because I run Skype on a Windows 7 machine, and so it's getting updates [crosstalk].
LEO: And I'm doing something that you would never do in a million years. I am not only running Windows 10, I'm running a beta of Windows 10. So, yes, let's see. Windows Update, yes, indeed.
STEVE: You're on the fast loop of Windows 10?
LEO: Fast, fast, yeah.
LEO: Yeah, yeah.
STEVE: So, okay. Seagate. Believe it or not. This drama began quietly, because this was responsible disclosure, back in the middle of March of this year, March 18th. A company named Tangible Security that we've never run across before, they found just a shocking problem with Seagate-generated WiFi drives. Seagate has these wireless hard drives which they sell under the Wireless Plus Mobile Storage and then just Mobile Storage names. And then La Cie - is that how you pronounce it? L-A C-I-E? They are a relabeler. Their version of the same drive is called the FUEL. So, and it may well be that others that have been OEM rebranded of the Seagate Wireless, you know, these WiFi drives could have the same problem.
Well, it turns out, it's just hard for me even to believe this, that in the firmware of this wireless hard drive they undocumented and hardcoded remote Telnet access with the default credentials of root as the username, and then the device's default password. And it's like, no, no, no, no, no. What year is this? This is 2015. So what that means is that anyone who has WiFi access to the network that this thing is on can Telnet to this wireless hard drive. Which is to say, you know, our techie listeners know that basically Telnet is a remote command prompt. It's a remote console.
LEO: Shell, yeah.
STEVE: Yeah. So…
LEO: And nobody uses it because it's insecure in itself.
STEVE: Oh, it's like, yeah.
LEO: Sending it in the clear.
STEVE: Everyone now uses SSH, which is an encrypted - it's sort of like SSH is the SSL version of Telnet. But so this is an unencrypted, in the clear, what is it, port 23, I think?
LEO: Twenty-two? Twenty-three? Yeah.
STEVE: Just sitting there, ready to, you know, accepting TCP connections. And so you give your Telnet client, and it's like, log me in as root and whatever the default password is for the device, that is, the factory password, and you get a prompt. It says, hi there.
LEO: Oh, my god.
STEVE: Well, hi there, root. What would you like to do? So…
LEO: That was obviously left in for remote patches and support and administration. But why they would leave it in the firmware…
STEVE: Well, yeah. So first of all, you would never want your root user to be called “root.” You know, at least name it gibberish. But the problem is we know this is not safe. People are going to look at the firmware, or do a port scan. You can do a port scan of your hard drive, and it's going to be answering TCP connections on the Telnet port, and then that's going to beg the question, oh, well, Telnet is - so that means that the Telnet service is running on this hard drive. Okay. Even that phrase is bad.
LEO: That means you have a daemon running on the software. Like, that's crazy.
STEVE: Yeah. Yeah, it's nuts. On a hard drive. It's like, okay. We don't want that. So anyway, the good news is there is an update. You can download it from - so what happened was Seagate was notified on March 18th. In a very short time, I was impressed with this, 12 days later, on the 30th, they replied and confirmed there were vulnerabilities. Then, unfortunately, it took a hundred days before anything happened. So this has been out there since the release of these drives. And these guys found firmware dated October 2014.
So they said: “The following devices with firmware versions 2.2.0.005 and 2.3.0.014,” they said, “dating back to October 14, are vulnerable to three” - and I've only talked about one - “three attack vectors.” And then they said: “Other firmware versions may be affected, as well.” So the takeaway here is, if you have Seagate WiFi hard drives, you want to go and update your firmware.
So the first of the three was their use of hard-coded credentials to give a Telnet user root access to the drive. And these guys wrote: “The affected device firmware contains undocumented Telnet services accessible by using the default credentials of 'root' as the username and the default password. An attacker can covertly take control of the device, not only compromising the confidentiality of files stored on it, but use it as a platform to conduct malicious operations beyond the device.” Because of course they can download and run any other services that they want to. I mean, this is just unbelievable. Okay. Second problem, that they called direct request, “forced browsing.”
LEO: Wait a minute. There's another one?
STEVE: Oh, there's two more. Yeah.
LEO: What a mess.
STEVE: I know. “The affected device firmware provides unrestricted file download capability. Attackers can gain access to all files stored in affected devices.” This is through some other undisclosed mechanism other than this Telnet problem. So “The affected device firmware provides unrestricted file download capability,” meaning that there's no security, basically. “Attackers can gain access to all files stored in affected devices. This vulnerability requires attackers to be within range of the device's wireless network.”
Well, yeah, because it's a WiFi device. So maybe that means - so that wasn't a limitation on the Telnet access. So this may be different. This, for example, maybe it's not routable through the border router. Again, we're scant on details because they're not wanting to talk about this until everybody gets this fixed. And right now, this just happened. So right now nobody has this fixed.
And third, unrestricted upload of file of dangerous types. “The affected device firmware provides a file upload capability to the device's /media/sda2 file system, which is reserved for filesharing. This vulnerability requires attackers also to be within range of the device's wireless network in order to upload files to it. If such files were maliciously crafted, they could compromise other endpoints when the files are opened.” So, wow. About as bad as it gets.
Just, again, like here's Seagate, a company with a great reputation. On the other hand, we do know that many of these high-profile companies are getting their firmware from third parties in the same way that TP LINK made the hardware for Google's OnHub.
LEO: It also could be a reference platform that they left that in for remote updates…
STEVE: We've seen that.
LEO: …of the software, and you're supposed to take it out before you ship, and…
STEVE: Yes. I mean, how hard is it to stop a service from running on boot in Linux?
STEVE: I mean, it's like not. You just don't. So it's like they shipped it by mistake and left the Telnet service running.
LEO: And of course there is one way it could be worse, if Hillary Clinton used it for her email server. Then we know. Then we know we got “trouble right here in River City.”
STEVE: In River City, yes. Okay. So in an odd piece of news on today, Tuesday, the day before the Apple iOS9 announcement, where one of the major announcements is, I mean, that's making just as much news as the gossip and rumors for what next hardware they're going to be producing, is the addition in iOS9 to Safari, the default browser, of course, of hooks which will allow adblocking extensions to be created. And we know that there's already one called Crystal, which is highly anticipated for Safari, and uBlock.
I have seen nothing from Raymond and his branch, uBlock Origin. But Chris, the guy who's maintaining the unbranched or unforked uBlock, has announced that he will have a Safari version of uBlock, which is fundamentally the same as uBlock Origin, available soon. So apparently the Adblock Plus people, or the Adblock people, they're a company called Eyeo, E-Y-E-O, which sounds like a nursery rhyme.
LEO: And we're so close.
LEO: If it had just been EIEIO, we could have really loved it.
STEVE: Exactly. And everybody could have remembered it. And in fact you need that because, if you look for using Apple's horrific search in the App Store, I just can't…
LEO: Oh, yeah. Can't find anything, yeah.
STEVE: Every time I go looking for something I think, how can you not have figured out search? Something like that everybody else, especially your major competitor in the world, has nailed search, but you can't do search in an App Store.
STEVE: Anyway, it's not easy to find this. There are many things called Adblock. So you need to look for “adblock browser from EIEIO.” No, “from Eyeo.”
LEO: Now you're really confusing everybody.
STEVE: That's the one you want. And just for the hell…
LEO: Is that the best one, not Crystal? Because people have been talking a lot about Crystal.
STEVE: I would wait.
STEVE: I'm talking about it because it's there today. We're thinking, what, it may be like two weeks before we can actually add adblocking to iOS. So today, if anyone wanted to experiment with it, the Adblock Browser, I downloaded it this morning so that I could talk about it.
LEO: Eyeo is Adblock Plus.
STEVE: Yes, Adblock Plus.
LEO: Plus. That's not the same as Adblock.
STEVE: And so…
LEO: That's these guys.
STEVE: Yeah. So, yeah, there it is. That's the one. You want - well, wait. Is it from Eyeo?
LEO: Yes, from E-Y-E-O. Adblock Plus.
LEO: And this one's GPLed and open source. This is not the company that's selling - or is it the company that - I get so confused.
STEVE: Okay, now, no. You're looking for a browser. So you go…
LEO: No, no. I know. But this is the Adblock Plus company. Yeah, yeah, yeah.
STEVE: Oh, correct, correct, yes.
STEVE: And so in the App Store it's Adblock Browser. And the icon, it sort of looks like the globe, the world globe is wearing a jaunty little stop sign hat because it's sort of off to an angle, because the Adblock logo is the red stop sign. And so they've sort of got - it's got half a stop sign and half of the globe is the logo. So that's the one you want. And I loaded it, and it works just fine. It uses their EasyList, which is the ad server list that they curate. Yup.
LEO: There's the logo. It is jaunty.
STEVE: Yeah, it's a little jaunty little…
LEO: I think it's a stop sign, but I…
LEO: Does look like a jaunty little hat, yes.
STEVE: Yeah, it's meant to be a stop sign. And so we have that today for iPhone and iPad. And there are some features, you're going to want to dig through the menu because they, by default, they block ad servers using their EasyList. And of course that's the one that everybody else clones. I mean, because it's publicly available. So, for example, uBlock sucks that down, uBlock Origin sucks that down, because it's a great, curated, very up-to-date list of ad servers. But under More Blocking Options, which are all turned off by default, they have Disable Tracking is off.
And I note, Leo, that every time you have brought up, and you've been talking about on your other podcasts the pending Adpocalypse, you know, like what's going to happen when Safari adds this to mobile, makes it so easy for users to do this. And invariably one or two of your talking head guests will not, like, I don't really mind ads, I just get creeped out by tracking. And that's how I feel, too. It's the tracking which we don't see. The ads are like the part of the iceberg that's above water. And tracking is, like, way bigger in terms of what annoys people, the idea that, in fact, one of your guests on Sunday on TWiT, two days ago, said that he was a little creeped out when he, like, left one site and went to a different site, yet the ads that he then saw sort of followed him, like from what he'd been doing over to where he was.
And he said, “That creeps me out.” He said, “I'd rather have random ads and not have it so obvious that something is following me around the Internet.” So under More Blocking Options for this Adblock Browser, Disable Tracking you need to turn on. Disable Malware Domains is off by default. Turn it on. Why would you have that off? So turn that on. Disable Social Media Buttons. I would say yes because that's of course a big - and that's how Facebook tracks people all over the place is all those little Like buttons everywhere. That's sending a ping for your cookie, your Facebook cookie, back to Facebook so they know where you are. So Disable Social Media Buttons. Turn that on.
And then the fourth one I deliberately left off, and that's Disable Anti-Adblocking Messages. And that's because I want to know if a site is unhappy that I have an adblocker because, I mean, I want to support the sites that I visit. I just don't want to get - I don't want to be tracked, and I don't want to get infected with malware in return for seeing ads I'm not going to click on and don't care about. So anyway, dig around in here. There is, you know, the whole Adblock Plus deal is their so-called “nonintrusive ads.” And so the other option is Acceptable Ads, and they say “Allow some nonintrusive ads.” And that's on by default because that's their - that's Adblock's own monetization model, which has been very controversial.
LEO: Yeah, undermining everybody else's monetization model.
STEVE: Yeah. And Google and Microsoft and other major players have paid Adblock for exceptions to their EasyList list. And so what this says is, no, no exceptions. I want full blocking. I don't want to accept your monetization model because that's not mine. So anyway, we do have this Adblock browser available today. And it'll be interesting to see how it goes. Ultimately, I think that what we're going to see is people, I mean, I want uBlock. I want uBlock on Safari. I mean, I'm still using Safari as my default browser on my iOS devices, even though it would be easier to use the LastPass Tab Browser. I just sort of like using the native…
STEVE: You know, the one that comes with it. To me that feels better. And so I'll definitely be - and we'll be covering the extensions that are available for iOS9 as soon as iOS9 becomes available to us.
LEO: This is available for Android, too, the Adblock Browser.
STEVE: Yes, good. I'm glad you mentioned that.
LEO: In most cases what they're doing is they're basically using the facilities of the built-in browser at WebKit or whatever, and just kind of…
STEVE: Oh, yeah. They're not writing a browser from scratch.
LEO: They're skinning it.
STEVE: Right. They're not writing a browser from scratch. And in fact in this case they didn't. There's something called - it wasn't WebKit. It was something kit that these guys used as the armature for their add-on. And of course the fact that this is now in the Play Store is kind of big news because…
LEO: Apple's turned this off before; right?
STEVE: Well, it was Google.
LEO: Oh, Google did.
STEVE: What happened was Adblock Plus tried to do this in the middle of March, and Google rejected them and kicked them out of the Play Store. The EFF got all huffy about it and did a posting at the time saying “Google takes the dark path, censors Adblock Plus on Android.” And EFF wrote: “In a shocking move” - okay, well, I don't know why anyone would…
STEVE: Shocking. Google…
LEO: [Indiscernible] going on.
STEVE: “Google has recently deleted Adblock Plus from the Android Play Store.” “This is hugely disappointing,” wrote the EFF back in March, “because it demonstrates that Google is willing to censor software and abandon its support for open platforms as soon as there's an ad-related business reason for doing so.” And then they said: “Google's stated reason for the ban is that the Android app allegedly 'interferes with or accesses another service or product in an unauthorized manner.'” Which, you know, is corporate legal speak for nothing. You know, we didn't like…
LEO: But doesn't Google actually pay Adblock Plus to be part of this?
STEVE: Yes, they're one of the people…
LEO: So confusing.
STEVE: …that sponsor Adblock Plus. Yeah. So anyway, so it'll be interesting to see how this goes. I did run across an interesting site when I was digging into this. And I think it's called - I just tweeted about it. It's Fair Play? No, Fair Page. It's either Fair Page or…
LEO: PageFair. Yeah, yeah.
LEO: These are the guys who said, as it turns out maybe somewhat inflatedly, that $21 billion would be lost.
STEVE: Yes, 22 I think is their number.
LEO: Yeah, in this year to ad blocking.
STEVE: Yeah. And what was so interesting is I spent, in fact, I was using the Adblock Browser to browse their site. I thought, okay, this'll give it to them. Check out this user-agent, suckers. And I went through their FAQ because I was just sort of curious, I mean, I'm really wanting to understand the ecosystem of this a bit better. And so their blog is a series of closed but expandable, you know, click-plus-to-open-this questions that they've asked themselves and then answered. And you go through the entire thing, no mention anywhere about tracking. I mean, it was really very fair. Because of course they sort of have a different model.
Their deal is that websites can sign up with them to find out how much money they're losing somehow. That is, so they put some instrumentation on a website which will be adblocker sensitive. It'll be blocked by adblockers. And so, and then they must have some other instrumentation that isn't so they can look at the delta of what got blocked and what was allowed and tell sites how much revenue is being lost. And then they apparently sell sites a service which provides the message that, oh, this site is ad-supported, which appears if you visit the site with an adblocker running, to make the explanation and the plea for turning off your adblocker. So that's sort of their angle.
But they really do a nice job in the FAQ of explaining all of this, except nowhere, nowhere is the elephant in the room, which is the tracking. That's the part that people, from everything I have heard, and like listening to your other podcasts, that's what upsets people. Not the ads as much as the idea that we know that they're trying to monetize us by profiling. And so if there was a stop tracking, but, you know, okay, then that would be a different thing. But nowhere does that get mentioned on this otherwise very complete page. So I thought, yeah, that's interesting, you know, they're not talking about that at all.
So there was some what turned out to be specious news that - and, I mean, there was a lot of talk about this, some buzz in the last couple days, that people were seeing Chrome and the YouTube app for Chrome not blocking ads, even though customers had adblockers. And so first there was the conspiracy theory that, look, oh, look, here it is, this is what we were waiting for, that Chrome had modified itself to defeat the adblocking extensions to allow its own properties not to have ads blocked.
Well, it turns out, just count to 10, and then we'll get an answer. And the answer was there was a mistake. It was introduced by a security fix which at the time was not public. Issue 510802 is a security mistake that said webRequest API allows intercepting XHR from apps and extensions. So XHR is the XML HTTP request API, which is the - it's the whole Java dynamic web API that allows pages to make requests back to their parent server to create updated content on the fly. For example, Gmail is a heavy user of that. Sort of the next-gen of web is doing all of this.
So there was a security problem, and the fix broke an aspect of the signaling which goes to web extensions - and this also ties into a question that we'll be getting to later - because there's an API called chrome.webRequest.onBeforeRequest, and extensions can register themselves to receive that signal. And as it sounds, it's on before request, meaning send me a message containing the details of a browser request before the browser acts on it. And that allows the extension to examine it and go, eh, no. And based on whether that extension returns true or false, if it returns false, then that request is aborted at that point, and it doesn't go any further.
So what was happening was in a really sort of flaky way some people were seeing this, they were being affected by it; others were not. So it's been fixed. And it may still be in the wild, that is, it may be fixed in internal builds and not yet pushed out. But for any of our listeners who hear about this or may experience it, it's just a mistake that Chrome made, the Chromium project made, and they're in the process of getting it fixed. It's not an exception that Google has made for Chrome that allows them special adblocking circumvention that other browsers or users don't have.
And then the news that, from a German-based cybersecurity firm, G Data, and you may want to bring up - let's see, there's a PDF that I link to lower on the next page of the show notes, Leo, because I've got a couple pictures in the notes. But what they have found, they've done a survey of Android malware, Android smartphone malware. And they have seen a 75% increase in what they call “preinstalled malware” during the past six months. Now, it takes a little bit of digging, but it turns out that all of this is coming from third parties somewhere between the originating manufacturer and the end user. That is, if you buy, sort of on the gray market, if you buy not from someone like a major retailer, like an Amazon or any of the major cell phone carriers directly, but if you get it on eBay from some remarketer person, that seems to be where this is coming from. So they did single out three different manufacturers: Huawei, and I guess is it pronounced Xiaomi?
STEVE: Xiaomi. Which I've heard, of course, but I never saw in writing, Xiaomi.
LEO: Xiao is little, I think.
STEVE: Xiaomi. So, yes, so I now know how to pronounce Huawei.
LEO: Huawei, yeah.
STEVE: Now I know how to pronounce - well, I thought I did.
LEO: You're close enough.
LEO: You know, no one knows how to pronounce it. We're all making it up.
STEVE: And Xiaomi. And unfortunately, Lenovo is also - has made the hit parade in this case. But it turns out there's many more. There's a ton of models of Alps Android phones, the A24, 809T, the H9001, the 2206, the PrimuxZeta, the N3, and the ZP100, the Alps 709, the GQ2002 - I don't think I'd buy an Alps phone. There's an Android P8, and then - and it goes on and on. I have all of these in the show notes. There's also the SESONN phones seem to be frequent targets of these.
They said 25 or 26 different smartphone units were discovered to be carrying malicious software before the consumer acquires the device. And the nature of this is unfortunately a little bit stomach-turning. This is infected firmware which knows how to infect the Facebook app and Google's Google Drive app so that, when users install them, if they're not preinstalled, then this firmware is able to reach up and alter the running apps in order to infect them with spyware, and in some cases adware.
So anyway, again, this has been in the news just - it just hit the news. The good news is this is not coming from the original manufacturers of these. Those phones are all clear and clean. It only appears to be when it goes through a third party, sort of the gray market, that these little goodies are being installed.
LEO: Yes. And I can promise you, nobody in the United States who's listening has ever heard of any of these Android phones. These are cheap phones sold in the Third World. I mean, and if you buy a phone, used phone, be careful. But these are - none of these. Do you recognize any of those names? No.
STEVE: No, no.
LEO: No. This is not a Samsung Galaxy S6 we're talking about here. This is the P8.
STEVE: Well, and so these are the reason that total smartphone sales or total Android platform is just huge numbers. But it's a large number of them are these wacky, no one's ever heard of them, off-brand phones.
LEO: Yeah, not sold in the U.S.
LEO: And, no, you're safe if you buy from Motorola or Samsung or LG.
STEVE: Right, right.
LEO: They're fine.