Down on the Baidu

Today, the Citizen Lab is releasing a new report, “Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser.”

The report is the result of many weeks of careful analysis, led by Citizen Lab security researcher Jeffrey Knockel and co-authors Adam Senft and Sarah McKune and is part of Citizen Lab’s interest in analyzing the privacy and security issues involved with popular mobile applications.

Reuters has an exclusive story on the report here:

The report takes a close look at Baidu Browser, a popular China-based mobile application that is available in Windows and Android versions. What we found was very troubling.

Baidu Browser collects and transmits a lot of personal user data back to Baidu servers that we believe goes far beyond what should be collected, and it does so either without encryption, or with easily decryptable encryption. Data collected and transmitted in the Android version without any encryption includes a user’s GPS coordinates, search terms, and URLs visited. The user’s IMEI and nearby wireless networks are sent with easily decryptable encryption. Meanwhile, the Windows version sends search terms, hard drive serial number, network MAC address, title of all webpages visited and GPU model number.

That is a lot of fine-grained personally-identifiable information about what a user is doing, where they are located, and their device. Hard drive serial number? Really? What does the manufacturer of a mobile browser application need to know about the hard drive serial number of your device? Sending all of that information in the clear is a big problem too, because it means anyone who operates any of the networks over which communication takes place (e.g., wifi, cell, ISP, telco providers) can see and log it too (more on that below).

We also found that neither the Windows nor the Android version of Baidu Browser protects software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code.

What does that risk represent in real terms? Say you had Baidu Browser loaded on your mobile device and you connected to a wifi hotspot controlled by a criminal, spy, or some other nefarious group, maybe at a conference hotel, a coffee shop, or an airport. People with access to those networks would have been able to send malware to your phone disguised as a Baidu update and take over your phone and do anything they want with it. (Thankfully, it appears this issue has now been fixed by Baidu after our security disclosure).
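To make the missing safeguard concrete, here is an added illustration (not code from the report, from Baidu, or from Citizen Lab) of the check a signed-update mechanism performs before executing anything it downloaded. The vendor key, manifest layout and package contents are hypothetical and constructed for the demo; only the client-side verification logic is the point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata a client fetches next to the update package.
// The vendor signs Version plus the package hash with an offline key; the
// client only carries the matching public key, baked into the shipped binary.
type UpdateManifest struct {
	Version string
	SHA256  [32]byte
	Sig     []byte
}

// signedBytes is the exact byte string the signature covers. Version and hash
// are bound together so an old, genuinely signed manifest cannot be replayed
// against a different package.
func signedBytes(version string, sum [32]byte) []byte {
	return append([]byte(version+"\n"), sum[:]...)
}

// SignManifest is the vendor/build-pipeline side (hypothetical, demo only).
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	return UpdateManifest{Version: version, SHA256: sum, Sig: ed25519.Sign(priv, signedBytes(version, sum))}
}

// VerifyUpdate is the gate a client must pass before running a download.
// Anyone on the network path can replace both manifest and package, so a
// bare hash proves nothing; only the signature ties them to the vendor key.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.SHA256), m.Sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sha256.Sum256(pkg) != m.SHA256 {
		return errors.New("package hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	genuine := []byte("constructed update package v2.0")
	m := SignManifest(priv, "2.0", genuine)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, genuine))
	// In-path swap of the package body: the signed hash no longer matches.
	fmt.Println("swapped package:", VerifyUpdate(pub, m, []byte("not the vendor build")))
	// Re-hashed manifest without the vendor key: the signature fails first.
	forged := UpdateManifest{Version: "2.0", SHA256: sha256.Sum256([]byte("x")), Sig: m.Sig}
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, []byte("x")))
}
```

Without the `VerifyUpdate` step, an updater that simply fetches and executes whatever arrives over the network is exactly the condition the report describes.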

On a methodological level, the findings show the value of reverse engineering – a method that is under pressure as companies get more and more litigious and copyright laws more stringent around just what individuals can do with devices and applications. I have repeatedly argued that “lifting the lid” on the Internet is not only interesting from a research perspective, it is also a civic responsibility. Of course not everyone can “lift the lid” on the Internet. It requires a lot of skill of the sort Citizen Lab security researcher Jeffrey Knockel has, and which this report demonstrates.

After the last few reports where reverse engineering has figured prominently, I would like to propose a new rule: the more you take popular applications apart, the more scary the findings.

There are also some interesting lessons around the responsible disclosure process we undertook around this report (which is detailed in the report itself). We gave the company 45 days to address the issues, and then extended that deadline at their request. Baidu security engineers were very responsive, for the most part, and took our concerns very seriously. We sent them questions prior to the report’s release, and Baidu’s International Communications Office sent back their reply, which we published here.

However, Baidu’s “fixes,” while correcting some critical problems, actually appear to have made some other things worse, and there are still some serious questions lingering about why they collect such highly invasive data about their users in the first place (about which the company feels it cannot transparently comment).

Of course, that Baidu is made in China and most of its users are there should raise alarm bells. China requires local companies like Baidu to retain and share user data without much of any kind of due process, transparency, or public accountability. Did Baidu build their browser to hoover up all of this personal information at the request of the Chinese authorities? Did they do it for commercial reasons? Did they do it because of overzealous engineering choices?

In a way, it doesn’t matter. Whether poor design, or surveillance by design, it is the same effect: users are at risk.

The report also illustrates a series of larger concerns related to the multiplication of applications, devices, and “things” that are connected to each other and the Internet, and which follow us around relentlessly. Insofar as applications such as these leak personally identifiable information, they become attractive targets for state intelligence agencies and other threat actors. We know this from the Snowden disclosures and comments made by senior intelligence officials. And you can bet if the FVEYs see it this way, other lower-tier countries and threat actors will do so eventually (if they are not already). Seemingly trivial bits of data leaked out that connect back to users become a very convenient “hook” or “selector” for intelligence analysts. With that IMEI number or serial number in hand, an analyst can go back in time and make connections with other individuals, places, points of data, or events that can be seriously incriminating. That may not matter to everyone who feels they have “nothing to hide” (although even in those cases people should still worry about crime, identity theft, etc.), but it can affect high-risk users in life-threatening ways.

All of this research underscores a pretty scary scenario we’re heading into, illustrated by one of the most remarkable aspects of the findings. We discovered the software development kit at the heart of the Baidu Browser issue happens to be repurposed and employed in thousands of other applications developed by Baidu and third parties, affecting potentially hundreds of millions of users. Yes, hundreds of millions of potential users. Thousands of other applications, many of them available on the Google Play Store outside of China, and some of which have been installed hundreds of millions of times, contain the same flaws, and are sending back the same detailed information, to Baidu servers.

That means the problems we identify cause major collateral damage that goes well beyond Baidu Browser, and beyond China. This finding offers another reminder that flaws in small but important chunks of code can ripple far and wide in the ecosystem of interconnected applications and devices (e.g., the Heartbleed OpenSSL case).

Read the full report here: