HMD: Nokia 7 Plus phones send device activation data to a third party server due to software error

A non-Chinese user who has a Nokia mobile phone recently found that the mobile phone will send unencrypted data packets to the domain name http://zzhc.vnet.cn. The data includes geographic location, IMEI, SIM card number, and MACID. The registrant of the vnet.cn domain name is CNNIC, but CNNIC said it actually belongs to China Telecom. In response to this, HMD responded to the official blog, saying that this was due to a firmware error and that the firmware has been removed from the firmware update.

HMD Global said that only a single batch of Nokia 7 Plus devices was affected, including software packages that send data to China Telecom servers. This package collects user data and sends it to the Chinese server when the phone is unlocked.

HMD official response is as follows

HMD Global takes the privacy and security of its consumers seriously. With the recent news regarding the Nokia 7 Plus, it’s important that you hear about what happened from us and learn more about how we collect and store data.

We have looked deeply into the case at hand and can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for our China variant was mistakenly included in the software package of a single batch of Nokia 7 Plus phones. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed, and no person could have been identified based on this data. To be clear, no personally identifiable information has been shared with any third party. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it. If you want to check if your Nokia 7 Plus has received the security fix, we have included step-by-step instructions below.

How can I check if my Nokia 7 Plus has received the security fix?

If you want to confirm your device is up to date, follow these steps:

• Go to Settings > System > About Phone > Scroll down to “Build Number”
• If your phone shows “00WW339BSP03” or “00WW322CSP05” as the “Build number”, you have already installed the fix on your Nokia 7 Plus.
• If your phone is not showing either of the above, don’t worry, you can always request the latest approved build by following these steps:
• Go to “Settings” > “System” > “Advanced” > “System Update” > “Check for Update”.
• A Wi-Fi connection is preferred, but if not possible, you can select “Resume” to use your cellular data connection. Please be advised that using a cellular connection may incur a data charge. Check with your operator if any concerns.