An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm.
The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from the devices included IMEI numbers, SIM numbers, and MAC identifiers, which can potentially be used to identify and track the cellphones.
According to HMD Global, which bought the Nokia phone business from Microsoft in 2016, a limited number of Nokia devices have been communicating by mistake to “a third party server.”
“We have analyzed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus,” an HMD Global spokesperson explained to The Register in an email. “Due to this mistake, these devices were erroneously trying to send device activation data to a third party server.”
The company’s spokesperson did not respond to requests to say how many phones are in “a small batch” or to confirm the software was intended for phone activation in China.
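Anyone checking a packet capture from their own handset for this kind of leak can scan cleartext HTTP POST bodies for the identifier types named above. The sketch below is an added example, not code from HMD Global or from the original report; the host, path, field names and identifier values are constructed, and the Luhn filter and the "89" ICCID prefix are general properties of those numbers rather than details from this story.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check carried by IMEI and ICCID; filters out random digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

HEX = "[0-9A-Fa-f]"
PATTERNS = {
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),        # 15-digit handset ID
    "iccid": re.compile(r"(?<!\d)89\d{17,18}(?!\d)"),  # SIM serial number
    "mac": re.compile(rf"(?<!{HEX})(?:{HEX}{{2}}[:-]){{5}}{HEX}{{2}}(?!{HEX})"),
}

def scan_cleartext_post(raw: bytes) -> dict:
    """Return the Host header and device identifiers found in one HTTP POST."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("POST "):
        return {}
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    text = body.decode("latin-1")
    hits = {"host": host}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if name != "mac":  # IMEI and ICCID end in a Luhn check digit
            found = [f for f in found if luhn_ok(f)]
        hits[name] = found
    return hits

# Constructed sample request; every value here is made up for the example.
BODY = (b"imei=490154203237518&iccid=8901260000000000006"
        b"&mac=02:00:5E:10:00:01&ts=155200000000000")
SAMPLE = (b"POST /activate HTTP/1.1\r\n"
          b"Host: collector.example.invalid\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(scan_cleartext_post(SAMPLE))
```

The `ts` field in the sample is a 15-digit number that fails the Luhn check, so it is not reported as an IMEI.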