But if someone told you that the app you are using uploads your WiFi password to a remote server, and that the smart device connected through it is at risk of being manipulated, would you be worried?
Your WiFi password is being uploaded quietly. ...
On the afternoon of August 10, an article entitled "Stealing privacy, transmitting plaintext: a bad example of JD.COM challenging the Cybersecurity Law" spread on the internet. It pointed out that a JD.COM app called "JD.COM William" uploaded the WiFi password entered by the user to JD.COM's server without explicitly informing the user, creating a hidden danger for the user's network security.
The article includes test videos and screenshots of the data traffic produced when the "JD.COM William" application connects to WiFi. The reporter verified that the article comes from the technical team of a network security media outlet named "Hissing Network".
According to Liu (a pseudonym), a member of the team, they noticed the relevant discussion on Zhihu and conducted two security tests at around 10 in the evening on the 9th. The results showed that the application did upload the user's WiFi password to the JD.COM server.
The reporter read the JD Smart Cloud User Agreement in the "JD.COM William" application. Article 6 stipulates: "In the process of adding intelligent hardware devices for the first time, you need to provide the devices with the SSID and password required for accessing the WiFi environment for one-click configuration of intelligent hardware devices and WiFi environment." On this basis, JD.COM holds that it has already informed users about matters such as the uploading of WiFi passwords.
However, Song Hongyu, a network security expert at a company in Shanghai, believes that it is difficult for ordinary users to find and understand this explanation in the lengthy user agreement. The concepts of "providing" and "uploading" are different, so an ordinary user cannot know exactly what "providing" in the agreement specifically means. Song Hongyu said that, in general, before a user uploads sensitive information the system should give a second prompt and ask for confirmation. Without that confirmation, it amounts to "quietly" uploading the user's WiFi password. "JD.COM William" lacks this step, so most users may not know that their WiFi password has been uploaded.
Although the "JD.COM William" app promises in its user agreement that "the original information and mapping information will not be stored or modified remotely, nor will they be disclosed, transferred or used for other purposes," network security professionals believe that uploading sensitive information such as WiFi passwords to a server in itself creates hidden dangers for users' information security.
Although sensitive information such as a WiFi password uploaded over HTTPS is difficult for an outside party to intercept, the process is not without risk. Liu said that once it is intercepted by a hacker, the hacker can fully access your WiFi and hijack the smart devices connected to it. "For example, if these devices include webcams, hackers also have the opportunity to read the pictures taken by the cameras."
On this issue, the reporter specifically asked Beijing JD.COM Century Trading Co., Ltd., and JD.COM's technical team responded that "although it is difficult for hackers to hijack the HTTPS transmission channel, William will encrypt sensitive information twice in the future."
Why does JD.COM William want to get the user's WiFi information?
To verify what Liu and his technical team said, the reporter contacted a well-known Chinese Internet security enterprise for a second verification of the process described above. The enterprise's engineering team confirmed, by various technical means, that "JD.COM William" really did upload the user's WiFi password to JD.COM's server.
An engineer on the team pointed out that the step of "uploading the user's WiFi password to its own server" is completely "redundant": even when a home smart device is being paired with WiFi, the process only needs to be completed within the home LAN, and there is no need to go a separate route and upload the user's WiFi password to the cloud. What is puzzling is that "JD.COM William" works exactly this way.
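As an added example (not from the article, Hissing Network, or JD.COM), the following Python check mirrors the kind of test the two engineering teams describe: it runs over a capture of an app's outbound requests recorded by an intercepting proxy on the test phone, and flags any request that carries the test WiFi passphrase (in plain, URL-encoded, or base64 form) to a destination outside the home LAN. That is exactly the distinction the engineer draws between pairing that stays on the LAN and an upload to the cloud. The `Request` record, the hosts, paths, request bodies and the passphrase are all constructed for the example.

```python
import base64
import ipaddress
import urllib.parse
from dataclasses import dataclass


@dataclass
class Request:
    """One outbound HTTP request as an intercepting proxy on the test phone would record it."""
    host: str      # destination host name
    dest_ip: str   # address the host resolved to
    path: str
    body: str      # request body after TLS termination at the proxy


def credential_encodings(secret: str) -> dict:
    """Forms in which a passphrase commonly shows up inside a request body."""
    return {
        "plain": secret,
        "url": urllib.parse.quote(secret, safe=""),
        "base64": base64.b64encode(secret.encode()).decode(),
    }


def is_lan_destination(ip: str) -> bool:
    """True when the traffic stays on the home network (private, link-local or loopback)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local or addr.is_loopback


def find_credential_leaks(requests, wifi_password):
    """Report every request that carries the passphrase to a destination outside the LAN.

    A pairing request sent to the device itself on the LAN is expected and is not
    reported; the same payload sent to a public address is an upload to the cloud.
    """
    forms = credential_encodings(wifi_password)
    findings = []
    for r in requests:
        matched = [name for name, form in forms.items() if form in r.body]
        if matched and not is_lan_destination(r.dest_ip):
            findings.append({"host": r.host, "path": r.path, "encodings": matched})
    return findings


# Constructed test passphrase; '&' and '/' make the URL-encoded form differ from plain text.
TEST_PASSWORD = "Home&WiFi/2017"


def sample_capture():
    """Constructed capture: one LAN pairing request, two cloud requests carrying the
    passphrase, and one cloud request without it. Hosts, address and paths are hypothetical."""
    b64 = base64.b64encode(TEST_PASSWORD.encode()).decode()
    return [
        Request("192.168.1.23", "192.168.1.23", "/pair",
                '{"ssid":"home","pwd":"Home&WiFi/2017"}'),            # stays on the LAN
        Request("api.vendor-cloud.invalid", "11.22.33.44", "/v1/device/provision",
                "ssid=home&pwd=Home%26WiFi%2F2017"),                  # leak, URL-encoded
        Request("api.vendor-cloud.invalid", "11.22.33.44", "/v1/telemetry",
                '{"uptime":42}'),                                      # no credential
        Request("api.vendor-cloud.invalid", "11.22.33.44", "/v1/config/sync",
                '{"wifi":{"ssid":"home","key":"' + b64 + '"}}'),       # leak, base64
    ]


def audit_sample():
    """Run the check over the constructed capture; returns the off-LAN findings."""
    return find_credential_leaks(sample_capture(), TEST_PASSWORD)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"passphrase sent off-LAN to {f['host']}{f['path']} as {f['encodings']}")
```

The check is deliberately conservative: a request that carries the passphrase to the device's own private address is treated as normal pairing, and only traffic leaving the LAN is reported. Bodies are only visible because the proxy terminates TLS on the test device; as the article notes, HTTPS hides the upload from an outside observer, not from the operator of the server it is sent to.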
Some industry insiders compare the behavior of "JD.COM William" to that of a nanny: "I invited a nanny to work in my house, and the nanny made a key to my house without my permission. This kind of behavior has definitely affected my own safety."
According to Liu, in addition to the "JD.COM William" app, the technical team also tested the control software of several other smart devices and found no behavior of uploading the user's WiFi password.
To this end, the reporter asked JD.COM for verification. The company holds that uploading the user's WiFi information to the cloud serves only the technical needs of network provisioning (connecting devices to WiFi). JD.COM technicians responded that "JD.COM William has truly realized the interconnection of smart devices across brands and categories, providing users with a good experience; in contrast, other systems are likely to only operate a single intelligent hardware, so there is no need to upload a WiFi password. It is not appropriate to compare the two."
In fact, "JD.COM William" has changed this provisioning model. JD.COM stated in its written reply that it has had its own network provisioning scheme since the second half of 2016. This scheme connects smart devices entirely within the home LAN, without sending WiFi information to the cloud. In addition, JD.COM said it will complete the system upgrade as soon as possible and strive to achieve local provisioning for all devices.
In the interview, JD.COM did not explicitly state that smart devices leaving the factory after the second half of 2016 no longer require the WiFi password to be uploaded, nor that the software would stop uploading it. During the reporter's interview and investigation, the network security engineers of the two teams randomly selected a number of smart hardware devices manufactured in different periods for testing, and found that the "JD.COM William" application still uploaded WiFi information when connecting some of them.
Expert opinion: Internet companies should better fulfill their network security obligations.
Not long ago, the public security department of Zhejiang Province cracked a case of illegal intrusion into residents' "home cameras". The suspect had broken into nearly 10,000 home camera IP addresses by technical means and sold the footage captured by the cameras online. As soon as this case came out, public opinion once again focused on citizens' information security.
Prior to this, the practice of "WiFi Master Key" uploading users' WiFi passwords without authorization had been questioned by the media and the public. JD.COM's unauthorized uploading of users' WiFi passwords has likewise attracted the attention of experts in the legal and social fields. Lawyer Zhang of Fujian Yingkun Law Firm believes that this kind of behavior is suspected of infringing on personal privacy, carries certain security risks, and deserves users' attention.
According to Article 41 of the Cyber Security Law of the People's Republic of China, which came into effect on June 17, 2007: "Network operators should follow the principles of legality, justice and necessity, openly set the rules for collection and use, clearly state the purpose, manner and scope of information collection and use, and obtain the consent of the collected person. Network operators shall not collect personal information irrelevant to the services they provide, and shall not collect and use personal information in violation of the provisions of laws and administrative regulations and the agreement between the two parties, and shall handle the personal information they save in accordance with the provisions of laws and administrative regulations and the agreement with users."
Yang Jianhua, a member of the Advisory Committee of the Zhejiang Provincial People's Government and president of the Zhejiang Sociology Society, believes that even if the software an enterprise provides is free, it should still follow business ethics and clearly inform users of any uploading of sensitive information through a second prompt, leaving users to decide whether to continue using the software.
Yang Jianhua said that Internet companies should fulfill the social responsibilities and network security obligations that match their influence, protect users' and consumers' right to know in accordance with laws and regulations, and recall or improve products with technical defects and security risks.
At present, "JD.COM William" is adjusting and upgrading its technical scheme to address users' concerns.
Individuals seem to have few secrets left, and they are constantly being monitored by others. Why is there no provision in the law for this? Bring out its binding force and put a tight rein on such enterprises.