No factual basis, Smart says on alleged ‘strange’ script on its SIM card

Smart Communications said the claims of an analytics consultant that "strange scripts" with links to China were appearing on a Chinese phone using an old Smart SIM card were "without factual basis."

In a statement sent to GMA News Online, the telecommunications firm took exception to the alleged findings of Dominic Ligot, founding board member of the Analytics Association of the Philippines (AAP), who said that the script contains an unknown private domain which referenced two Chinese websites, and

Ligot said he verified the domains and found them to be genuine Chinese domains.

He said he also found that the script only appeared when he was using a Chinese phone, connected to the internet using an old Smart SIM card, and only on some websites with no Secure Sockets Layer (SSL) certificate.

Smart said its Cyber Security Group made an initial analysis of Ligot's claims, which he announced in a Twitter post: "If you are using an older Smart wifi, FYI, I’ve discovered proof that China is spying on us."

"We have studied Mr. Ligot’s claims and found them to be without factual basis," Smart said.

"As Mr. Ligot himself said, his 'proof' was not 'foolproof'.  On that point, we certainly agree with him.  Our initial investigation has in fact shown that his fears over a 'strange script' inflicting cyber mischief on unsecured websites are unfounded," the firm added.

According to the statement, PLDT and Smart "are very mindful of the security of our network services and the privacy of our customers. And we will continue to be vigilant and take all possible measures to protect the public."

Responding to Ligot's claim, Smart issued the following explanation:

-Claim No. 1: Internet traffic is being routed to China prior to reaching the destined website.

Smart said that the “IP Addresses” that Ligot refers to are not in China.

"These are actually private Smart/Sun IP addresses in the Philippines. So, in fact, based on the traceroute that Mr. Ligot posted on his Twitter account, it could be seen that internet traffic goes through the internal IP addresses of Smart and does not go to China before landing back in PLDT," it said.

-Claim No. 2: A piece of script or code is being injected into the website being visited by the internet user, specifically when the website is non-encrypted.

Smart explained that "the script or code is actually the software that runs the Sun Cellular toolbar designed to enable customers to buy data load packages and to keep track of their load.  There is nothing malicious about that toolbar.  Once the toolbar is activated, the SUN Cellular logo will appear on the users’ browser and when clicked, it will show the loads available for the subscriber."

It also clarified that "Whenever a device (smartphone, laptop, Smart TV, etc) connects to the internet using an old Smart/Sun broadband SIM (issued prior to 2016), the latter attaches a code to the user’s web browser for it to display the Sun Cellular Toolbar.  The code is not injected into the website being visited by the user."

"An attached code, as opposed to an injected code is temporary—it does not remain in one’s device once a particular browsing session is finished. In short, nothing is injected or embedded in the website being visited by the user," it added.

-Claim No. 3: There are two Chinese websites inserted in with the abovementioned script.

The two Chinese website addresses included in the script for the Sun Cellular toolbar are: and, which Smart said are Chinese news websites.

"The only reason these sites are in the script is because the Sun Cellular Toolbar will not work properly if the user tried to access those two sites.  These websites are cited in the script in order to prevent the Toolbar from being turned on when the user is accessing these two sites. It is worth pointing out that Sun Cellular had a significant number of Chinese subscribers and that there were people visiting these websites," it said.

-Claim No. 4: The scenario of the script being injected to non-encrypted websites happens only when Chinese-made smartphones are used on Smart Wifi.

Smart explained that different phone manufacturers put different default settings in their devices.

"It appears that, based on the findings of Mr. Ligot, the default settings of the Chinese handsets he tested allow the attachment of the script to the phones’ web browser. On the other hand, it appears that the Korean and U.S. phones do not," Smart said.

According to the company, it conducted its own tests and found that the toolbar works on Samsung J7 Pro, Samsung J2 and Lenovo Thinkpad laptop.

"So, it is not prudent to conclude that only Chinese handsets show the script. In any case, this does not mean that the Chinese and other handsets inject the script into non-SSL enabled websites.  These handsets only allow the attachment of the script to the web browser.  And by the way, the script in question is for the Sun Cellular toolbar and is not a malicious code," Smart said. —LDF, GMA News