Saturday, July 06, 2013

Motorola Blur users read this

For certain models motorola not only captures your ID and pw but redirects your web traffic through their servers and retransmits over unencrypted http.   That seems to be the gist:
Motorola secretly spies on Droid phone users every 9 minutes, collects personal data
By Darlene Storm

July 03, 2013 3:35 PM EDTYou know the NSA is “listening,” nabbing Verizon customers’ cell phone metadata, but did you know that Motorola is listening too? A security engineer with a Motorola Droid X2 smartphone discovered that Motorola is silently slurping up personal info like passwords, GPS data from photos, email addresses, and usernames to name but a few. His phone is checking in with Motorola every nine minutes. Even worse, the data is often sent over an unencrypted HTTP channel. As a Slashdot comment stated, “The NSA would like to thank Motorola for their cooperation.”

This all started when Ben Lincoln wrote about this new disturbing discovery on Beneath the Waves:

In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.

Motorola has numerous privacy policy and EULA documents. Most people probably regard those astl;dr. Lincoln wrote that “this one in particular (the one for the actual ‘Motorola Mobile Services’ system (AKA "Blur")) has a lot of content I really don't like, and which is not present in the other, similar documents on their site that are much easier to find. For example, it specifically mentions capturing social networking credentials, as well as uploading GPS coordinates from customers' phones to Motorola.”

Motorola's software is “responsible for the personal and configuration data being sent to Motorola,” Lincoln explained. In fact, Motorola is siphoning social networking account data and capturing usernames and passwords for Facebook, Twitter, YouTube, Picasa and Photobucket. After signing into Facebook or Twitter, Lincoln warns:

Most subsequent connectivity to both services (other than downloading images) is proxied through Motorola's system on the internet using unencrypted HTTP, so Motorola and anyone running a network capture can easily see who your friends/contacts are (including your friends'email addresses), what posts you're reading and writing, and so on. They'll also get a list of which images you're viewing, even though the actual image download comes directly from the source.

Lincoln also discusses Flickr, Yahoo mail, IMAP/POP3, and data collected for Exchange ActiveSync and RSS feeds. In fact, every nine minutes his phone sends detailed descriptions of the home screen configuration -- including shortcuts and widgets. “There is literally no reason I can think of that I would want my phone to check in with Motorola every nine minutes to see if Motorola has any new instructions for it to execute,” he added.

If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?

Do you recall the privacy storm surrounding Carrier IQ after researcher Trevor Eckhart discovered it was secretly logging keystrokes and location information without notifying users as well as capturing passwords in clear text? After “Motorola cell phones are regularly phoning home” hit Hacker News, another person also tested a Motorola Photon 4G and claimed to have obtained similar results. It seems likely that other people will test their Motorola phones and a list of affected phones will emerge.

Details about Motoblur, its privacy policy, and how Motorola is tracking users’ activities made some waves last year. Motoblur is used to push updates; it “is currently on Electrify/Photon 4G, Atrix 4G, Atrix HD, CLIQ/DEXT, Backflip, Devour, Flipout, Charm, Spice, Droid Pro, Filpside, DEFY, DEFY+, Bravo, Droid X, Droid 3, Droid 2, Droid Bionic, and Droid RAZR. The version found on the Droid X, Droid Pro, Droid 2, Droid Bionic, Droid 3, Electrify/Photon 4G, and DEFY is intended to be less intrusive than previous versions.”

Lincoln clarified that "the Droid X2 does not use Motorola's 'Blur'/'MotoBlur user interface," which is one reason he picked that model. However his research indicates, "they've all been modified to silently send data to and/or through the Blur web-service back-end.” He added, “There's no indication to the user that this is the case unless they do the sort of network capture that I did. There is no prompt to create or use a Blur user ID - the phone uses a randomly-generated Blur account for all of the behind-the-scenes activity.” Please read his interesting and excellent write-up in full.

“I can think of many ways that Motorola, unethical employees of Motorola, or unauthorized third parties could misuse this enormous treasure trove of information," Lincoln wrote. "But the biggest question on my mind is this: now that it is known that Motorola is collecting this data, can it be subpoenaed in criminal or civil cases against owners of Motorola phones?”

Motorola has not officially responded to a request for comment. The company is probably hoping news about its new Moto X smartphone will drown out Lincoln’s discovery. Good luck with that, Motorola. You have a lot of consumers and we want answers.

No comments: