Motorola Is Listening

New submitter pbritt writes "Ben Lincoln was hooking up to Microsoft ActiveSync at work when he 'made an interesting discovery about the Android phone (a Motorola Droid X2) which [he] was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.' He found that photos, passwords, and even data about his home screen config were being sent regularly to Motorola's servers. He has screenshots showing much of the data transmission."

Don't you know...

[msauve]

The NSA would like to thank Motorola for their cooperation.

Re:Don't you know...

[Joce640k]

I think it might be this: https://en.wikipedia.org/wiki/Motoblur

Lots of phones/providers sync your personal data for you in case you lose your phone.

(And I'm sure there's an option somewhere to turn it off, although you never know with big corporations...)

Re:Don't you know...

[Joce640k]

Remember Apple sells me a device, Google sells me.

Riiiiight. Apple never spied on anybody.

Re:Don't you know...

[TheCarp]

Sigh.... they makes me more disappointed than mad, and reminds me of the phrase "The road to hell is paved with good intentions".

They want easy sync, they want it so they can restore user data and save people's bacon whose phone gets destroyed or lost. Awesome, great intention. However, http? No SSL? Come on guys! At LEAST encrypt the data in flight!

In reality, they should encrypt it at rest too, and have the user at least submit some sort of password or something so its not just.... gobs of juicy data waiting to be sniffed or scooped. Realistically this means everyone who had one of these phones, with few exceptions, have their data, out of their control, just waiting to be abused.

Re:Don't you know...

[Joce640k]

TFA has just been updated saying it's MotoBlur with an automatically created Blur ID - it doesn't even ask you to create an account any more

I guess that was Motorola's way of "removing" MotoBlur from phones - remove the account creation UI, generate the account secretly without any prompting.

Whatever, Motorola deserves to be bankrupted over this. If I was a class-action lawyer I'd be getting in touch with this guy right now.

Re:Don't you know...

[GNious]

Google doesn't sell "you".

Google sees an aggregate or approximation, that may-or-may-not describe you.

Re:Don't you know...

[AdamWill]

You could try reading the article.

It does appear to be part of Blur, yes.

Only the X2 was not sold as a phone with Blur, it does not have the obvious UI elements. And the author never explicitly signed up for the Blur service or created an account. The phone appears to have silently created a Blur account for him and proceeded to send a bunch of private information to the service, all without his knowledge or consent. How helpful.

Re:Don't you know...

[jythie]

The downside of making it easy to turn things off is that people do, and then something goes wrong, and then they complain the recovery did not work, and you point out it was disabled, and they claim they never disabled it, and then they tell all their friends how much your company has screwed them with your buggy device that mysteriously switched off the useful feature they never heard of but got pissed about not being there.

I agree it should be an option, but I can sympathize with companies not wanting to deal with that expletive. People who do stupid things rarely blame themselves, but they are happy to blame others loudly in public where it can hurt your brand.

Well done, Motorola

"A company that listens to its users"

Re:Well done, Motorola

[squiggleslash]

I don't see what the problem is. The information is comprised of basic GPS, microphone audio, and phone radio data that's very obviously being collected purely for debugging and diagnostic reasons. From the article*:

The phone collects the information, storing it in a file called "/media/.NSAquiredData" until it can be transmitted to the Motorola server at bmailvctms.gomoto.com, and comprises of the following:

* Number of dropped calls in the last 24 hours.
* Location data, sampled at 5am, 11am, and 6pm
* Location type of above (eg residential, business)
* If the location at 5am != 6pm, and 5am and 6pm are both residential locations, and 11am is a business, then:
- Whether 6pm is associated with a phone number that is frequently called but not marked "HOME", "FAMILY", or "WIFE"
- Whether a random, five minute, audio sample taken between 6pm and 6.30pm matches patterns marked "KISS", "WORD_LOVE", or "WHIP"
- Whether that audio sample contains both male and female voices, and whether, upon analysing a similar sample taken at 9.30pm, one voice matches but another voice does not.
* The date and time and location of any dropped calls
* The temperature of the phone at the time the calls were dropped
* The status of the humidity sensors at the time of any dropped calls

Seems perfectly reasonable to me.

* No, not that article, the other one.

Improved Customer Experience

[evil_aaronm]

It's all for "improved customer experience." If they know to whom you're talking, or what pictures you're taking, or what documents you're reading or writing, or where you are at any given moment, they can better tailor their services to fit your needs. I'm surprised this isn't patently obvious. /snark

Re:Improved Customer Experience

[NEDHead]

Patent? Did someone say Patent? What a great idea!

Sad, but also not surprising

[tomkost]

It seems every device, every internet service, basically every communication node that we use has been turned into something that is beyond George Orwell's worst nightmare. As long as there is continued complacency on the part of people using this technology, the invasion of privacy will continue to grow. This of course assumes that it could get much worse. The only options at this point are to stop or drastically reduce using these networks while we attempt to build our own.

Re:Sad, but also not surprising

[BitZtream]

So you've manually inspected the binaries from cyanogen to confirm that every release they make is 'safe'?

Instead of blindly trusting your manufacturer, you're blindly trusting a modder.

Not really sure why you think its different.

I blame the government

[93+Escort+Wagon]

I know, that sounds like the lead-in to a joke - but not this time.

In the US, anyway, Congress established quite some time ago that companies had more rights to our personal information than most of us would want them to have. So it's not surprising when we find out the NSA (or whoever) has carte blanche to our information - and also that Congress doesn't grok why we get upset about it.

Europeans ostensibly have much stronger protections in this regard; but it seems to me there's a lot of "wink, wink, nudge nudge" going on over there, and those "protections" are mainly in place so their officials can posture indignantly whenever news like this comes out. In practice I don't think there's much of a difference on either side of the Atlantic.

So what's the big deal about yet another large entity slurping our personal information? Whether they're public or private - according to the folks elected to represent us, we shouldn't be upset about it...

#1 reason to use Android

[erroneus]

You can RELOAD the device's OS with custom ROMs that don't do this crap. If it was discovered Apple does this (and who's to say they don't) what choice have you? And Windows phone? Don't even start.

Part of the reality of "security" is taking responsibility for your own. Security is not a product you can buy. It's not something that other people can do for you (because that's tyranny). It's a personal responsibility and it takes knowledge and understanding to do. Tough luck to all those people who have neither the inclination nor the ability to learn.

Re:#1 reason to use Android

[h4rr4r]

You can have a custom rom that is not rooted.
I do.

Why do people confuse these?

Re:#1 reason to use Android

[rtkluttz]

We only use rooted phones running Cyanogenmod 10.1 in our environment. We have a fleet of about 50 smart phones and all of them but about 4 are Google Galaxy Nexus phones. We don't consider anything that we don't control to be secure.

Re:#1 reason to use Android

[ebno-10db]

Part of the reality of "security" is taking responsibility for your own.

The only way to get real security and privacy with a cell phone is not to have one. A bonus is that implementation of that strategy requires no special technical knowledge.

Re:#1 reason to use Android

[someSnarkyBastard]

Your best bet for installing custom firmware is almost always going to be the current Google dev-phone (previously the Galaxy Nexus, currently the Nexus 4 IIRC) The phone is directly supported by Google and has an unlockable bootloader, no tricky hacks required.

Re:#1 reason to use Android

[gnasher719]

You can RELOAD the device's OS with custom ROMs that don't do this crap. If it was discovered Apple does this (and who's to say they don't) what choice have you? And Windows phone? Don't even start.

So there is a massive _actual_ privacy violation by Google (who owns Motorola and is 100% responsible for anything that happens under the name Motorola), and you complain about what-ifs with Apple and Microsoft?

Remember that Google's customers are the advertisers. Apple's customers are people buying Apple devices. I expect both Google and Apple to do what is good for their customers, even if it hurts others (like _you_ in the case of Google, and advertisers in the case of Apple).

Achievement Unlocked

[blincoln]

"An article you wrote for your personal website has appeared on the main page of both Slashdot and Hacker News, and you were not the submitter in either case."

I haven't logged onto this account in ages, but if anyone has any questions, I'd be happy to try to answer them.

Re:Achievement Unlocked

[blincoln]

In the absence of a better answer, I would go with the model I used for this testing:
Build a Linux system that acts as the sole gateway between your internal network and the internet (whatever means you are using to connect to the internet). Set it up with an intercepting proxy like Burp Suite or OWASP ZAP, and install the signing cert on your devices. Configure all of your devices to proxy HTTP and HTTPS traffic through that intercepting proxy. This will let you see nearly all HTTP and HTTPS traffic, and optionally to modify that traffic as it passes through.
That system can either just be a gateway for some other device (e.g. your wireless router), or you can set it up to perform the DHCP and other functions for the other devices on your network.
It would probably also be helpful to set it up as the DNS server so that if you end up needing to look at something that requires spoofing DNS, you're all set.

Mode 1 - for everyday use:
Use iptables to forward all traffic from the internal interface to the external interface.
Run network captures to see traffic patterns and anything that is unencrypted which is not going through the intercepting proxy.
When you see something interesting that is non-HTTPS (e.g. via a network capture) but is encrypted, temporarily switch to Mode 2, or if necessary (like it was in the case of the XMPP traffic here) selectively forward it (again, using iptables) to a custom MitM proxy.

Mode 2 - for special cases:
Run Mallory on the gateway instead of the regular iptables forward.
This is only for special cases because Mallory will impose a noticeable slowdown.

I'm working on a ground-up build doc for this type of system that will go into a lot more detail. It can be run in VirtualBox or another virtualization platform.

The only thing it may not do is the sandboxing requirement you listed, depending on what you're hoping for. It's also not super-straightforward (especially Mallory and any custom MitM stuff you need to do), but it's a lot easier than it used to be, especially since the intercepting HTTP/HTTPS proxy takes care of nearly all of the traffic these days.

Re:It is owned by Google

[swillden]

This is just Google collecting all of the worlds data, just like they said they were doing to do.

The Droid X2 was released on May 11, 2011. Google announced their intention to acquire Motorola Mobility on August 15, 2011, and completed the acquisition on May 22, 2012.

Re:How is this even legal?

[gstoddart]

How about this?

They've gone way beyond authorized access, and are collecting information they have no business accessing.

But somehow those EULAs magically give them the legal right to do anything they want to.

Numbers say they don't

[SuperKendall]

If it was discovered Apple does this (and who's to say they don't)

We know they don't because there are many hundreds of millions of people using Apple devices now, and lots of developers using network proxy monitoring tools in development that see all network traffic from the devices to boot.

Basically if Apple were doing this we would have known long ago, and there would be no shortage of people to shout about it continuously on Slashdot and elsewhere.

Why do they keep trying to "social " us?

[Bearhouse]

What is this crap, and why do they always get it wrong?

Yes, I do want to seamlessly sync my mail, sms and contacts across my devices.
Except none of the solutions proposed really do that well...
(Or maybe I'm not typical, having multiple PCs and mobile devices, including iOS and Android?)

Photos too? Hell, why not. Picasa from Google used to be OK...

But now, after the "success" of FB, it seems that you can't have simple sync solution anymore; everybody is pushing unwanted, privacy-leaking, "social" features down our throats.

Just please fucking stop!

Re:Why do they keep trying to "social " us?

5 of your friends read this post. Blink some time within the next 30 seconds to read what they think!

Re:Nonono, beware the evil chinese

[arth1]

These are not the droids you are looking for... Look at the Chinese! Look at the evil Chinese! They're spying on us!

Well, of course they are. But look at it this way:

When the Chinese spy on you, what can they do to you based on the data it gathers?
When the your own government spies on you, what can it do to you based on the data it gathers?

Somehow, I feel safer sending my data to the Chinese...

Does this use my monthly bandwidth?

[jdc]

I'm wondering if I get charged for this?

thanks, Obama!

[Thud457]

so I need a FOIA to restore my backup now?

blaming the government

[epine]

I watched a Bill Maher video yesterday in which a conservative politician who clearly believed that cleanliness (and short hair) is next to godliness claimed to believe in "adaptation" but not a certain fish story when confronted by a historically unelectable Canadian politician about whether he believed in antibiotic resistance (in which the evolution of the resistance trait was greatly accelerated by careless overuse).

I actually cut the guy some slack. There's no reason why he can't logically believe in the special theory of evolution (local adaptation) without necessarily believing in the general theory of evolution (the ascent of complexity from primordial origins). To believe in one without the other requires a larger than average mental judgement in between. Unfortunately, he lamely fell back on invoking the missing link. Bzzzzt. Thanks for playing.

Clearly he hasn't checked in with the Out of Africa theory lately, which was speculative until we began to read DNA in the early 1980s with all the proficiency of a clever three year old. Right now we're at about year two of a ten year post-graduate program in speed reading for lifeforms with facet eyes. Things have changed. If there were any region of the globe over the past 10,000 years (or 100,000 years) where the genetic lineage of any species of quadruped (Noah being the patron saint of charismatic megafauna) is constricted to a single breeding pair, we'll surely find it soon on the rising flood of sequence data. Dude groomed for rapture should be worrying about the missing crink, not the missing link.

I can't say I have a higher opinion of "blame the government". It's like blaming calcium for arthritis, on the grounds that sans calcium, arthritis as we know it would no longer exist. The problem here is that calcium is just the implementation. The specification is to have a load bearing structure nimble enough to evade and pursue (aka biosecurity). A large branch of the solution space descends from elbows and kneecaps.

One of the major functions of a large population is agreeing on the threat enough to achieve cohesion in the threat response. This is mirrored in the organism by how the fight/flight response is balanced on a knife edge, and how the hormones that prime this metabolic state also tamps down immune response. Guess what, libertarians, that's a centralized response.

You can discard the implementation (government as we know it), but you can't discard the specification. Unfortunately, contrary to the most vociferous howls, the problems are actually rooted in the specification, not the implementation.

Just like replacing an aging software system, while it's absolutely certain that the worst points of friction in the existing system will go away, new points of friction are extremely likely to take their place, unless you stumble upon the "silver bullet" solution paradigm (social media won't let you down). I tend to be fairly reluctant to stick up my hand when a surgeon promises to cure my arthritic knee by lopping off my leg and grafting on a tentacle to replace it. I worry that might bring with it new problems every bit as annoying as the previous problem.

The present state of the NSA and the legislation around it is pretty much an unbroken story since the end of the first world war. (The Germans did not invent Enigma on a fall afternoon in 1939.) I vaguely recall reading in the The Puzzle Palace (or something similar from the same era) that before the U.S. government passes a law preventing secret agencies from spying on American citizens there was already a secret law on the books exempted a certain no such agency from being beholden to any such future law.

Democracy it turns out is a lot like the human immune system. It shuts down on a dime in the presence of an acute threat, as defined by the pulsed secretion of some small gland. Once you get to the place where the small gland sees a lion in every box of Cracker Jack, democracy is reduced to vestigial status, until

Re:RTFA.

[SiChemist]

There are only two hard things in Computer Science: cache invalidation, naming things, and off-by-one errors.

Re:RTFA.

[icebike]

Of these three multibillion-dollar corporations, which one has a private jumbo jet for its executives:

1. ExxonMobil
2. Verizon
3. Oracle
4. Google

"Don't be evil"? My ass.

Probably the one that only hires people who know how to count.

That article is utter nonsense

[donutello]

The idfa feature has nothing to do with Apple tracking you. It has everything to do with *others* tracking you - or rather, limiting how others track you.

Prior to iOS6, third party apps would access your devices UDID and use it to track your device. There was no way for a user to disable or limit this. In iOS6, Apple shut that down and forced advertisers to use the idfa instead. The idfa is something you as a user can reset or turn off to limit how advertisers track you. The feature is a pure win for user privacy and anyone who claims otherwise is either a complete idiot or thinks his audience is.