Sprint Faces Backlash For Adding MDM Software To Devices

itwbennett writes: On Wednesday, Sprint customer Johnny Kim discovered an in-store technician adding MDM software to his personal iPhone 6 without prior notice or permission. Kim took to Twitter with his complaint, sparking a heated conversation about privacy and protection. One expert who commented on the issue told CSO's Steve Ragan that 'it's possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.' But, as Ragan points out, 'even if that were true, it's against [Sprint's] written policy and such offerings are offered at the cost of privacy and control over the user's own devices.' (MDM here means "Mobile Device Management.")

Nice summary!

[Just+Some+Guy]

Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Re:Nice summary!

[HiThere]

Extremely helpful. I kept reading it as a misspelled Man (in) The Middle...and kept wondering what the D could actually stand for.

Sounds like I got the meaning correct, though.

Re:Nice summary!

[Sowelu]

I think you've forgotten how multidisciplinary Slashdot is. Hell if I've ever seen that acronym before.

Re:Nice summary!

[zlives]

Man in Da Middle

Re:Nice summary!

[mitgib]

Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.

Perhaps, but going the extra step to define it for this audience is like having to spell out STD in a porn workers forum.

Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story? Doing it at the end does make it seems as I am splitting hairs, which I am not, as long as the acronym was defined, I understand it.

Re:Nice summary!

[Just+Some+Guy]

I only knew what it was because a previous employer's IT department kept wanting to infect my phone with it.

Re:Nice summary!

[__aaclcg7560]

If you think Slashdot is journalism, you got issues to work out.

Re:Nice summary!

[Darinbob]

Huh? I still don't know what MDM is without following that link. We're a bunch of engineers and high tech people, here, unused to the low tech social media smart phone culture.

Re:Nice summary!

[bhcompy]

Yes, we're all mobile device acronym experts here.

Re:Nice summary!

[Opportunist]

To be fair, it's not far from what is considered journalism today.

I mean, the difference between copy/pasting from other places to aggregate stories isn't that far from copy/pasting press agency reports and cutting it so the ad fits on the page.

Re: Nice summary!

[SQLGuru]

Yeah....as I was reading the summary, I actually opened the link to the article (in a new tab) so that I could get a definition.......being as this is Slashdot, I was very surprised to see the definition of the term at the end of the summary (which is why I had opened the link).

Re:Nice summary!

[rsclient]

It's only common within a subset of the community.

I've been a Slashdot reader forever; I own a smartphone; I have been a professional programmer since before they even had smartphones. But until I joined a group that actually had to interact with MDM software (I do email sync; we need to interact with policy managers to support Exchange ActiveSync policies), I had never heard of MDM as an acronym.

Re:Nice summary!

[CanadianMacFan]

Proper writing period, not just journalism. When you introduce acronyms in technical manuals, letters, newspaper articles, or even webpages then the correct usage is to write out the term on the first usage followed by the acronym in parentheses immediately after. From then on one can use the acronym.

While it was nice to have the acronym defined it was weird to do so at the end because it would have made the summary easier to read instead of having the uncertainty while reading the summary and then finding it out.

As to not having to define it for this audience I would say that it's not common enough to warrant one. I'm fairly knowledgeable about the acronyms and didn't know what it was. I would say things such as MS (Microsoft) or IP (as in IP address) wouldn't need definitions but once you start going into a specific domain then it would be polite to add it even if it may be common to you.

Re: Nice summary!

That's something they teach in Editing 101, which you have to fail before becoming a Slashdot editor.

Re:Nice summary!

[mwehle]

I have been a professional programmer since before they even had smartphones.

Too funny! Now get off my lawn...

Re:Nice summary!

[shri]

And I thought it was some sort of MoDeM software which would enable you to use your phone as a modem. :)

Re:Nice summary!

[sumdumass]

Would that be std in, std out, or std err?

I mean i view a lot of porn so I should be qualified to understand but damned if I do.

Re: Nice summary!

[NoZart]

According to my universities "Women in IT" Group, it stands for "internet technologies" XD

Re:Nice summary!

[eionmac]

Concur.

I don't care how Sprint "sees it"

[U2xhc2hkb3QgU3Vja3M]

It's not their devices and they should not be installing software without the express permission of their owners.

Fight for your bitcoins!

Re:I don't care how Sprint "sees it"

[PmanAce]

If it was your device, why can't you root it legally?

Re:I don't care how Sprint "sees it"

[Holi]

Which is their stated policy. Personally I see this as some dissatisfied tech who planned on trying to access the phones later for pics and credit card numbers.

Re:I don't care how Sprint "sees it"

[PmanAce]

And why is it legal for some Android phones to be rooted then?

Re:I don't care how Sprint "sees it"

[__aaclcg7560]

I had a job interview at a multi-billion-dollar company a few years ago. The IT department wasn't allowed to license anti-virus or anti-spyware utilities because the software companies weren't in the multi-billion-dollar league, as any purchase from a smaller company would be seen as an "endorsement" by the larger company. (The hiring manager made it sound like the Prime Directive from Star Trek.) The IT techs spent all their time manually removing spyware and viruses from laptops. Unless the laptop got hosed, they weren't allowed to reimage the laptop. I turned down the job offer.

Re:I don't care how Sprint "sees it"

[Calydor]

Are you installing a program on another person's computer, without his knowledge and consent, that will allow you to at any time take control of that computer again without his knowledge and consent?

That is not legal. That is how botnets work.

Re:I don't care how Sprint "sees it"

[Darinbob]

If it's Sprint's phone, then Sprint should be the one paying for it.

Re:I don't care how Sprint "sees it"

[Opportunist]

The times of "I pay for it so I own it" are gone. Today you gotta be happy if only your device is owned by some corporation and you still may decide what you do with your body.

Just wait 'til implanted technology becomes available, then this is gone too.

Re:I don't care how Sprint "sees it"

[Opportunist]

Indeed, why can't you?

Re:I don't care how Sprint "sees it"

[Opportunist]

Sorry, but if you install software on my computer that allows you access to it without my explicit prior consent to this, rest assured that whether I just discontinue business with you or send my legal department after you depends only on whether or not you have a bigger legal department than me.

One thing is certain: You will not have me as a customer anymore.

Re:I don't care how Sprint "sees it"

[CanadianMacFan]

If the phone is part of a contract you are paying for the phone over a number of installments. Paying for a car by using a loan doesn't make it bank's.

The provider's terms don't make the phone theirs either. Just like signing up to an ISP doesn't make your computer belong to that ISP or by getting a license for your car doesn't make it belong to the government.

Re:I don't care how Sprint "sees it"

[PmanAce]

I never said it was legal on all Android devices.

Re:I don't care how Sprint "sees it"

[sumdumass]

Its not really the act of rooting that is the problem. It is the dmca anti circumvention law that makes circumvention as well as most collaboration and dissemination the problem.

Re:I don't care how Sprint "sees it"

[GerbilKor]

Personal (non DEP) devices can have Mobile Device Management installed on them. It is common for companies who let employees bring their own devices. The only difference is that DEP devices can do it automatically over the air rather than needing to go to a website or sign into an account to set it up. https://www.apple.com/business/dep/

Re:I don't care how Sprint "sees it"

[the_B0fh]

Who says you can't? Whether you have the technical means to do it or not is a different matter, but legality? No problems there.

Everyone is blaming Sprint

[Holi]

When Sprint has policies in place that actually forbid that action without a customer request. Isn't it more likely you have an unethical tech who is looking for future access to phones?

Re:Everyone is blaming Sprint

[Archangel+Michael]

Except, it is a Sprint owned MDM and domain.

Any sufficient level of incompetence is indistinguishable from Malice. Which is the more likely scenario, Incompetence or Malice? Knowing Sprint Techs, Incompetence is my initial guess.

Now, if it was something out of Corporate, I would assume Malice. Just because it usually takes evil to get to the top of such organizations.

Re:Everyone is blaming Sprint

[Holi]

I was claiming malice on the part of the tech hence the term unethical.

Re:Everyone is blaming Sprint

[gstoddart]

Here's the alternative: the technicians are so incompetent they don't know the meaning of individual steps and just do them by wrote, have no idea what the policy says, and don't give a fuck about your phone.

Essentially a malicious level of incompetence.

Re:Everyone is blaming Sprint

[sherr]

"Rote".

Sorry if I'm being a Nazi, I never know if someone just typo'd something or acutely used the wrong word, and if so if they would appreciate knowing the correct one or not.

Re:Everyone is blaming Sprint

[gstoddart]

Sir, I would love to commend you on reaching level 7 in your quest to be a full-fledged pedant.

And while your goal of offering enlightenment to others is commendable, I must caution you that pedantic behavior is, ultimately, a reward only to the one opting the exhibit the pedantry.

But, with great haste and alacrity I will endeavor to send my endorsement letter to the Counsel of Tedious Grammatical Endeavors. ;-)

Re:Everyone is blaming Sprint

[gstoddart]

You seem like you just need to learn to take criticism.

You seem like you just need to learn to spot humor.

Not according to TFA

[tomhath]

Isn't it more likely you have an unethical tech who is looking for future access to phones?

Reading the article (yea, I know) it seems Sprint gave him several different reasons why it was installed. None of which included rogue technician.

Re:Not according to TFA

[Holi]

Sprint support staff gave him several reasons. I took that to mean the call center jockeys. It does not seem like it was Sprint Corporate telling him that, it was more like barely trained support staff who probably don't even know what MDM is. We also know it was a tech who manually installed it so the whole pre-installed claptrap was obviously pulled out of someones ass. I would not be surprised if some tech was installing it on many phones knowing it would give him access at a later point. And no Sprint is not going to admit that until they absolutely have to.

Dumbphone FTW

Every time I want to upgrade to a smart phone I think back to the 1990s when I didn't have a cell phone. Then about issues like this.

Having a tiny portable phone in my pocket: $20.
Not having to treat it like a crotchety piece of IT equipment: priceless.

Great sentence structure, SprintCare!

[wardrich86]

"Did you not want to installed it? Let us know!"

Also - clearly he didn't fucking want it installed... Is it a new rule now that Customer Service just not read messages at all?

Re:Great sentence structure, SprintCare!

[Opportunist]

*after bashing techs head in*

Didn't want to get beaten up? Let me know!

Re:Great sentence structure, SprintCare!

[CanadianMacFan]

When did they start reading messages?

How to tell if you may have MDM

[plover]

On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.

Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.

Re: How to tell if you may have MDM

[thoromyr]

Nor do I. The iPhone settings has a search feature. Doing this finds it, which is under settings/general -- but it is still not there. I'm not sure if it is hidden due to a snafu or malicious intent...

Re: How to tell if you may have MDM

[Kozar_The_Malignant]

It's only visible if a profile has been installed.

Sprint clarifies the confusion

[zlives]

The technician misheard the customer, the customer said " i do NOT want to be ass fucked". the tech didn't hear the NOT.

Re:Sprint clarifies the confusion

The customer said "I DO NOT want that." The technician heard "I DONUT want that." Donuts are fucking tasty and hell yes everyone wants a donut, so of course he installed it.

Re:Additional "features"

[unimacs]

The only calls I've gotten on my personal iPhone that weren't from people I gave my number to were wrong numbers.

I don't understand ...

[gstoddart]

At what point was the technician handling his phone, and what was he doing with it?

Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

Re:I don't understand ...

[The-Ixian]

Don't you have to enter an iTunes password every time you go to install an app on an iPhone?

If so, then why would the user allow this app to be installed in the first place?

Re:I don't understand ...

[jittles]

At what point was the technician handling his phone, and what was he doing with it?

Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

Every time I've bought a device from the network provider, I make them hand me the box, still shrink wrapped. I can insert the SIM, if it doesn't come with one, tyvm. They never hesitate to just give me the box. Sometimes they need to scan barcodes off the back, but that's about the extent of it. Of course, certain devices come with vendor spyware already installed at the factory.

Re: I don't understand ...

[The-Ixian]

This show how much I know about iPhones.

Thanks for the explanation.

Re:I don't understand ...

[akgooseman]

I make them hand me the box, still shrink wrapped.

Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

Re:I don't understand ...

[GerbilKor]

That is correct for Apps. But a configuration profile can be downloaded from a website or sent by a mail server when you try to log in to it. The user would need to accept it and enter the devices passcode, but no Apple ID is needed. iPhone User Guide: iPhone in Business

Re:I don't understand ...

[jittles]

I make them hand me the box, still shrink wrapped.

Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

Yes but you can tell if it has been factory reset when you turn the iPhone on.

I'm pretty sure that's not the case

[Dunbal]

without prior notice or permission

I'm pretty sure it says they can do that in your contract. You remember your contract right? The one you signed to get service? What do you mean nobody reads those? You didn't read the contract you signed???

While I agree that pulling shenanigans like this is not something I want from the people who I hired to give me phone service, I'm willing to bet they are not acting outside the law.

Re:I'm pretty sure that's not the case

[gstoddart]

That's OK, I have an EULA on my phone which says you will not install any software without directly getting written permission, or I will give you an epic smackdown right there in the store.

I'm not acting outside the law either now.

Sorry, but this is stalling software which give them remote control of your phone without consulting you.

How's "computer fraud and abuse act" sound?

Re:I'm pretty sure that's not the case

[Opportunist]

This is why I love my country's consumer protection laws. Bits in consumer contracts that are "unusual" are not going to stick unless you explicitly point them out AND have the consumer sign that you did point out exactly this passage that is unusual.

And our judges tend to consider anything "unusual" that they're not used to. In other words ... well, you know how tech savvy the average judge is.

Re:I'm pretty sure that's not the case

[Dunbal]

The problem with your argument is that your EULA is imaginary, while their contract is real.

Re: I'm pretty sure that's not the case

[MorphOSX]

Actually, that's wrong. I work for a company that develops MDM software, and what you can do to a smartphone is incredibly limited, especially non-Samsung devices and iPhones.

Firstly, the iPhone can never be touched or targeted directly by an MDM server, it can only relay information through apple's Push Notification Services servers.

Secondly, Apple explicitly blocks any tool sets of access to contents of the device, including personal information. It is literally impossible to read that data on an iOS device. We never could. I can at most see a list of apps on the device and hardware details like Serial Numbers or IMEI data.

Thirdly, Apple explicitly blocks MDM software from leveraging Geolocation except under very specific circumstances. The only way to do this is by building an iOS app and registering it through Apple's Enterprise iOS developer program, which then generates private provisioning profiles and code-signs the apps to be trusted on the iOS device. No apps in the App Store are allowed to provide geolocation to third-party services without express end-user consent. Our product does offer the functionality, but in order to use it even under these circumstances, there has to be a signed app installed and opened on the device to authorize it. I cannot force it to be authorized.

Fourthly, on the android side, an app has to be installed, and configured and authorized on the device in order to bring the device into management. Geolocation is limited here, too.

Fifth, unless the device is registered to a company and enrolled in Apple's Device Enrollment Program, or is manually configured on a Mac using apple's configurator software, the level of restrictions and control is limited. Only corporate owned devices enrolled through those methods can be made to be "supervised" in order to allow additional restrictive features.

Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.

Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.

Re:I'm pretty sure that's not the case

[david_thornley]

I had a friend who, when he bought software, paid with a check that had a note on the back saying that endorsing the check means a warranty of (IIRC) 100 hours mean time to failure. He always made it clear that the check said that, and never had a problem. Not that he had the money to sue anyone....

Re: I'm pretty sure that's not the case

[bhiestand]

Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.

Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.

How does TeamViewer's mobile app fit in with that? I'm guessing different because the user has to agree to some sort of pop-up?

Just curious. I know they advertise some of that functionality, but I never got around to demoing it.

How to Check?

So, how can I check my Sprint iPhone 6s for such software?

Re:How to Check?

[sims+2]

How to tell if an iPhone, iPad, or iPod touch is supervised
https://support.apple.com/en-u...

It's Sprint's Now

Sprint recently changed to a "iPhone forever" lease plan where you lease the phone for $5 per month, plus additional undisclosed add-ons that make it actually $10 per month. But, you're leasing the phone. You don't ever own it.

They still offer you the option of buying the phone outright for ~$700 and no subsidy, if you want to "avoid paying them" the monthly lease rate.

Re:Additional "features"

[andymadigan]

I just got a new iPhone (in September) with a new number. No telemarketing calls at all. Of course, I bought the phone at the Apple store and use it on T-Mo. If you're getting calls, I'll bet it's not Apple that gave out the number.

Who Says It's A Sprint-Owned Domain?

[Dredd13]

I'm going to go ahead and throw up a red flag. I don't think this is a Sprint owned domain. I think it's meant to LOOK like one, but I don't think it IS one.

$ dig +short sprint.net ns
ns1-auth.sprintlink.net.
ns2-auth.sprintlink.net.
ns3-auth.sprintlink.net.
$ dig +short sprint.com ns
reston-ns1.telemail.net.
ns2-auth.sprintlink.net.
reston-ns3.telemail.net.
reston-ns2.telemail.net.
ns1-auth.sprintlink.net.
ns3-auth.sprintlink.net.

The places Sprint hosts their "well-known" domains looks remarkably like it's a legitimate place. "wabaw.net", however?

$ dig +short wabaw.net ns
ns6.domainmonger.com.
ns5.domainmonger.com.
ns7.domainmonger.com.
ns8.domainmonger.com.

I'm going to propose a theory that the WHOIS data shows Sprint so that - if someone gets caught and folks go looking for someone to vilify, Sprint is the unwitting victim. But - in reality - it's sitting in some domain-registration that nobody official at Sprint has ever heard of, and someone's been building a network of phones that they control via MDM.

Re:Who Says It's A Sprint-Owned Domain?

[BitZtream]

Then why have several sprint tech support personal been 'aware' of the software that is installed?

Do you freak out when you see the domain names that Google uses for lots of stuff that in no way look like 'google' domains, but are for a fact Google domains? Trace route to www.google.com ... I think you'll lose your shit based on this post.

Just because you don't understand the shitty logic they used to pick a domain name doesn't mean it was't them, or an outsourced service they use.

Re:Who Says It's A Sprint-Owned Domain?

[Dredd13]

That's not what I said. But you've constructed a wonderful strawman for yourself to knock down.

I said, let's recap:

- The domain servers they're using are not their normal domain servers and look nothing like them
- The domain registrar used for the MDM is not their normal registrar (and corporations don't generally have a bunch of parallel accounts for such things, they centralize)
- The service isn't hosted in their copious capacity but in a pair of anonymous AWS instances

As has been noted elsewhere in this thread, the tech support people in question are low-paid script-monkeys and probably don't even fully understand what the person is talking about.

Slashdot != Journalism

[sjbe]

Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story?

Slashdot isn't journalism. Slashdot is a debate forum that is kinda sorta vaguely topical. Nobody comes to slashdot for breaking news. They come to debate things and occasionally be informed with a viewpoint they might not have considered previously.

The MDM server is in Austria!

[Chmarr]

You have a good point:

$ host leon.webaw.net
leon.webaw.net has address 62.99.250.53

$ whois 62.99.250.53 ... snip...
netname: Schneid-GmbH
descr:
descr: Schneid GmbH
descr: Herbert Schneid
descr: PIRKA
descr: IPs statically assigned
country: AT

maxmind corroborates the information.

So... Sprint are putting control of your phone into the hands of someone in Austria. Nice going, guys!

Re:The MDM server is in Austria!

[Chmarr]

Oh dammit. Ignore. I typo'd the host name :(

Re:The MDM server is in Austria!

[Dredd13]

even worse. It's just a bunch of AWS servers....

$ host leon.wabaw.net
leon.wabaw.net is an alias for awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com.
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.213.59.154
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.191.121.98

Bets on if the account info for that AWS account is fake?

Buying direct?

[FrozenGeek]

Sounds like buying your mobile device directly from the manufacturer, such as Apple, might be preferable to buying it from the service provider (albeit having to front the full cost of the device). I'll have to consider that if/when I upgrade from my 4S.

Re:Additional "features"

[ShaunC]

I was finally talked into getting an iphone when it was time to upgrade. So far I don't have any problems with the phone itself... but one BIG noticeable difference is every few weeks after using my new phone I get random calls from phone scammers/telemarketers.

Did you install the LinkedIn app on that phone?

So? You can't do jack sh*t about it. (Arbitration)

[Fencepost]

It doesn't matter whether it goes against Sprint's published policies - there is precisely nothing that you can viably do about this kind of situation these days thanks to arbitration clauses.

You can't sue. You certainly can't start a class action suit based on all the customers this was done to. You can elect to go to arbitration over it, however if the arbitrator rules against you you're likely going to have to pay for all of Sprint's costs related to the arbitration - including whatever price tag they put on their lawyers' (yes, plural) time for responding to the case. And of course, if you win, you can probably get them to uninstall the software or perhaps let you out of your contract with no termination fee.

Re:Additional "features"

[andymadigan]

You're absolutely certain it was a Verizon store and not a "premium reseller" (which often use the Verizon branding)? And you're sure Verizon themselves don't sell your information?

Practically any company you've given your number to in the past 14 years might have decided to sell it to some scummy company, but it's extremely unlikely that it was Apple.

The various Apple license agreements are at http://www.apple.com/legal/ , I'd be interested to see what clause you think Apple has that would allow them to sell your phone number.

Re:Additional "features"

[the_B0fh]

Wow. To make up such nonsense. No wonder you had to post a AC.