
Motorola cell phones are regularly phoning home - freejoe76
http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html?source=hn
======
adrinavarro
This seems related to Motorola's MOTOBLUR system:
[http://en.wikipedia.org/wiki/Motoblur](http://en.wikipedia.org/wiki/Motoblur)

In all fairness, it seems that the implementation uses a middle server (pretty
common in big companies where good engineering isn't a requirement) where log
in data is sent, is stored in the users' profile and where timelines and other
content is parsed before being sent back to the user's device, in a "dumb"
format that the BLUR system can understand.

Nokia has a bit of the same for their low-end phones (understandably) and
BlackBerry used to do much of the same. Yet, in those days, and in an Android
phone that can easily connect to social networks on its own, this seems like a
very unfortunate technical decision.

In other words: the official Gmail app, Twitter or Facebook apps are unlikely
to be "compromised".

~~~
skue
The article has been updated to point out that this model does not use the
MotoBlur interface. Apparently having (what looked like) a mostly stock
Android interface was an important buying consideration.

~~~
adrinavarro
I have my doubts. It never stated _when_ it sent the passwords. Maybe it
hasn't the UI overlay, but the social apps seem to be closely related to
MOTOBLUR.

------
antoncohen
I noticed that my Droid 4 running 4.1.2 was opening an XMPP connection to
Motorola servers a month ago. I was watching the logs trying to diagnose
another problem, and the XMPP connection happened to be failing at the time.
The XMPP connection is no longer failing.

    
    
        D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
        I/XMPPConnection(  772): Preparing to connect user XXXXXXXXXXX to service:
            jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
        E/PacketReader(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
        D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
        I/XMPPConnection(  772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
        W/System.err(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
        E/XMPPConnectionManager(  772): Failed to connect user 'XXXXXXXXXXX' to host 
            'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.:
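
As an added example (not code from the thread, the article or Motorola's software), here is a small parser for lines in that logcat "brief" format, `<level>/<tag>(<pid>): message`, that reports which process named which host. The two domain suffixes on the watchlist are taken from the hostnames quoted in this thread; the sample lines are constructed, modelled on the excerpt above, with one unrelated line added for contrast.

```python
import re
from collections import defaultdict

# Host suffixes this thread identifies as Motorola/Blur infrastructure.
WATCHLIST = ("blurdev.com", "svcmot.com")

# Constructed sample, modelled on the logcat excerpt above; the user IDs are
# masked and the ActivityManager/GTalkService lines are added for contrast.
SAMPLE_LOGCAT = """\
D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
I/XMPPConnection(  772): Preparing to connect user XXXXXXXXXXX to service: jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
I/ActivityManager(  507): Start proc com.android.email for service
E/PacketReader(  772): \tat org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
I/XMPPConnection(  772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
E/XMPPConnectionManager(  772): Failed to connect user 'XXXXXXXXXXX' to host 'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.
I/GTalkService(  901): connecting to mtalk.google.com:5228
"""

# logcat "brief" format: <level>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s?(.*)$")
# Any dotted name; the "host:" / "to host" wording varies, so we match broadly
# and filter against the watchlist afterwards (class names like
# org.jivesoftware.smack.PacketReader match here but are filtered out).
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def parse_logcat(text):
    """Yield (level, tag, pid, message) for every well-formed brief-format line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            level, tag, pid, msg = m.groups()
            yield level, tag.strip(), int(pid), msg


def watchlisted_hosts(message):
    """Return the hostnames in a message whose suffix is on the watchlist."""
    return sorted({h.lower() for h in HOST_RE.findall(message)
                   if h.lower().endswith(WATCHLIST)})


def find_phone_home(text):
    """Map pid -> {host: [tags]} for every line that names a watchlisted host,
    so a suspicious host can be tied back to the process that logged it."""
    hits = defaultdict(lambda: defaultdict(set))
    for _level, tag, pid, msg in parse_logcat(text):
        for host in watchlisted_hosts(msg):
            hits[pid][host].add(tag)
    return {pid: {h: sorted(t) for h, t in hosts.items()}
            for pid, hosts in hits.items()}


if __name__ == "__main__":
    for pid, hosts in find_phone_home(SAMPLE_LOGCAT).items():
        for host, tags in hosts.items():
            print(f"pid {pid} -> {host} (tags: {', '.join(tags)})")
```

The pid is the useful pivot: once you know which process (772 here) talks to the host, `ps` on the device or the `Start proc` lines elsewhere in the log tell you which package it is, which is the question this thread keeps circling back to.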

~~~
benedikt
What logs were these?

~~~
antoncohen
logcat:
[https://developer.android.com/tools/help/logcat.html](https://developer.android.com/tools/help/logcat.html)

apk to view them:
[https://play.google.com/store/apps/details?id=com.nolanlawso...](https://play.google.com/store/apps/details?id=com.nolanlawson.logcat&hl=en)

------
speeder
Since lots of this data is sent through not encrypted HTTP, this means that
NSA (and any other intelligence agency) can also get all this data...

Then people wonder about the "nothing to hide" argument: well, you might not,
but will everyone you know be bothered that you are sending their e-mails
around to intelligence agencies?

~~~
cmircea
What if you DO have something to hide? Company secrets can be very, very
valuable for someone.

~~~
javert
Use encryption all the time, and don't use any Microsoft products. All
companies that have valuable secrets should already have this policy in place.

~~~
soundgecko
_Any_ Microsoft product? They shouldn't use any Google product by the same
token.

Report: Android malware up 614% as smartphone scams go industrial
[http://www.theregister.co.uk/2013/06/26/android_malware_bloo...](http://www.theregister.co.uk/2013/06/26/android_malware_bloom_security_updates/)

From [http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats)

In at least four cases, Barksdale spied on minors' Google accounts without
their consent, according to a source close to the incidents. In an incident
this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped
into call logs from Google Voice, Google's Internet phone service, after the
boy refused to tell him the name of his new girlfriend, according to our
source. After accessing the kid's account to retrieve her name and phone
number, Barksdale then taunted the boy and threatened to call her.

In other cases involving teens of both sexes, Barksdale exhibited a similar
pattern of aggressively violating others' privacy, according to our source. He
accessed contact lists and chat transcripts, and in one case quoted from an IM
that he'd looked up behind the person's back. (He later apologized to one for
retrieving the information without her knowledge.) In another incident,
Barksdale unblocked himself from a Gtalk buddy list even though the teen in
question had taken steps to cut communications with the Google engineer.

~~~
javert
I completely agree. _If_ you want to keep something secret, _do not_ use
Google products.

I don't recommend taking the time, but if you were to trawl through all my
posts on Hacker News, you'd find that I've said this about Google several
times in the past, before the breaking of the NSA scandal.

~~~
cmpxchg8
I do not use Google products either, but you need to add more companies to
that. You can't use Facebook, or Yahoo products.

Funnily enough I stopped using Google products because they keep alienating me
with their decisions like the Real Names policy or killing Reader. Taking my
privacy back is an added bonus.

That also means no Android phone, although FirefoxOS phones look promising.

------
javert
Wait, am I understanding correctly that your Facebook password (for example)
is being shared with Motorola?

~~~
lawnchair_larry
Yes, they're taking all of your logins and passwords, including your Google
account, and their back end servers are even occasionally logging in with
them.

"Also interestingly, while testing Picasa and/or Youtube integration,
Motorola's methods of authenticating actually tripped Google's suspicious
activity alarm. Looking up the source IP in ARIN confirmed the connection was
coming from Motorola."

~~~
gnur
Only when you are using the motoblur versions of those packages. Setting up a
Google Account through the initial setup won't send the info to moto, setting
up any account in your stock-homescreen for widgets will send your information
to moto.

~~~
skue
Not true. The article has been updated to clarify that this model does not use
the MotoBlur interface. Apparently the code is still there, and still active.

------
dendory
If true, it's surprising that it took so long for someone to find this. Isn't
it trivial to check on what your phone is sending off if you use wifi with a
network scanner?

With that said I bet this is all for their social networking integration, some
engineer thinking it would be cool for them to aggregate all your social data
in the cloud, with no concept of the privacy implications.

~~~
lawnchair_larry
Apparently others have reported concerns as early as 2011:

[https://forums.motorola.com/posts/64e9971ab3](https://forums.motorola.com/posts/64e9971ab3)

Amazing that they've been doing it for so long.

~~~
ChrisAntaki
The phone from the OP article was released in June of 2011.

------
teeja
Why did it take someone 2 years to spot this????? Doesn't anybody care to
watch what's going in/out of their appliances any more?

Furthermore, if this report is true: why aren't there more tools out there so
that there are more eyes watching this stuff? Or is everyone just too busy
being "social" ??

~~~
antocv
Not a lot of people know how or have the time to setup sniffers for their
appliances and then go through the logs. Maybe like 0.001% can do that.

How would you sniff your device? WiFi and let your router do the thing? It
wouldn't be difficult for your phone to stop suspicious activity when WiFi or
VPN is turned on.

How do you sniff 3G? Can you sniff GPRS/GSM for any suspicious activity? Now
we're talking 0.000000001%.

~~~
antocv
Ahem, not to sound like a pessimist.

Android 4.x has vpn, so one way to sniff data is to setup openvpn and on your
server tcpdump or wireshark everything.

To sniff 3G/GSM I believe one would have to root their phone and sniff it
there as most people don't have 3G/GSM hardware. I don't know more about that,
perhaps it's as "easy" as rooting it and running tcpdump on the device and
saving to sd-card from some of its interfaces?

------
shenberg
Small nit to pick: IMSI + IMEI aren't enough to clone your phone - the SIM
card stores a shared secret used for challenge-response authentication with
the network, and the device (theoretically) can't read the secret, only send
the SIM a challenge and get the response to send to the network.
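
The exchange described above, as an added example that is not part of the thread and does not model any real SIM or network implementation. For a GSM-style SIM as the comment describes: the network sends a random challenge, the handset passes it to the SIM, the SIM answers from a secret it never exports, and the network checks the answer against its own copy. The A3/A8 stand-in (HMAC-SHA256 in place of COMP128 or Milenage), the subscriber values and the class names are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed subscriber data for the example: not a real IMSI, IMEI or Ki.
IMSI = "310410123456789"
IMEI = "352099001761481"
KI = bytes.fromhex("0123456789abcdeffedcba9876543210")


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8 algorithms (assumption: HMAC-SHA256, so the
    example runs anywhere). Returns (SRES, Kc): the 32-bit response sent to the
    network and the 64-bit ciphering key kept on the phone."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """The SIM card: publishes the IMSI, answers challenges, never exports Ki."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.__ki = ki  # name-mangled to model "the handset cannot read this"

    def run_gsm_algorithm(self, rand: bytes):
        # The only authentication interface the handset gets: RAND in, SRES/Kc out.
        return a3_a8(self.__ki, rand)


class ClonedSim:
    """What an attacker can build from IMSI + IMEI alone: the identity, no Ki.
    Without Ki it can only guess at a response."""

    def __init__(self, imsi: str):
        self.imsi = imsi

    def run_gsm_algorithm(self, rand: bytes):
        return os.urandom(4), os.urandom(8)


class Handset:
    """The phone: knows its IMEI and whatever the SIM will tell it."""

    def __init__(self, imei: str, sim):
        self.imei = imei
        self.sim = sim

    def answer(self, rand: bytes) -> bytes:
        sres, _kc = self.sim.run_gsm_algorithm(rand)
        return sres  # Kc stays on the phone for ciphering; only SRES goes out


class Network:
    """AuC/HLR side: holds its own copy of every subscriber's Ki, keyed by IMSI."""

    def __init__(self, subscribers: dict):
        self.subscribers = dict(subscribers)  # imsi -> ki

    def challenge(self) -> bytes:
        return os.urandom(16)  # 128-bit RAND

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self.subscribers.get(imsi)
        if ki is None:
            return False
        expected, _kc = a3_a8(ki, rand)
        return hmac.compare_digest(expected, sres)


def authenticate(network: Network, handset: Handset) -> bool:
    """One round of the exchange: RAND from the network, SRES back from the phone."""
    rand = network.challenge()   # network -> phone: RAND
    sres = handset.answer(rand)  # phone -> network: SRES (IMEI plays no part)
    return network.verify(handset.sim.imsi, rand, sres)


def demo():
    """Genuine SIM authenticates; a clone with the same IMSI and IMEI does not."""
    network = Network({IMSI: KI})
    genuine = Handset(IMEI, Sim(IMSI, KI))
    clone = Handset(IMEI, ClonedSim(IMSI))
    return authenticate(network, genuine), authenticate(network, clone)


if __name__ == "__main__":
    print("genuine: %s, clone: %s" % demo())
```

The example models the interface, not the strength of any particular A3/A8; whether Ki can be recovered from a given SIM depends on the algorithm it actually runs and is outside what the thread discusses. The next reply's point also stands: the phone in the article is a CDMA handset, where this SIM-based flow does not apply.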

~~~
doki_pen
The article is about a CDMA phone from Verizon.

------
qwerta
I thought this was well-known information. Motoblur always restores your
accounts with passwords after a factory reset. It is not even possible to start
the phone without logging in to your Motoblur account.

Anyway, Cyanogen solved the problem on my Defy.

------
smegel
Isn't that the whole point of the Blur service...it logs into all these social
services and combines them to produce a unified presentation? How else could
it work?

~~~
BHSPitMonkey
By using these services' APIs instead of holding onto your credentials?

~~~
gohrt
Yodlee, the worldwide banking network, happily stores millions of people's
BANK ACCOUNT passwords, with no interest in using a secure Auth API, and
nearly no one cares.

Why should Blur care about keeping your FB credentials private?

------
eliasmacpherson
I'm sure the servers that this data is stored on are completely locked down
from malicious employee access, are protected by a diligent legal department
from overzealous government access and above all completely safe from
malicious external threats. Oh and I bet the logging is water tight.

------
antitrust
Basically, I need to make all of my technological tools out of raw steel,
silicon and wood and then I'll be OK, but otherwise, somebody's monitoring me.
Right?

* sigh *

Well, if I must...

------
josephpmay
The author seems perplexed that Motorola is not collecting information from
Google or Gmail accounts. This is probably because they already have the
information: remember that Motorola is owned by Google.

~~~
jsnell
That theory makes no sense. This phone predates the Google purchase by over a
year (and there were probably other phones with the same software even
earlier). Also, Google has no plausible use at all for any of this data and
misusing it would have huge PR and legal risks. Certainly most of Motoblur got
trimmed out with the upgrade to 4.0, and from what I hear completely
eliminated with 4.1. Just didn't matter for this phone, since it got stuck on
2.3.

It's pure engineering incompetence from Motorola, not a nefarious way to
collect data.

~~~
ChrisAntaki
This phone predates the Google purchase by 2 months. It was released in June,
Google purchased Motorola Mobility in August.

~~~
jsnell
That's the date when Google announced that they were intending to buy
Motorola, but such an announcement is irrelevant. Until the deal closes, the
companies are legally obligated to continue behaving as if nothing has
changed. For example in this case there were anti-trust issues in at least
China and the US.

According to Wikipedia pages the dates were:

[http://en.wikipedia.org/wiki/Droid_X](http://en.wikipedia.org/wiki/Droid_X):
On May 19, 2011, Motorola released the Droid X2

[http://en.wikipedia.org/wiki/Motorola_Mobility#Acquisition_b...](http://en.wikipedia.org/wiki/Motorola_Mobility#Acquisition_by_Google):
The deal received subsequent approval from Chinese authorities and was
completed on May 22, 2012.

That's over a year, if barely.

~~~
ChrisAntaki
Good to know, though I'm sure the announcement came after much research into
Motorola Mobility.

------
eknkc
Account passwords?! WTF?

Just curious, were these devices manufactured before or after Google
acquisition?

~~~
ChrisAntaki
The phone in question (Droid X2) was released on June 19, 2011. Google
acquired Motorola Mobility on August 15, 2011.

------
msoad
This is unacceptable!

------
superuser2
Further evidence that no matter how "free" and "open" Android may be in
theory, manufacturer and carrier modifications make it no better (and in this
case worse) than the iPhone in practice.

------
mikelat
My next phone probably won't be a Motorola then.

Does anyone know if this is a part of the Android Kernel? If it is it means
they've modified the source code and they're obligated to share their changes.

~~~
tutysara
They can make changes in user space and in application space and not share the
source since only the kernel is GPL

------
chenster
Fuck you, Motorola. Why do you want my login and password information for??
Your EULA is nothing but a fraud. I smell lawsuit.

Wait, isn't Motorola owned by Google now???

------
andyhmltn
Is this not grounds for a major investigation? I'm not familiar with the law,
but I know that there's been a number of cases of people that added RATs to
their applications they created to monitor all traffic on that computer and
email them passwords.

That's pretty much the exact same thing. Although: 'Never attribute to malice
that which is adequately explained by stupidity.'

------
jorgecastillo
Motorola has never been one of my favorite cellphone brands but after this I
am never buying a Motorola phone.

------
yason
I've been wondering if there's any reason to actually keep the original OEM
modified operating system instead of replacing it with a vanilla Android
installation. I haven't found any but it seems that there are now compelling
reasons to _not keep_ it in any case.

------
tutysara
Question - Can I trust cyanogenmod binary? Compile the rom from source.
Question - Can I trust cyanogenmod source? ????, no idea, have to trust some
one. (Remembering an argument from GEB about uncertainty).

------
D9u
[from the article]

    
    
        *" I was using my personal phone at work to do some testing related to Microsoft Exchange ActiveSync. In order to monitor the traffic, I had configured my phone to proxy all HTTP and HTTPS traffic through Burp Suite Professional - an intercepting proxy that we use for penetration testing - so that I could easily view the contents of the ActiveSync communication.
    
        Looking through the proxy history, I saw frequent HTTP connections to ws-cloud112-blur.svcmot.com mixed in with the expected ActiveSync connections."*
    

Whoever said that this has nothing to do with ActiveSync; You are being
disingenuous.

------
ww520
What are some of the good tools on Android to monitor all network traffic
incoming or outgoing of the phone? Like a super sniffer app for TCP, SMS,
3G/4G data.

------
steven777400
This reminds me of the Nokia HTTPS proxy incident.

------
Mordor
Samsung must be rubbing their hands with glee :-)

~~~
lostlogin
No one except Apple and Samsung makes any money out of cell phones. The glee
started a while back. [http://tech.fortune.cnn.com/2013/05/07/apple-samsung-profits...](http://tech.fortune.cnn.com/2013/05/07/apple-samsung-profits-canaccord/)

------
drcube
Everyone should immediately install CyanogenMod upon booting up their Android
phone.

Spyware like this is depressingly universal among carriers.

------
D9u
I believe that the keyword here is "ActiveSync," which is another Microsoft
product.

Since I made a conscious effort (years ago) to remove all Microsoft products
from my life, ActiveSync is another app which I have never used.

Who needs it?

~~~
wfraser
Did you even read the article? It has nothing to do with EAS or Microsoft;
it's Motorola software siphoning pretty much _all_ the user's credentials off
to Motorola servers.

~~~
D9u
Yes, I did read the article in its entirety. Did you? The author mentions
ActiveSync more than once.

    
    
        *" What I am going to do as a result of this discovery
    
        As of 23 June 2013, I've removed my ActiveSync configuration from the phone, because I can't guarantee that proprietary corporate information isn't being funneled through Motorola's servers. I know that some information (like the name of our ActiveSync server, our domain name, and a few examples of our account-naming conventions) is, but I don't have time to exhaustively test to see what else is being sent their way, or to do that every time the phone updates its configuration.
        I've also deleted the IMAP configuration that connected to my personal email, and have installed K-9 Mail as a temporary workaround.
        I'm going to figure out how to root this phone and install a "clean" version of Android. That will mean I can't use ActiveSync (my employer doesn't allow rooted phones to connect), which means a major reason I use my phone will disappear, but better that than risk sending their data to Motorola.
        I'll assume that other manufacturers and carriers have their own equivalent of this - recall the Carrier IQ revelation from 2011."*
    
    

ActiveSync is not only used for "Exchange Server" connections.

Judging by your past comments, you are merely another Microsoft shill who
believes that they can do no wrong...

~~~
D9u
To beat a dead horse, regardless of the opinions of the mindless:

[from the article]

    
    
        *" I was quickly able to determine that the connections to Motorola were triggered every time I updated the ActiveSync configuration on my phone, and that the unencrypted HTTP traffic contained the following data:
    
        The DNS name of the ActiveSync server (only sent when the configuration is first created).
        The domain name and user ID I specified for authentication.
        The full email address of the account.
        The name of the connection.
    
        As I looked through more of the proxy history, I could see less-frequent connections in which larger chunks of data were sent - for example, a list of all the application shortcuts and widgets on my phone's home screen(s)."*
    
    

Would someone please illuminate me as to why my reference to ActiveSync is
alleged to be irrelevant to this conversation?
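
Once you have a cleartext capture of the kind antocv describes further up (OpenVPN to a box you control, tcpdump there) or a proxy history like the author's, the next step is to pull the requests apart and see exactly which fields went out. The following is an added example, not the article's code and not Motorola's actual protocol: the request to ws-cloud112-blur.svcmot.com is constructed, its path and parameter names are invented, and only the kinds of data (ActiveSync server name, domain, user ID, email address, connection name) follow the list quoted above. The watchlist suffixes come from the hostnames in this thread.

```python
import json
import re
from urllib.parse import parse_qs

# Host suffixes named in this thread as Motorola/Blur infrastructure.
WATCHLIST = ("svcmot.com", "blurdev.com")

# Parameter names that usually carry account details, plus email-shaped values.
SENSITIVE_KEY = re.compile(
    r"pass|pwd|secret|token|user|login|domain|server|host|email|imei|imsi", re.I)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: two cleartext requests as tcpdump -A or a proxy history
# would show them. The path and parameter names are invented for this example.
SAMPLE_REQUESTS = [
    "POST /blur/sync/accounts HTTP/1.1\r\n"
    "Host: ws-cloud112-blur.svcmot.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 93\r\n"
    "\r\n"
    "type=eas&server=mail.example.com&domain=EXAMPLE&user=jdoe"
    "&email=jdoe%40example.com&label=Work",
    "GET /weather?city=Seattle HTTP/1.1\r\n"
    "Host: api.weather.example\r\n"
    "\r\n",
]


def parse_request(raw: str):
    """Split one HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, target, headers, body


def extract_fields(target: str, headers: dict, body: str) -> dict:
    """Flatten query-string, form-encoded and flat-JSON parameters into one dict."""
    fields = {}
    _, _, query = target.partition("?")
    fields.update({k: v[0] for k, v in parse_qs(query).items()})
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            obj = json.loads(body)
        except ValueError:
            obj = {}
        if isinstance(obj, dict):
            fields.update({k: str(v) for k, v in obj.items()})
    elif body:
        fields.update({k: v[0] for k, v in parse_qs(body).items()})
    return fields


def audit(raw_requests):
    """Report each request to a watchlisted host and the sensitive fields it carried.
    Everything in the capture is cleartext by construction: if you can read it,
    so can anyone on the path."""
    findings = []
    for raw in raw_requests:
        method, target, headers, body = parse_request(raw)
        host = headers.get("host", "").lower()
        if not host.endswith(WATCHLIST):
            continue
        fields = extract_fields(target, headers, body)
        leaked = {k: v for k, v in fields.items()
                  if SENSITIVE_KEY.search(k) or EMAIL_VALUE.match(v)}
        findings.append({"host": host, "method": method,
                         "path": target.partition("?")[0], "leaked": leaked})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f['method']} {f['host']}{f['path']} leaked: {sorted(f['leaked'])}")
```

Running it over a real capture is where the argument in this sub-thread gets settled: the `Host` header says who receives the data, and the field list says what; whether the trigger was an ActiveSync, IMAP or Facebook configuration is visible in the parameters, not in the transport.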

~~~
bskap
The author originally noticed the snooping because he happened to be examining
the phone's traffic when the ActiveSync credentials were sent. If you actually
read the entire article, you'll notice that credentials were sent for
Exchange, Facebook, Twitter, Photobucket, Picasa, YouTube, IMAP, POP, Yahoo
Mail, and Flickr. Of those, the Microsoft and Yahoo services are the only ones
where passwords are NOT sent, meaning you leak less data using ActiveSync than
you do using IMAP.

~~~
D9u
So what is the name of the software which is sending the information, if it's
not ActiveSync?

~~~
jacalata
Motoblur.

