You know the NSA is "listening," nabbing Verizon customers' cell phone metadata, but did you know that Motorola is listening too? A security engineer with a Motorola Droid X2 smartphone discovered that Motorola is silently slurping up personal info like passwords, GPS data from photos, email addresses, and usernames to name but a few. His phone is checking in with Motorola every nine minutes. Even worse, the data is often sent over an unencrypted HTTP channel. As a Slashdot comment stated, "The NSA would like to thank Motorola for their cooperation."
This all started when Ben Lincoln wrote about this new disturbing discovery on Beneath the Waves:
In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.
Motorola's software is "responsible for the personal and configuration data being sent to Motorola," Lincoln explained. In fact, Motorola is siphoning social networking account data and capturing usernames and passwords for Facebook, Twitter, YouTube, Picasa and Photobucket. After signing into Facebook or Twitter, Lincoln warns:
Most subsequent connectivity to both services (other than downloading images) is proxied through Motorola's system on the internet using unencrypted HTTP, so Motorola and anyone running a network capture can easily see who your friends/contacts are (including your friends'email addresses), what posts you're reading and writing, and so on. They'll also get a list of which images you're viewing, even though the actual image download comes directly from the source.
Lincoln also discusses Flickr, Yahoo mail, IMAP/POP3, and data collected for Exchange ActiveSync and RSS feeds. In fact, every nine minutes his phone sends detailed descriptions of the home screen configuration — including shortcuts and widgets. "There is literally no reason I can think of that I would want my phone to check in with Motorola every nine minutes to see if Motorola has any new instructions for it to execute," he added.
If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?
Sign up for Computerworld eNewsletters.