Forgot your password?
typodupeerror
Cellphones Privacy

Motorola Is Listening 287

Posted by Soulskill
from the knows-when-you've-been-bad-or-good-but-doesn't-bring-you-presents dept.
New submitter pbritt writes "Ben Lincoln was hooking up to Microsoft ActiveSync at work when he 'made an interesting discovery about the Android phone (a Motorola Droid X2) which [he] was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.' He found that photos, passwords, and even data about his home screen config were being sent regularly to Motorola's servers. He has screenshots showing much of the data transmission."
This discussion has been archived. No new comments can be posted.

Motorola Is Listening

Comments Filter:
  • by msauve (701917) on Tuesday July 02, 2013 @01:36PM (#44167959)
    The NSA would like to thank Motorola for their cooperation.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The NSA would like to thank Motorola .

      Motorola (cell) in now owned by Google. Shouldn't that be "...would like to thank Google"? Pretty much use to Google doing these kind of shenanigans but I can't help feel that on Slashdot we need to be careful about linking Google and Android to bad things. Only Apple does such things (except it doesn't...the GPS tracking frenzy was a lot of gnashing of teeth for nothing). Remember Apple sells me a device, Google sells me.

    • by erroneus (253617) on Tuesday July 02, 2013 @01:48PM (#44168125) Homepage

      You can RELOAD the device's OS with custom ROMs that don't do this crap. If it was discovered Apple does this (and who's to say they don't) what choice have you? And Windows phone? Don't even start.

      Part of the reality of "security" is taking responsibility for your own. Security is not a product you can buy. It's not something that other people can do for you (because that's tyranny). It's a personal responsibility and it takes knowledge and understanding to do. Tough luck to all those people who have neither the inclination nor the ability to learn.

      • by sir-gold (949031)

        You can't reload with a custom rom if the phone uses a signed bootloader (which motorola is notorious for doing), or in the case of the article's author, you are "banned" from doing so by your employer (his employer bans rooted phones from accessing active sync)

        • by h4rr4r (612664) on Tuesday July 02, 2013 @02:01PM (#44168319)

          You can have a custom rom that is not rooted.
          I do.

          Why do people confuse these?

          • by msauve (701917)
            People confuse unlocked bootloaders with rooted phones because they're closely related in practice. What's your excuse for calling software which can be loaded onto flash memory a "rom" (Read Only Memory)?
        • by rtkluttz (244325) on Tuesday July 02, 2013 @02:02PM (#44168331) Homepage

          We only use rooted phones running Cyanogenmod 10.1 in our environment. We have a fleet of about 50 smart phones and all of them but about 4 are Google Galaxy Nexus phones. We don't consider anything that we don't control to be secure.

          • Is that your recommended phone? If one were going to ditch an iPhone for something running Cyanogenmod today, which phone would you choose?

            • Re: (Score:3, Interesting)

              Your best bet for installing custom firmware is almost always going to be the current Google dev-phone (previously the Galaxy Nexus, currently the Nexus 4 IIRC) The phone is directly supported by Google and has an unlockable bootloader, no tricky hacks required.

              • Pedantic point: the Galaxy Nexus I got from Verizon did not come with an unlocked bootloader. It was trivial to unlock it, though. Perhaps you meant phones purchased directly from Google?

                Also, my reply to the parent's question of best ROM (there are limitless opinions about this, so this is nothing more than my own): JBSourcery ROM is my favorite, mainly because of JBSourcery Tools. There's nothing there you can't do with other ROMs... they just make it really easy to do things like drop in alternate ker

      • by Anonymous Coward

        Motorola signs/encrypts the kernel. This massively hampers any attempt to load a new ROM, because the kernel remains constant thereafter. Any low level API changes etc are impossible to support except in software at a much higher layer in the stack

      • by SuperKendall (25149) on Tuesday July 02, 2013 @02:06PM (#44168379)

        If it was discovered Apple does this (and who's to say they don't)

        We know they don't because there are many hundreds of millions of people using Apple devices now, and lots of developers using network proxy monitoring tools in development that see all network traffic from the devices to boot.

        Basically if Apple were doing this we would have known long ago, and there would be no shortage of people to shout about it continuously on Slashdot and elsewhere.

        • by h4rr4r (612664)

          Or it sends it to the store when you browse. Assuming that is all encrypted you would never know.

      • by ebno-10db (1459097) on Tuesday July 02, 2013 @03:05PM (#44169155)

        Part of the reality of "security" is taking responsibility for your own.

        The only way to get real security and privacy with a cell phone is not to have one. A bonus is that implementation of that strategy requires no special technical knowledge.

      • by gnasher719 (869701) on Tuesday July 02, 2013 @04:07PM (#44169845)

        You can RELOAD the device's OS with custom ROMs that don't do this crap. If it was discovered Apple does this (and who's to say they don't) what choice have you? And Windows phone? Don't even start.

        So there is a massive _actual_ privacy violation by Google (who owns Motorola and is 100% responsible for anything that happens under the name Motorola), and you complain about what-ifs with Apple and Microsoft?

        Remember that Google's customers are the advertisers. Apple's customers are people buying Apple devices. I expect both Google and Apple to do what is good for their customers, even if it hurts others (like _you_ in the case of Google, and advertisers in the case of Apple).

    • Re:Don't you know... (Score:5, Informative)

      by Joce640k (829181) on Tuesday July 02, 2013 @01:55PM (#44168227) Homepage

      I think it might be this: https://en.wikipedia.org/wiki/Motoblur [wikipedia.org]

      Lots of phones/providers sync your personal data for you in case you lose your phone.

      (And I'm sure there's an option somewhere to turn it off, although you never know with big corporations...)

      • by h4rr4r (612664)

        Yup. This is just that POS.

        Why anyone would want a phone like this I will never know.

        • Re:Don't you know... (Score:5, Interesting)

          by Joce640k (829181) on Tuesday July 02, 2013 @02:35PM (#44168775) Homepage

          TFA has just been updated saying it's MotoBlur with an automatically created Blur ID - it doesn't even ask you to create an account any more

          I guess that was Motorola's way of "removing" MotoBlur from phones - remove the account creation UI, generate the account secretly without any prompting.

          Whatever, Motorola deserves to be bankrupted over this. If I was a class-action lawyer I'd be getting in touch with this guy right now.

          • by Xest (935314)

            Well Google own Motorola now, are we sure this isn't just the Android Sync integration? If it is then it does ask you when you set the device up first time.

            You'll have to excuse me in suspecting that if the author of TFA didn't realise it was a sync tool that he also is inept enough to not realise he actually signed up to it when he first got the device.

      • by TheCarp (96830) <sjc&carpanet,net> on Tuesday July 02, 2013 @02:16PM (#44168505) Homepage

        Sigh.... they makes me more disappointed than mad, and reminds me of the phrase "The road to hell is paved with good intentions".

        They want easy sync, they want it so they can restore user data and save people's bacon whose phone gets destroyed or lost. Awesome, great intention. However, http? No SSL? Come on guys! At LEAST encrypt the data in flight!

        In reality, they should encrypt it at rest too, and have the user at least submit some sort of password or something so its not just.... gobs of juicy data waiting to be sniffed or scooped. Realistically this means everyone who had one of these phones, with few exceptions, have their data, out of their control, just waiting to be abused.

        • by blincoln (592401)

          I would be fine with what you're describing as an option, because that would mean I could turn it off. As far as I can tell, there is no way to truly disable this "feature" other than installing a different version of Android on the device. Maybe other Motorola phones have that option somewhere, but I am reasonably sure this one doesn't.

          • by jythie (914043) on Tuesday July 02, 2013 @04:00PM (#44169767)
            The downside of making it easy to turn things off is that people do, and then something goes wrong, and then they complain the recovery did not work, and you point out it was disabled, and they claim they never disabled it, and then they tell all their friends how much your company has screwed them with your buggy device that mysteriously switched off the useful feature they never heard of but got pissed about not being there.

            I agree it should be an option, but I can sympathize with companies not wanting to deal with that expletive. People who do stupid things rarely blame themselves, but they are happy to blame others loudly in public where it can hurt your brand.
        • It seems to me that the first form of abuse should be a user providing bogus data to moto. If it's HTTP, and the credentials to upload are available (unencrypted, so they should be), then this is a "service" ready to be abused.

          Time to send moto some seriously disturbing things that will skew the results of whatever research they're doing toward the odd and completely wrong.

      • by AdamWill (604569) on Tuesday July 02, 2013 @03:12PM (#44169239) Homepage

        You could try reading the article.

        It does appear to be part of Blur, yes.

        Only the X2 was not sold as a phone with Blur, it does not have the obvious UI elements. And the author never explicitly signed up for the Blur service or created an account. The phone appears to have silently created a Blur account for him and proceeded to send a bunch of private information to the service, all without his knowledge or consent. How helpful.

  • by Anonymous Coward on Tuesday July 02, 2013 @01:39PM (#44167993)

    "A company that listens to its users"

    • by squiggleslash (241428) on Tuesday July 02, 2013 @02:41PM (#44168853) Homepage Journal

      I don't see what the problem is. The information is comprised of basic GPS, microphone audio, and phone radio data that's very obviously being collected purely for debugging and diagnostic reasons. From the article*:

      The phone collects the information, storing it in a file called "/media/.NSAquiredData" until it can be transmitted to the Motorola server at bmailvctms.gomoto.com, and comprises of the following:

      * Number of dropped calls in the last 24 hours.
      * Location data, sampled at 5am, 11am, and 6pm
      * Location type of above (eg residential, business)
      * If the location at 5am != 6pm, and 5am and 6pm are both residential locations, and 11am is a business, then:
      - Whether 6pm is associated with a phone number that is frequently called but not marked "HOME", "FAMILY", or "WIFE"
      - Whether a random, five minute, audio sample taken between 6pm and 6.30pm matches patterns marked "KISS", "WORD_LOVE", or "WHIP"
      - Whether that audio sample contains both male and female voices, and whether, upon analysing a similar sample taken at 9.30pm, one voice matches but another voice does not.
      * The date and time and location of any dropped calls
      * The temperature of the phone at the time the calls were dropped
      * The status of the humidity sensors at the time of any dropped calls

      Seems perfectly reasonable to me.

      * No, not that article, the other one.

      • by pnutjam (523990)
        This is why I am so amused when people say your phone will be your wallet in the future.

        Who the hell trusts their phone company? Now I can add who trusts their phone manufacturer? Not that I really trust my bank that much either...
  • by evil_aaronm (671521) on Tuesday July 02, 2013 @01:39PM (#44167999)
    It's all for "improved customer experience." If they know to whom you're talking, or what pictures you're taking, or what documents you're reading or writing, or where you are at any given moment, they can better tailor their services to fit your needs. I'm surprised this isn't patently obvious. /snark
    • by NEDHead (1651195) on Tuesday July 02, 2013 @01:56PM (#44168247)

      Patent? Did someone say Patent? What a great idea!

    • If they know to whom you're talking, or what pictures you're taking, or what documents you're reading or writing, or where you are at any given moment

      Well, I'll be sure to give them something to look at. Since this is plain HTTP, technically I can send them anything if I know the right URLs. So they'll see me talking to the presidents of various countries (some friendly, some not), taking pictures of goatse, reading leaked classified documents, visiting motorolasucks.com, and visiting various locations around the north and south poles, North Korea, and Motorola HQ.

      Mix in enough chaff and it's harder to separate the real data. Too bad the article doesn't

      • by dissy (172727)

        Too bad the article doesn't list the URLs

        Yea, shame. The article only lists a bunch of thingies that all start with: ws-cloud112-blur.svcmot.com:443/blur-services-1.0/ws/

        Too bad that isn't a URL :(

  • by tomkost (944194) on Tuesday July 02, 2013 @01:39PM (#44168007)
    It seems every device, every internet service, basically every communication node that we use has been turned into something that is beyond George Orwell's worst nightmare. As long as there is continued complacency on the part of people using this technology, the invasion of privacy will continue to grow. This of course assumes that it could get much worse. The only options at this point are to stop or drastically reduce using these networks while we attempt to build our own.
    • Re: (Score:3, Insightful)

      by Lumpy (12016)

      "It seems every device, every internet service, basically every communication node that we use has been turned into something that is beyond George Orwell's worst nightmare."

      Yes, if you use commercial easy to use toasters like a phone with stock android, iOS, Windows, OSX, etc on it... You are correct.

      If you want privacy and control. Run linix or one of the hacked and cleaned Android releases.

  • by jader3rd (2222716)
    This is just Google collecting all of the worlds data, just like they said they were doing to do.
    • by swillden (191260) <shawn-ds@willden.org> on Tuesday July 02, 2013 @01:55PM (#44168221) Homepage Journal

      This is just Google collecting all of the worlds data, just like they said they were doing to do.

      The Droid X2 was released on May 11, 2011. Google announced their intention to acquire Motorola Mobility on August 15, 2011, and completed the acquisition on May 22, 2012.

      • This is just Google collecting all of the worlds data, just like they said they were doing to do.

        The Droid X2 was released on May 11, 2011. Google announced their intention to acquire Motorola Mobility on August 15, 2011, and completed the acquisition on May 22, 2012.

        The Droid X2 runs Android which is made by Google. Any servers Motorola runs today are most likely managed by Google now.

  • Motorola's future press release will contain something along the line of "It was mistake!?"
  • by 93 Escort Wagon (326346) on Tuesday July 02, 2013 @01:42PM (#44168047)

    I know, that sounds like the lead-in to a joke - but not this time.

    In the US, anyway, Congress established quite some time ago that companies had more rights to our personal information than most of us would want them to have. So it's not surprising when we find out the NSA (or whoever) has carte blanche to our information - and also that Congress doesn't grok why we get upset about it.

    Europeans ostensibly have much stronger protections in this regard; but it seems to me there's a lot of "wink, wink, nudge nudge" going on over there, and those "protections" are mainly in place so their officials can posture indignantly whenever news like this comes out. In practice I don't think there's much of a difference on either side of the Atlantic.

    So what's the big deal about yet another large entity slurping our personal information? Whether they're public or private - according to the folks elected to represent us, we shouldn't be upset about it...

    • by rsborg (111459)

      Perhaps the government is to blame, but if I had a Moto phone, I could be liable for the security breach if I worked at a secure company location. If I were a responsible IT manager at one of those companies, I'd be pretty pissed about this.

      You can't sue the government for Motorola's ineptitude, but you can sue Motorola. I hope someone does just that, and slaps down this culture of snooping and ineptitude that could ruin careers and lives.

    • by dkleinsc (563838)

      and also that Congress doesn't grok why we get upset about it.

      Oh, Congress knows we're upset about it, and understands why we're upset, but about 3/4 of them don't care. There are a few major reasons for this:
      (1) The only major campaign donors who care about it support the surveillance. That means that doing the will of the people will incur a financial penalty and no financial gain.

      (2) Because both major parties basically agree that this kind of thing is at the very least not a problem, there's no threat of the other party fielding an effective candidate that will ca

    • We are correct to blame the government. It's the job of businesses to get away with as much as possible. It's the government's job to keep them in check. If they aren't doing their job we have a system in place to peacefully show them the door.

    • by epine (68316) on Tuesday July 02, 2013 @03:55PM (#44169727)

      I watched a Bill Maher video yesterday in which a conservative politician who clearly believed that cleanliness (and short hair) is next to godliness claimed to believe in "adaptation" but not a certain fish story when confronted by a historically unelectable Canadian politician about whether he believed in antibiotic resistance (in which the evolution of the resistance trait was greatly accelerated by careless overuse).

      I actually cut the guy some slack. There's no reason why he can't logically believe in the special theory of evolution (local adaptation) without necessarily believing in the general theory of evolution (the ascent of complexity from primordial origins). To believe in one without the other requires a larger than average mental judgement in between. Unfortunately, he lamely fell back on invoking the missing link. Bzzzzt. Thanks for playing.

      Clearly he hasn't checked in with the Out of Africa theory lately, which was speculative until we began to read DNA in the early 1980s with all the proficiency of a clever three year old. Right now we're at about year two of a ten year post-graduate program in speed reading for lifeforms with facet eyes. Things have changed. If there were any region of the globe over the past 10,000 years (or 100,000 years) where the genetic lineage of any species of quadruped (Noah being the patron saint of charismatic megafauna) is constricted to a single breeding pair, we'll surely find it soon on the rising flood of sequence data. Dude groomed for rapture should be worrying about the missing crink, not the missing link.

      I can't say I have a higher opinion of "blame the government". It's like blaming calcium for arthritis, on the grounds that sans calcium, arthritis as we know it would no longer exist. The problem here is that calcium is just the implementation. The specification is to have a load bearing structure nimble enough to evade and pursue (aka biosecurity). A large branch of the solution space descends from elbows and kneecaps.

      One of the major functions of a large population is agreeing on the threat enough to achieve cohesion in the threat response. This is mirrored in the organism by how the fight/flight response is balanced on a knife edge, and how the hormones that prime this metabolic state also tamps down immune response. Guess what, libertarians, that's a centralized response.

      You can discard the implementation (government as we know it), but you can't discard the specification. Unfortunately, contrary to the most vociferous howls, the problems are actually rooted in the specification, not the implementation.

      Just like replacing an aging software system, while it's absolutely certain that the worst points of friction in the existing system will go away, new points of friction are extremely likely to take their place, unless you stumble upon the "silver bullet" solution paradigm (social media won't let you down). I tend to be fairly reluctant to stick up my hand when a surgeon promises to cure my arthritic knee by lopping off my leg and grafting on a tentacle to replace it. I worry that might bring with it new problems every bit as annoying as the previous problem.

      The present state of the NSA and the legislation around it is pretty much an unbroken story since the end of the first world war. (The Germans did not invent Enigma on a fall afternoon in 1939.) I vaguely recall reading in the The Puzzle Palace (or something similar from the same era) that before the U.S. government passes a law preventing secret agencies from spying on American citizens there was already a secret law on the books exempted a certain no such agency from being beholden to any such future law.

      Democracy it turns out is a lot like the human immune system. It shuts down on a dime in the presence of an acute threat, as defined by the pulsed secretion of some small gland. Once you get to the place where the small gland sees a lion in every box of Cracker Jack, democracy is reduced to vestigial status, until

  • It's motoblur... (Score:2, Informative)

    by Anonymous Coward

    It's a server side social service from motorola,see http://en.wikipedia.org/wiki/Motoblur

    • by Tr3vin (1220548)
      It sure is. He says that it supposedly isn't and is basically stock Android, but after quickly looking at a review of the device it is running some form of Motoblur. It might not be as bad as other Motorola devices were but it is definitely not stock.
    • It's a server side social service from motorola,see http://en.wikipedia.org/wiki/Motoblur [wikipedia.org]

      Did you see the part of TFA where the user was given no indication that 'motoblur' was active, and the phone was using randomly generated 'motoblur' credentials because it had never even prompted him to create any?

      • by vux984 (928602)

        Its a "feature"

        From wikipedia:

        First generation Motoblur-based phones require a new user to create a Motoblur account, denying access to the main screen until the account is established. User account information is stored on Motorola's servers for access from web browsers and future phones. Newer devices allowed users to defer Blur services until a later registration

        Presumably, once you got around to making a motoblur account it would like to the "temporary one".

        Apparently it didn't occur to motorola that s

  • I'm sure they feel they can write anything they want in an EULA, but I can't see how this is legal.

    This is actively taking your data for their own purposes, and should be something with criminal penalties.

    And Google recently added terms to the permission for the Android keyboard update which wants more access to your personal information -- forcing me to conclude that any device you buy these days is actively working against you, and is best kept in airplane mode as much as possible.

    You don't own and contro

  • This is why you run stock android, or one you built yourself not some blur BS.

    • by gstoddart (321705)

      This is why you run stock android, or one you built yourself not some blur BS.

      Yeah, and then the only company you need to worry about not trusting is Google.

      Unfortunately, even on a stock Nexus tablet, Google pushes very hard to force you to use their stuff, and actually signed me up for a You Tube account when I launched the app, even though I don't want a You Tube account and never got asked.

      I'm pretty sure we're screwed no matter what we run these days.

  • Achievement Unlocked (Score:5, Informative)

    by blincoln (592401) on Tuesday July 02, 2013 @01:51PM (#44168163) Homepage Journal

    "An article you wrote for your personal website has appeared on the main page of both Slashdot and Hacker News, and you were not the submitter in either case."

    I haven't logged onto this account in ages, but if anyone has any questions, I'd be happy to try to answer them.

    • Re: (Score:2, Troll)

      Why don't pretty girls like me?
    • What is the most straightforward way to monitor, analyze, and sandbox attempted network activity on a per-device basis on all three major OSes?
      • by blincoln (592401) on Tuesday July 02, 2013 @02:38PM (#44168821) Homepage Journal

        In the absence of a better answer, I would go with the model I used for this testing:
        Build a Linux system that acts as the sole gateway between your internal network and the internet (whatever means you are using to connect to the internet). Set it up with an intercepting proxy like Burp Suite or OWASP ZAP, and install the signing cert on your devices. Configure all of your devices to proxy HTTP and HTTPS traffic through that intercepting proxy. This will let you see nearly all HTTP and HTTPS traffic, and optionally to modify that traffic as it passes through.
        That system can either just be a gateway for some other device (e.g. your wireless router), or you can set it up to perform the DHCP and other functions for the other devices on your network.
        It would probably also be helpful to set it up as the DNS server so that if you end up needing to look at something that requires spoofing DNS, you're all set.

        Mode 1 - for everyday use:
        Use iptables to forward all traffic from the internal interface to the external interface.
        Run network captures to see traffic patterns and anything that is unencrypted which is not going through the intercepting proxy.
        When you see something interesting that is non-HTTPS (e.g. via a network capture) but is encrypted, temporarily switch to Mode 2, or if necessary (like it was in the case of the XMPP traffic here) selectively forward it (again, using iptables) to a custom MitM proxy.

        Mode 2 - for special cases:
        Run Mallory on the gateway instead of the regular iptables forward.
        This is only for special cases because Mallory will impose a noticeable slowdown.

        I'm working on a ground-up build doc for this type of system that will go into a lot more detail. It can be run in VirtualBox or another virtualization platform.

        The only thing it may not do is the sandboxing requirement you listed, depending on what you're hoping for. It's also not super-straightforward (especially Mallory and any custom MitM stuff you need to do), but it's a lot easier than it used to be, especially since the intercepting HTTP/HTTPS proxy takes care of nearly all of the traffic these days.

    • What's your take on this thread on Hacker News where the commenter tried to cast complete blame on Microsoft for this? Is he right?

      https://news.ycombinator.com/item?id=5974130 [ycombinator.com]

  • So maybe Apple or Motorola or someone do have a copy of the infamous Rob Ford Smoking Crack video in their archives.

  • by Bearhouse (1034238) on Tuesday July 02, 2013 @02:08PM (#44168409)

    What is this crap, and why do they always get it wrong?

    Yes, I do want to seamlessly sync my mail, sms and contacts across my devices.
    Except none of the solutions proposed really do that well...
    (Or maybe I'm not typical, having multiple PCs and mobile devices, including iOS and Android?)

    Photos too? Hell, why not. Picasa from Google used to be OK...

    But now, after the "success" of FB, it seems that you can't have simple sync solution anymore; everybody is pushing unwanted, privacy-leaking, "social" features down our throats.

    Just please fucking stop!

    • Re: (Score:3, Funny)

      by Anonymous Coward

      5 of your friends read this post. Blink some time within the next 30 seconds to read what they think!

  • https://whispersystems.org/ [whispersystems.org]
    Moxie Marlinspike sends his regards.
  • The Burp Suite used by the investigator is a Java tool with a non-FOSS license [portswigger.net]. Blah.

  • by jdc (17517) on Tuesday July 02, 2013 @02:45PM (#44168907) Homepage Journal

    I'm wondering if I get charged for this?

  • by omnichad (1198475) on Tuesday July 02, 2013 @02:51PM (#44168965) Homepage

    It's a good thing that everyone's on unlimited data plans in the U.S.

  • If I was a criminal I'd be investing in HPT. Homing Pigeon Technology. Which the NSA will have to counter with trained hawk no doubt.

Swap read error. You lose your mind.

Working...