Motorola cell phones are regularly phoning home

Motorola cell phones are regularly phoning home(beneaththewaves.net)

483 points by freejoe76 12 years ago | 112 comments

adrinavarro 12 years ago |

This seems related to Motorola's MOTOBLUR system: http://en.wikipedia.org/wiki/Motoblur

In all fairness, it seems that the implementation uses a middle server (pretty common in big companies where good engineering isn't a requirement) where log in data is sent, is stored in the users' profile and where timelines and other content is parsed before being sent back to the user's device, in a "dumb" format that the BLUR system can understand.

Nokia has a bit of the same for their low-end phones (understandably) and BlackBerry used to do much of the same. Yet, in those days, and in an Android phone that can easily connect to social networks on its own, this seems like a very unfortunate techncial decision.

In other words: the official Gmail app, Twitter or Facebook apps are unlikely to be "compromised".

speeder 12 years ago | |

A post now on HN from a forum argument of Jan 2012 has a employee stating that ALL motorola phones use Motoblur, except those hat are not Motoblur use a automatically created login for you instead... So it is still a bad thing...

EDIT: submission I am refering to: https://news.ycombinator.com/item?id=5975598

sivanmz 12 years ago | |

While the value of Motoblur has been questionable and the service is no longer a focus for Motorola, it makes sense to do this server side.

One connection that pushes aggregated social networking data saves the need for a multitude of apps constantly polling or keeping their own open commections to various services.

BlackBerry also provided similar services as part of their BIS plan. It would poll Gmail and Exchange servers from its own servers, and push compressed data to the device.

Also, remember that these services existed at a time of slow networks and devices and a lack of support for it from Google. At the present, it's becoming increasingly clear that only few companies have the expertise and trust to do this securely. Motorola is probably not one of them.

skue 12 years ago | |

The article has been updated to point out that this model does not use to MotoBlur interface. Apparently having (what looked like) a mostly stock Android interface was an important buying consideration.

adrinavarro 12 years ago | | |

I have my doubts. It never stated when it sent the passwords. Maybe it hasn't the UI overlay, but the social apps seem to be closely related to MOTOBLUR.

magicalist 12 years ago | |

Ah, thank you. This post was really confusing, having never really used a motorola phone. The post never actually specified how those passwords were being used, just what service they came from and what was being sent. For most of those apps there shouldn't be any (non-exploit) way to get your credentials out to then send them in the clear.

antoncohen 12 years ago |

I noticed that my Droid 4 running 4.1.2 was opening an XMPP connection to Motorola servers a month ago. I was watching the logs trying to diagnose another problem, and the XMPP connection happened to be failing at the time. The XMPP connection is no longer failing.

    D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
    I/XMPPConnection(  772): Preparing to connect user XXXXXXXXXXX to service:
        jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
    E/PacketReader(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
    D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
    I/XMPPConnection(  772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
    W/System.err(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
    E/XMPPConnectionManager(  772): Failed to connect user 'XXXXXXXXXXX' to host 
        'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.:

speeder 12 years ago |

Since lots of this data is sent through not encrypted HTTP, this means that NSA (and any other intelligence agency) can also get all this data...

Then people wonder the "nothing to hide" well, you might not, but will everyone you know be bothered you are sending their e-mails around to intelligence agencies?

lawnchair_larry 12 years ago | |

Who cares about the NSA when all of your logins and passwords are literally being stolen and are sitting on Motorola servers in plaintext. This is extremely egregious, and I'm expecting there will be some major fines from the FCC. How can they be this dumb?

I guess since Google bought them, this is their disaster now.

cmircea 12 years ago | |

What if you DO have something to hide? Company secrets can be very, very valuable for someone.

corresation 12 years ago | | |

This is where modern intelligence is going. We know that one of the most common targets of Chinese intelligence gathering now is industrial espionage -- stealing trade secrets. I hardly think China is alone in this, and if the NSA or anyone else can get a heads-up that advantages US firms against Chinese, Canadian, or EU firms, you can bet your ass that is going to be communicated to the necessary people.

From a "hacker" perspective, even metadata on the key employees of a corporation is incredibly valuable -- imagine knowing with what firms a company is communicating, giving inside lines of investment-impacting activities like acquisitions. This is enormously valuable stuff.

javert 12 years ago | | |

Use encryption all the time, and don't use any Microsoft products. All companies that have valuable secrets should already have this policy in place.

ealexhudson 12 years ago | |

Given Motorola are now owned by the same Google that participates in the PRISM programme (et al), I'm really not sure the encryption matters so much.

dserodio 12 years ago | | |

With unencrypted communication, any insecure Wifi network is enough to "leak" your information, it's much worse then "only" Google/NSA/etc having access to it.

speeder 12 years ago | | |

Good point, I had forgotten that.

jsz0 12 years ago | |

For most people the bigger threat is going to come from the wifi networks they connect to at work, school, coffee shops, etc. If I owned a Motorola SmartPhone I would stop using wifi on untrusted & semi-trusted networks immediately.

javert 12 years ago |

Wait, am I understanding correctly that your Facebook password (for example) is being shared with Motorola?

lawnchair_larry 12 years ago | |

Yes, they're taking all of your logins and passwords, including your Google account, and their back end servers are even occasionally logging in with them.

"Also interestingly, while testing Picasa and/or Youtube integration, Motorola's methods of authenticating actually tripped Google's suspicious activity alarm. Looking up the source IP in ARIN confirmed the connection was coming from Motorola."

bigiain 12 years ago | | |

That strikes me as curious - given that Google owns Motorola. I wonder if Facebook's "We detected a login into your account from an unrecognised device" thing gets triggered by this (and if not, is that because Motorola are for some reason attempting to log in to Picasa/YouTube with your credentials but not to Facebook, or whether Facebook are "filtering out" notifications from Motorola's ip addresses?).

gnur 12 years ago | | |

Only when you are using the motoblur versions of those packages. Setting up a Google Account through the initial setup won't send the info to moto, setting up any account in your stock-homescreen for widgets will send your information to moto.

mike-cardwell 12 years ago | |

Yes. Shared with, compromised by, whatever you want to call it.

bigiain 12 years ago | | |

Could we settle on "stolen"?

dendory 12 years ago |

If true, it's surprising that it took so long for someone to find this. Isn't it trivial to check on what your phone is sending off if you use wifi with a network scanner?

With that said I bet this is all for their social networking integration, some engineer thinking it would be cool for them to aggregate all your social data in the cloud, with no concept of the privacy implications.

lawnchair_larry 12 years ago | |

Apparently others have reported concerns as early as 2011:

https://forums.motorola.com/posts/64e9971ab3

Amazing that they've been doing it for so long.

oceanstone 12 years ago | | |

The phone from the OP article was released in June of 2011.

noselasd 12 years ago | |

One of the first things I did. I found HTC Desire always goes and grab http://xtra3.gpsonextra.net/xtra.bin on boot up. Couldn't find anything else "suspicious" though.

teeja 12 years ago |

Why did it take someone 2 years to spot this????? Doesn't anybody care to watch what's going in/out of their appliances any more?

Furthermore, if this report is true: why aren't there more tools out there so that there are more eyes watching this stuff? Or is everyone just too busy being "social" ??

antocv 12 years ago | |

Not a lot of people know how or have the time to setup sniffers for their appliances and then go through the logs. Maybe like 0.001% can do that.

How would you sniff your device? WiFi and let your router do the thing? It wouldnt be difficult for your phone to stop suspicious activity when WiFi or VPN is turned on.

How do you sniff 3G? Can you sniff GPRS/GSM for any suspicious activity? Now we're talking 0.000000001%.

antocv 12 years ago | | |

Ahem, not to sound like a pessimist.

Android 4.x has vpn, so one way to sniff data is to setup openvpn and on your server tcpdump or wireshark everything.

To sniff 3G/GSM I believe one would have to root their phone and sniff it there as most people dont have 3G/GSM hardware. I dont know more about that, perhaps its as "easy" as rooting it and running tcpdump on the device and saving to sd-card from some of its interfaces?

shenberg 12 years ago |

Small nit to pick: IMSI + IMEI aren't enough to clone your phone - the SIM card stores a shared secret used for challenge-response authentication with the network, and the device (theoretically) can't read the secret, only send the SIM a challenge and get the response to send to the network.

doki_pen 12 years ago | |

The article is about a CDMA phone from Verizon.

qwerta 12 years ago |

I thought this is well know information. Motoblur always restores your accounts with passwords after factory reset. It is not even possible to start phone without logging in to your Motoblur account.

Anyway Cyanogen solved problem on my Defy.

smegel 12 years ago |

Isn't that the whole point of the Blur service...it logs into all these social services and combines them to produce a unified presentation? How else could it work?

bdcravens 12 years ago | |

Via the APIs each social service provides. They'd need only an oAuth token provided via your authentication, NOT full credentials. Worst case scenario, store the credentials on the device and authentication against each provider. There's no reason to ever send those credentials to a third party like Motorola.

BHSPitMonkey 12 years ago | |

By using these services' APIs instead of holding onto your credentials?

gohrt 12 years ago | | |

Yodlee, the worldwide banking network, happily stores millions of people's BANK ACCOUNT passwords, with no interest in using a secure Auth API, and nearly no one cares.

Why should Blur care about keeping your FB credentials private?

magicalist 12 years ago | | |

I think the implication is that the aggregation is done server-side, so it needs your credentials there (not that that is a good idea or that sending credentials in the clear is not complete and utter incompetence).

Edit: upon closer reading, credentials were sent over a secure connection, but aggregated content was sent in the clear.

Pxtl 12 years ago | |

Now I'm wondering in winphone does this... Wp7 has a built in social network aggregator too.

jimbobimbo 12 years ago | | |

That aggregator uses OAuth everywhere.

eliasmacpherson 12 years ago |

I'm sure the servers that this data is stored on are completely locked down from malicious employee access, are protected by a diligent legal department from overzealous government access and above all completely safe from malicious external threats. Oh and I bet the logging is water tight.

antitrust 12 years ago |

Basically, I need to make all of my technological tools out of raw steel, silicon and wood and then I'll be OK, but otherwise, somebody's monitoring me. Right?

* sigh *

Well, if I must...

josephpmay 12 years ago |

The author seems perplexed that Motorola is not collecting information from Google or Gmail accounts. This is probably because they already have the information: remember that Motorola is owned by Google.

jsnell 12 years ago | |

That theory makes no sense. This phone predates the Google purchase by over a year (and there were probably other phones with the same software even earlier). Also, Google has no plausible use at all for any of this data and misusing it would have huge PR and legal risks. Certainly most of Motoblur got trimmed out with the upgrade to 4.0, and from what I hear completely eliminated with 4.1. Just didn't matter for this phone, since it got stuck on 2.3.

It's pure engineering incompetence from Motorola, not a nefarious way to collect data.

oceanstone 12 years ago | | |

This phone predates the Google purchase by 2 months. It was released in June, Google purchased Motorola Mobility in August.

eknkc 12 years ago |

Account passwords?! WTF?

Just curious, were these devices manufactured before or after Google acquisition?

oceanstone 12 years ago | |

The phone in question (Droid X2) was released on June 19, 2011. Google acquired Motorola Mobility on August 15, 2011.

msoad 12 years ago |

This is unacceptable!

superuser2 12 years ago |

Further evidence that no matter how "free" and "open" Android may be in theory, manufacturer and carrier modifications make it no better (and in this case worse) than the iPhone in practice.

mikelat 12 years ago |

My next phone probably won't be a Motorola then.

Does anyone know if this is a part of the Android Kernel? If it is it means they've modified the source code and they're obligated to share their changes.

tutysara 12 years ago | |

They can make changes in user space and in application space and not share the source since only the kernel is GPL

chenster 12 years ago |

Fuck you, Motorola. Why do you want my login and password information for?? Your EULA is nothing but a fraud. I smell lawsuit.

Wait, isn't Motorola owned by Google now???

andyhmltn 12 years ago |

Is this not grounds for a major investigation? I'm not familiar with the law, but I know that there's been a number of cases of people that added RATs to their applications they created to monitor all traffic on that computer and email them passwords.

That's pretty much the exact same thing. Although: 'Never attribute to malice that which is adequately explained by stupidity.'

jorgecastillo 12 years ago |

Motorola has never been one of my favorite cellphone brands but after this I am never buying a Motorola phone.

yason 12 years ago |

I've been wondering if there's any reason to actually keep the original OEM modified operating system instead of replacing it with a vanilla Android installation. I haven't found any but it seems that there are now compelling reasons to not keep it in any case.

tutysara 12 years ago |

Question - Can I trust cyanogenmod binary? Compile the rom from source. Question - Can I trust cyanogenmod source? ????, no idea, have to trust some one. (Remembering an argument from GEB about uncertainty).

D9u 12 years ago |

[from the article]

    *" I was using my personal phone at work to do some testing related to Microsoft Exchange ActiveSync. In order to monitor the traffic, I had configured my phone to proxy all HTTP and HTTPS traffic through Burp Suite Professional - an intercepting proxy that we use for penetration testing - so that I could easily view the contents of the ActiveSync communication.

    Looking through the proxy history, I saw frequent HTTP connections to ws-cloud112-blur.svcmot.com mixed in with the expected ActiveSync connections."*

Whoever said that this has nothing to do with ActiveSync; You are being disingenuous.

ww520 12 years ago |

What are some of the good tools on Android to monitor all network traffic incoming or outgoing of the phone? Like a super sniffer app for TCP, SMS, 3G/4G data.

steven777400 12 years ago |

This reminds me of the Nokia HTTPS proxy incident.

Mordor 12 years ago |

Samsung must be rubbing their hands with glee :-)

lostlogin 12 years ago | |

No one except Apple and Samsung make any money out of cell phones.The glee started a while back. http://tech.fortune.cnn.com/2013/05/07/apple-samsung-profits...

korethr 12 years ago | |

We can only hope that Samsung isn't doing something similar.

drcube 12 years ago |

Everyone should immediately install CyanogenMod upon booting up their Android phone.

Spyware like this is depressingly universal among carriers.

D9u 12 years ago |

I believe that the keyword here is "ActiveSync," which is another Microsoft product.

Since I made a conscious effort (years ago) to remove all Microsoft products from my life, ActiveSync is another app which I have never used.

Who needs it?

wfraser 12 years ago | |

Did you even read the article? It has nothing to do with EAS or Microsoft; it's Motorola software siphoning pretty much all the user's credentials off to Motorola servers.

D9u 12 years ago | | |

Yes, I did read the article in its entirety. Did you? The author mentions ActiveSync more than once.

    *" What I am going to do as a result of this discovery

    As of 23 June 2013, I've removed my ActiveSync configuration from the phone, because I can't guarantee that proprietary corporate information isn't being funneled through Motorola's servers. I know that some information (like the name of our ActiveSync server, our domain name, and a few examples of our account-naming conventions) is, but I don't have time to exhaustively test to see what else is being sent their way, or to do that every time the phone updates its configuration.
    I've also deleted the IMAP configuration that connected to my personal email, and have installed K-9 Mail as a temporary workaround.
    I'm going to figure out how to root this phone and install a "clean" version of Android. That will mean I can't use ActiveSync (my employer doesn't allow rooted phones to connect), which means a major reason I use my phone will disappear, but better that than risk sending their data to Motorola.
    I'll assume that other manufacturers and carriers have their own equivalent of this - recall the Carrier IQ revelation from 2011."*

ActiveSync is not only used for "Exchange Server" connections.

Judging by your past comments, you are merely another Microsoft shill who believes that they can do no wrong...

blur_myspace.apk blur_linkedin.apk blur_picasa.apk blur_orkut.apk blur_lastfm.apk blur_flickr.apk blur_youtube.apk blur_activesync.apk blur_email.apk blur_twitter.apk blur_skyrock.apk blur_facebook.apk blur_photobucket.apk blur_yahoo.apk