OFFICIAL SECURITY BLOG
July 5, 2013 | BY Jean Taggart
I was reading a fascinating blog entry by Ben Lincoln, a security professional, who in the course some security testing, stumbled onto some very troubling discoveries.
It would seem that a significant amount of his information is being sent by his older Motorola Droid x2 handset to an external server.
Some online sleuthing would indicate that it belongs to Motorola. This functionality isn’t apparent, and the standard Android components have been modified to perform this reporting in what can only be described as an opaque fashion. Even more troubling is that some of this information is sent “in clear”, as in not encrypted.
The whole post can be found here: http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html
I highly recommend reading it, even if it is on the technical side.
The implications are dire indeed. The handset is reporting a myriad of details on what the user is doing. Ben accurately points out that a determined attacker could breach the Motorola Blur servers, and access a trove of personal info for anyone using this model of handset, and presumably others as well. An unethical Motorola employee could also take advantage of his privileged access. This information would provide an incredibly granular timeline of usage of several digital services.
I have spoken about metadata previously here. As it is “data about data” without the actual content, it can very easily be taken out of context. This type of data can be made to tell any narrative, and it is why I find it so dangerous.
This functionality is reminiscent of the Carrier IQ fiasco. Even more alarming, is that this handset was chosen by its owner for what was believed to be a largely stock Android firmware. The sheer amount of information collected on this device and the fact that there is no option to disable this collection is very troubling. I am left to wonder how many other manufacturers have made these types of enhancements.