“Qualcomm spies on smartphone users, sends personal data to Qualcomm,” German security firm Nitrokey warns
“During our security research, we found that smartphones with Qualcomm chips secretly send personal data to Qualcomm.”
In 2021, Edward Snowden, a former NSA whistleblower, issued a warning regarding national security. He said that “the greatest danger to national security has become the companies that claim to protect it.” In a cautionary tone, Snowden shed light on the potential vulnerabilities and privacy concerns surrounding the use of smartphones warning that our smartphones have become the most “the most dangerous item” we possess. Snowden added how today’s smartphones come with “hidden microphones.”
“The first thing I do when I get a new phone is take it apart. I don’t do this to satisfy a tinkerer’s urge, or out of political principle, but simply because it is unsafe to operate. Fixing the hardware, which is to say surgically removing the two or three tiny microphones hidden inside,” Snowden said.
Fast forward two years later, a German security firm Nitrokey is now warning all the users of Qualcomm smartphones. In a research article published on its website titled, “Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker,” the company said that Qualcomm chips were found to send private user information, including IP address, unique ID, and mobile country code, back to the U.S. chipmaker.
“During our security research, we found that smartphones with Qualcomm chips secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because of proprietary Qualcomm software which provides hardware support also sends the data. Affected smartphones are Sony Xperia XA2 and likely the Fairphone and many more Android phones which use popular Qualcomm chips.”
As part of its research, Nitrokey analyzed a Qualcomm-powered smartphone called Sony Xperia XA2 and found that the phone “sends private information to the chip maker Qualcomm.” The company added that the finding also “applies to other smartphones with a Qualcomm chip such as the Fairphone.”
The company proves that Qualcomm chips have a backdoor and are phoning home by testing a de-Googled Android phone that has been modified to not include any of Google’s proprietary (closed-source) apps or services. This process involves installing a custom ROM that replaces the standard Android software with an open-source Android that doesn’t come with any of Google’s apps.
Testing a de-Googled Android phone
In this test, Nitrokey used /e/OS, a de-Googled open-source version of Android “that is privacy-focused and designed to give you control over your data. /e/OS claims that they do not track you and don’t sell your data.”
Nitrokey later installed /e/OS on a Sony Xperia XA2, a Qualcomm-powered smartphone. “After installation, the phone boots into the /e/OS setup wizard. It requested us to turn on GPS location service, but we purposely left it off because we do not need it now,” Nitrokey explained.
Below is how the testing went.
After we provided our WiFi password in the setup wizard, the router assigned our /e/OS de-Googled phone a local IP address and it started generating traffic.
The first DNS requests we see:
[2022-05-12 22:36:34] android.clients.google.com [2022-05-12 22:36:34] connectivity.ecloud.global
Surprisingly, the deGoogled phone’s first connection is to google.com.
Then it connects to connectivity.ecloud.global which, according to /e/OS, replaces Android’s Google server connectivity check connectivitycheck.gstatic.com.
Two seconds later the phone started communicating with:
[2022-05-12 22:36:36] izatcloud.net
[2022-05-12 22:36:37] izatcloud.net
We are not aware of any company or service with the name izatcloud.net. Therefore we started searching through the /e/OS legal notice and privacy policy but found no mention of data sharing with the Izat Cloud. The /e/OS privacy policy clearly states “We do not share any individual information with anybody”. We then searched through the /e/OS source-code they make available on Gitlab and we were unable to find any references to the Izat Cloud.
With a quick WHOIS lookup, the Nitrokey team found that the izatcloud.net domain belongs to a company called Qualcomm Technologies, Inc.
“This is interesting. Qualcomm chips are currently being used in ca. 30% of all Android devices, including Samsung and also Apple smartphones. Our test device for the /e/OS deGoogled version of Android is a Sony Xperia XA2 with a Qualcomm Snapdragon 630 processor. So there we have a lead,” Nitrokey said.
Investigating this further, Nitrokey also found that “the packages are sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS. That means that anyone else on the network, including hackers, government agencies, network administrators, telecom operators, local and foreign can easily spy on us by collecting this data, store them, and establish a record history using the phone’s unique ID and serial number Qualcomm is sending over to their mysteriously called Izat Cloud,” the company said.
Nitrokey stated that the “data sharing with Qualcomm is not being mentioned in the terms of service from Sony (the device vendor) or Android or /e/OS either. Qualcomm does this without user consent.”
Below is a list of the data Nitrokey stated that Qualcomm may collect from your phone according to their privacy policy:
- Unique ID
- Chipset name
- Chipset serial number
- XTRA software version
- Mobile country code
- Mobile network code (allowing identification of country and wireless operator)
- Type of operating system and version
- Device make and model
- Time since the last boot of the application processor and modem
- List of the software on the device
- IP address
Meanwhile, Qualcomm is not alone. Nitrokey also accused Apple of spying on its users. The startup said that “both Apple and Android with their App Store and Google Play Store are spying on its paying customers.”
“The smartphone is a device we entrust with practically all of our secrets. After all, this is the most ubiquitous device we carry with us 24 hours per day. Both Apple and Android with their App Store and Google Play Store are spying on its paying customers.”
You can read the full article here.