Nitrokey, a security company, found that some smartphone models equipped with Snapdragon processors send users' personal data to Qualcomm, the manufacturer of chips for smartphones and others, in an unauthorized way. This data comes sent without the consent of the users and in unencrypted form, which means they can be easily intercepted and compromised.
UPDATE AT THE END OF THE ARTICLE
An ugly story that "throws mud" on Qualcomm: Snapdragon processors accused of sending data to the company without user consent
Experts noted that Qualcomm processors bypass the security settings and Android mechanisms, sending data even on assemblies without Google services. This anomalous behavior has been observed on a Sony Xperia XA2 smartphone, equipped with the open source operating system /e/ OS. During the test, the traffic generated by the device was monitored using the software Wireshark, a utility used to analyze network traffic. Experts noticed one right away request to android.clients.google.com, despite the fact that there was no Google app on the device. The device then sent a request to connection.ecloud.global, which the /e/ OS developers claim is a replacement for Google's server connection checker.
After extensive research, it has been found that the izatcloud.net belongs to Qualcomm Technologies, Inc. The data was sent via the protocol HTTP not sure, which makes them vulnerable to interception. In addition, experts have found that Qualcomm collects a fairly large amount of information: the unique device identifier, chipset name and serial number, XTRA software version, country code and mobile operator, the type and version of the operating system, the make and model of the gadget, the operating time of the processor and modem, the list of installed applications and the IP address. Furthermore, the company also determines the exact location of users, which could be a serious invasion of privacy.
Experts recommend tech-savvy users to block the Qualcomm XTRA service or to redirect traffic. This service, according to Qualcomm itself, acts as follows:
Through these software applications, we may collect location data, unique identifiers (such as a chipset serial number or international subscriber ID), data about applications installed and/or running on your device, configuration data such as make, model and wireless carrier , operating system and version data, software build data, and device performance data such as chipset performance, battery usage, and thermal data.
We may also obtain personal data from third party sources such as data brokers, social networks, other partners or public sources.
However, blocking the Qualcomm XTRA service may not be within the reach of all users, which means that many of us may be forced to remain exposed to this risk for some time. Qualcomm has already responded to the incident, claiming that data collection is legal and does not conflict with the company's privacy policy. However, users may be concerned about the amount of data being collected without their consent, which raises some questions about Qualcomm's privacy practices and the safeguards that should be in place to ensure user safety.
The risk of collecting personal data without users' consent is that this information could be used to unauthorized purposes, such as invasive marketing, the profiling of identification, surveillance and invasion of privacy. Also, if your data is not protected properly, it could be compromised by cyber criminals or other malicious actors. And this is the case since the protocol used is unencrypted (HTTP). In the future, we will know more about the problem of Qualcomm's Snapdragon processors accused of sending data to third parties.
SECURITY UPDATE TRAINING
Qualcomm's spokesperson decided to respond to the allegations:
The article is full of inaccuracies and appears to be motivated by the author's desire to sell his product. Qualcomm collects personal information only as permitted by applicable laws. As stated in the publicly available privacy policy (https://www.qualcomm.com/site/privacy/services), the Qualcomm technologies in question use non-personally identifiable and anonymous information. Qualcomm technologies use non-personal and anonymised technical data to enable device manufacturers to provide their customers with location-based applications and services that end users have come to expect from today's smartphones
