C.Martel
18th May 2023, 08:53 AM
“Qualcomm spies on smartphone users, sends personal data to Qualcomm,” German security firm Nitrokey warns
A manufacturer of ultra-secure smartphones claims that devices equipped with Qualcomm chips transmit user information without their knowledge.
NitroKey is a smartphone maker that prides itself on “providing the most secure phones on the planet”. To do this, the company’s engineers equip their devices with components identical to those of Google’s Pixel 7 Pro and adopt GrapheneOS, an operating system so secure that it is recommended by the greatest experts in cybersecurity. By studying the chips used by competing brands, the German manufacturer discovered a specificity of Qualcomm processors which could be the source of a major scandal international.
According to NitroKey researchers, “smartphones equipped with a Qualcomm processor secretly send data personal” to the company’s servers. Information communicated without the knowledge and therefore without the consent of the user. Worse still, it would not be possible to prevent these transmissions, because the latter would be done directly from the chip, which would make it possible to physically circumvent Android’s “settings and potential protection mechanisms “.
Contents hide
1 Qualcomm’s Snapdragon chips secretly send data to company’s servers
2 Put up against the wall, Qualcomm defends itself
Qualcomm’s Snapdragon chips secretly send data to company’s servers
The company tested a Sony Xperia XA2 running /e/, “an open-source Android-based operating system free of Google products and featuring its own web services.” This special configuration should, in theory, prevent him from being tracked. In practice, the first connection of the device is made with the servers of the Mountain View firm and data is also sent to Qualcomm, on a server registered under “Izat Cloud”. According to experts, absolutely all smartphones equipped with a chip from the American brand are affected.
While it is common knowledge that Apple and Google use their users’ data for marketing purposes, it is less clear why a chipset manufacturer like Qualcomm collects this information. The fact that Snapdragon chips are so popular, found in hundreds of millions of smartphones around the world, is even more alarming. According to NitroKey, Qualcomm chips equip 30% of Android devices.
To make matters worse, communications are not secure between “spied” smartphones and Qualcomm servers. On its site, the company explains that “packets are sent via the HTTP protocol and are not encrypted. Hackers, government agencies, network administrators, and other local or foreign telecommunications operators; anyone else on the network can easily monitor us by collecting this data, storing it and establishing a history from the unique identifier and the serial number of the telephone”.
Put up against the wall, Qualcomm defends itself
The researchers obviously turned to Qualcomm for more information about these suspicious transmissions. The representatives of the American company then confirmed to them that “this collection of data is in accordance with the Qualcomm Xtra Privacy Policy “. No one at NitroKey, which is a smartphone manufacturer, has ever heard of such a clause.
Xtra is an assisted GPS service that is supposed to improve the accuracy and responsiveness of smartphone geolocation services. Using its features involves give up a lot of personal information. Here is a full list:
unique identifier
chipset name
chipset serial number
XTRA software version
mobile phone country code
mobile network code to identify the country and the ISP
operating system type and version
brand and model of the device
time elapsed since last start of application processor and modem
list of software present on the device
IP adress
Those responsible for NitroKey point the finger at Qualcomm’s negligence in terms of the security of the transmission of this sensitive information. According to them, it does not matter whether this data collection is organized in collaboration with state agencies or for the purpose of improving the quality of service. The fact is that this data is not sent through secure protocols, which means that “traffic can be intercepted by dictators and other repressive governments, without even collaboration with Qualcomm being necessary”. The information provided by NitroKey suggests that there is potentially a serious violation of the GDPR applied in Europe. If they are proven, it may be the start of a long legal imbroglio for Qualcomm.
https://www.gearrice.com/update/qualcomm-is-secretly-spying-on-millions-of-android-smartphones/
A manufacturer of ultra-secure smartphones claims that devices equipped with Qualcomm chips transmit user information without their knowledge.
NitroKey is a smartphone maker that prides itself on “providing the most secure phones on the planet”. To do this, the company’s engineers equip their devices with components identical to those of Google’s Pixel 7 Pro and adopt GrapheneOS, an operating system so secure that it is recommended by the greatest experts in cybersecurity. By studying the chips used by competing brands, the German manufacturer discovered a specificity of Qualcomm processors which could be the source of a major scandal international.
According to NitroKey researchers, “smartphones equipped with a Qualcomm processor secretly send data personal” to the company’s servers. Information communicated without the knowledge and therefore without the consent of the user. Worse still, it would not be possible to prevent these transmissions, because the latter would be done directly from the chip, which would make it possible to physically circumvent Android’s “settings and potential protection mechanisms “.
Contents hide
1 Qualcomm’s Snapdragon chips secretly send data to company’s servers
2 Put up against the wall, Qualcomm defends itself
Qualcomm’s Snapdragon chips secretly send data to company’s servers
The company tested a Sony Xperia XA2 running /e/, “an open-source Android-based operating system free of Google products and featuring its own web services.” This special configuration should, in theory, prevent him from being tracked. In practice, the first connection of the device is made with the servers of the Mountain View firm and data is also sent to Qualcomm, on a server registered under “Izat Cloud”. According to experts, absolutely all smartphones equipped with a chip from the American brand are affected.
While it is common knowledge that Apple and Google use their users’ data for marketing purposes, it is less clear why a chipset manufacturer like Qualcomm collects this information. The fact that Snapdragon chips are so popular, found in hundreds of millions of smartphones around the world, is even more alarming. According to NitroKey, Qualcomm chips equip 30% of Android devices.
To make matters worse, communications are not secure between “spied” smartphones and Qualcomm servers. On its site, the company explains that “packets are sent via the HTTP protocol and are not encrypted. Hackers, government agencies, network administrators, and other local or foreign telecommunications operators; anyone else on the network can easily monitor us by collecting this data, storing it and establishing a history from the unique identifier and the serial number of the telephone”.
Put up against the wall, Qualcomm defends itself
The researchers obviously turned to Qualcomm for more information about these suspicious transmissions. The representatives of the American company then confirmed to them that “this collection of data is in accordance with the Qualcomm Xtra Privacy Policy “. No one at NitroKey, which is a smartphone manufacturer, has ever heard of such a clause.
Xtra is an assisted GPS service that is supposed to improve the accuracy and responsiveness of smartphone geolocation services. Using its features involves give up a lot of personal information. Here is a full list:
unique identifier
chipset name
chipset serial number
XTRA software version
mobile phone country code
mobile network code to identify the country and the ISP
operating system type and version
brand and model of the device
time elapsed since last start of application processor and modem
list of software present on the device
IP adress
Those responsible for NitroKey point the finger at Qualcomm’s negligence in terms of the security of the transmission of this sensitive information. According to them, it does not matter whether this data collection is organized in collaboration with state agencies or for the purpose of improving the quality of service. The fact is that this data is not sent through secure protocols, which means that “traffic can be intercepted by dictators and other repressive governments, without even collaboration with Qualcomm being necessary”. The information provided by NitroKey suggests that there is potentially a serious violation of the GDPR applied in Europe. If they are proven, it may be the start of a long legal imbroglio for Qualcomm.
https://www.gearrice.com/update/qualcomm-is-secretly-spying-on-millions-of-android-smartphones/