Qualcomm receives personal data from smartphones that secretly carry its chips

A security investigation has discovered that Qualcomm chip-enabled smartphones secretly send personal data to Qualcomm.

This data is sent without the consent of the user, without encryption, and even when using a free Android distribution from Google. This is possible because Qualcomm’s own chipset sends the data, bypassing any possible Android OS tweaks and protection mechanisms.

Strange connections to izatcloud.net

The researchers decided to test /e/OS, an open source version of Android without Google services, focused on privacy and designed to give you control over your data. /e/OS claims that it does not track you and does not sell your data.

They installed /e/OS on a Sony Xperia XA2 smartphone. After providing the WiFi password in the setup wizard, the router assigned the phone /e/OS without Google a local IP address and started generating traffic.

A few seconds later, the phone began to communicate with izatcloud.net, an unknown domain. A quick WHOIS lookup shows that the izatcloud.net domain belongs to a company called Qualcomm Technologies, Inc.

Qualcomm chips are currently used in about 30% of all Android devices. The test device with Android version /e/OS is a Sony Xperia XA2 with a Qualcomm Snapdragon 630 processor.

The packets are sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS. This means that anyone else on the network, including cyber criminals, government agencies, network administrators, telecom operators, local and foreign, can collect this data, store it and establish a history of records using the phone’s unique identifier and phone number. series that Qualcomm is sending to its mysteriously named Izat Cloud.

SEE ALSO  On Amazon, this is the best-selling Motorola mobile and, now, it is almost 100 euros cheaper

Qualcomm’s response

The researchers considered that this is against the General Data Protection Regulation (GDPR) for collecting user data without their consent and contacted Qualcomm’s General Counsel about the matter.

A few days later, Qualcomm replied that this data collection was in accordance with the Qualcomm Xtra privacy policy and shared a link to their XTRA service privacy policy.

So it seems that that Izat Cloud we’ve never heard of is part of the XTRA Service which we have not heard of either. It sounds like Qualcomm likes to keep it a mystery, hence the name Izat Cloud and the XTRA Service.

The privacy policy of the “XTRA Service” says the following:

Through these software applications, we may collect location data, unique identifiers (such as chipset serial number or international subscriber ID), data about applications installed and/or running on the device, configuration data such as the wireless make, model, and carrier, operating system and version data, software build data, and device performance data such as chipset performance, battery usage, and thermal data.

We may also obtain personal data from third-party sources, such as data brokers, social networks, other partners, or public sources.

After the investigation, Qualcomm updated the privacy policy and added that they also collect the IP address of the device. They have also added the information that they store this data for 90 days for “quality reasons”.

As a summary, here is a list of the data that Qualcomm can collect from your phone according to its privacy policy:

  • unique ID
  • chipset name
  • Chipset serial number
  • XTRA software version
  • Mobile country code
  • Mobile network code (allows you to identify the country and wireless operator)
  • OS type and version
  • Device make and model
  • Elapsed time since the last boot of the application processor and modem
  • Device Software List
  • IP adress
SEE ALSO  The design of the Samsung Galaxy A55 completely revealed in this video render: that chassis is reminiscent of the iPhone 15

By the way, Qualcomm’s “XTRA Service” provides Assisted GPS (A-GPS) and helps provide precise satellite positions to a mobile device.

the silent connection

Qualcomm’s XTRA service is not part of /e/OS or Android, but runs directly from Qualcomm’s firmware, which they call AMSS.

What happens is that in addition to the user-facing operating system (Android, iOS) and the Linux kernel, the smartphone incorporates additional low-level firmware or blobware. This covert operating system operates on the broadband processor (modem) and manages real-time communication with cell towers.

During operation, the Covert Operating System (AMSS) has full control over the hardware, microphone and camera. The Linux kernel and the end-user operating system /e/OS run as slaves on top of the hidden AMSS operating system.

The consequences are that even with a device without Google we still do not have full control over our privacy and about what personally identifiable information (PII) is being shared because of this underlying closed source blobware that is sharing our private data.