A security investigation has discovered that Qualcomm chip-enabled smartphones secretly send personal data to Qualcomm.
This data is sent without the consent of the user, without encryption, and even when using a free Android distribution from Google. This is possible because Qualcomm’s own chipset sends the data, bypassing any possible Android OS tweaks and protection mechanisms.
Strange connections to izatcloud.net
The researchers decided to test /e/OS, an open source version of Android without Google services, focused on privacy and designed to give you control over your data. /e/OS claims that it does not track you and does not sell your data.
They installed /e/OS on a Sony Xperia XA2 smartphone. After providing the WiFi password in the setup wizard, the router assigned the phone /e/OS without Google a local IP address and started generating traffic.
A few seconds later, the phone began to communicate with izatcloud.net, an unknown domain. A quick WHOIS lookup shows that the izatcloud.net domain belongs to a company called Qualcomm Technologies, Inc.
Qualcomm chips are currently used in about 30% of all Android devices. The test device with Android version /e/OS is a Sony Xperia XA2 with a Qualcomm Snapdragon 630 processor.
The packets are sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS. This means that anyone else on the network, including cyber criminals, government agencies, network administrators, telecom operators, local and foreign, can collect this data, store it and establish a history of records using the phone’s unique identifier and phone number. series that Qualcomm is sending to its mysteriously named Izat Cloud.
The researchers considered that this is against the General Data Protection Regulation (GDPR) for collecting user data without their consent and contacted Qualcomm’s General Counsel about the matter.
So it seems that that Izat Cloud we’ve never heard of is part of the XTRA Service which we have not heard of either. It sounds like Qualcomm likes to keep it a mystery, hence the name Izat Cloud and the XTRA Service.
Through these software applications, we may collect location data, unique identifiers (such as chipset serial number or international subscriber ID), data about applications installed and/or running on the device, configuration data such as the wireless make, model, and carrier, operating system and version data, software build data, and device performance data such as chipset performance, battery usage, and thermal data.
We may also obtain personal data from third-party sources, such as data brokers, social networks, other partners, or public sources.
- unique ID
- chipset name
- Chipset serial number
- XTRA software version
- Mobile country code
- Mobile network code (allows you to identify the country and wireless operator)
- OS type and version
- Device make and model
- Elapsed time since the last boot of the application processor and modem
- Device Software List
- IP adress
By the way, Qualcomm’s “XTRA Service” provides Assisted GPS (A-GPS) and helps provide precise satellite positions to a mobile device.
the silent connection
Qualcomm’s XTRA service is not part of /e/OS or Android, but runs directly from Qualcomm’s firmware, which they call AMSS.
What happens is that in addition to the user-facing operating system (Android, iOS) and the Linux kernel, the smartphone incorporates additional low-level firmware or blobware. This covert operating system operates on the broadband processor (modem) and manages real-time communication with cell towers.
During operation, the Covert Operating System (AMSS) has full control over the hardware, microphone and camera. The Linux kernel and the end-user operating system /e/OS run as slaves on top of the hidden AMSS operating system.
The consequences are that even with a device without Google we still do not have full control over our privacy and about what personally identifiable information (PII) is being shared because of this underlying closed source blobware that is sharing our private data.