In all fairness, it seems that the implementation uses a middle server (pretty common in big companies where good engineering isn't a requirement) where log in data is sent, is stored in the users' profile and where timelines and other content is parsed before being sent back to the user's device, in a "dumb" format that the BLUR system can understand.
Nokia has a bit of the same for their low-end phones (understandably) and BlackBerry used to do much of the same. Yet, in those days, and in an Android phone that can easily connect to social networks on its own, this seems like a very unfortunate technical decision.
In other words: the official Gmail app, Twitter or Facebook apps are unlikely to be "compromised".
A post now on HN from a forum argument of Jan 2012 has an employee stating that ALL Motorola phones use Motoblur, except those that are not Motoblur use an automatically created login for you instead... So it is still a bad thing...
While the value of Motoblur has been questionable and the service is no longer a focus for Motorola, it makes sense to do this server side.
One connection that pushes aggregated social networking data saves the need for a multitude of apps constantly polling or keeping their own open connections to various services.
BlackBerry also provided similar services as part of their BIS plan. It would poll Gmail and Exchange servers from its own servers, and push compressed data to the device.
Also, remember that these services existed at a time of slow networks and devices and a lack of support for it from Google. At the present, it's becoming increasingly clear that only few companies have the expertise and trust to do this securely. Motorola is probably not one of them.
The article has been updated to point out that this model does not use the MotoBlur interface. Apparently having (what looked like) a mostly stock Android interface was an important buying consideration.
I have my doubts. It never stated when it sent the passwords. Maybe it doesn't have the UI overlay, but the social apps seem to be closely related to MOTOBLUR.
Ah, thank you. This post was really confusing, having never really used a motorola phone. The post never actually specified how those passwords were being used, just what service they came from and what was being sent. For most of those apps there shouldn't be any (non-exploit) way to get your credentials out to then send them in the clear.
I noticed that my Droid 4 running 4.1.2 was opening an XMPP connection to Motorola servers a month ago. I was watching the logs trying to diagnose another problem, and the XMPP connection happened to be failing at the time. The XMPP connection is no longer failing.
D/CheckinProvider( 507): insertEvents Process tag not allowed: XMPPConnection
I/XMPPConnection( 772): Preparing to connect user XXXXXXXXXXX to service: jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
E/PacketReader( 772): at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
D/CheckinProvider( 507): insertEvents Process tag not allowed: XMPPConnection
I/XMPPConnection( 772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
W/System.err( 772): at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
E/XMPPConnectionManager( 772): Failed to connect user 'XXXXXXXXXXX' to host 'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.:
I was bored so I downloaded the stock gingerbread image of the X2 and poked around the system a bit. It seems that the bulk of the code is in blur-services.apk.
edit: from looking at some of the code, it seems that all this stuff is mostly to provide social networking integration for MotoBlur, and probably not to steal your data. Although personally I'd be flashing Cyanogenmod pretty quickly :3
> it seems that all this stuff is mostly
> to provide social networking integration for MotoBlur
I'm not sure why you'd give them the benefit of the doubt. There's no way they built apps in 20 different flavors that consume ALL network traffic and redirect it to their servers, simply as an accidental rookie mistake.
I don't feel like buying into the idea that it was all consultants hired on short term by motorola, in a mad scramble to create an android platform and compete with the iPhone, working under a temporary contract with no accountability.
I don't even want to buy into the idea that maybe there was a large team of disinterested 9 to 5 corporate drones, with a middle manager who was a real dick with a middling paycheck as a mediocre incentive to produce high-quality work, who inspired nothing but apathy in his subordinates, and was too lazy, and too interested in fantasy football, to check their work for network security practices.
Capture ALLLL the traffic, and don't encrypt it? As an innocent mistake?
XMPPConnection and PacketReader are parts of the Smack XMPP library. If you're the curious type, you can adb into your phone and do a `ps` to correlate the PID that's generating these messages (772 here) with an apk. Then you can dump that apk and disassemble/decompile it (i.e. using apktool, dex2jar, and your favorite Java decompiler).
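The PID-to-APK correlation described in that comment, as an added example for this thread (not code from the article or from Motorola). The logcat excerpt is the one posted above; the `ps` listing is constructed, and the package names in it (`com.example.checkin`, `com.example.blur.service`, `com.example.other`) are placeholders rather than a real device's process table.

```python
"""Attribute logcat lines to the process (and so the APK) that wrote them."""
import re
from collections import defaultdict

# Logcat "brief" format: LEVEL/TAG( PID): message (excerpt posted in this thread)
LOGCAT = """\
D/CheckinProvider( 507): insertEvents Process tag not allowed: XMPPConnection
I/XMPPConnection( 772): Preparing to connect user XXXXXXXXXXX to service: jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
E/PacketReader( 772): at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
E/XMPPConnectionManager( 772): Failed to connect user 'XXXXXXXXXXX' to host 'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.:
"""

# Constructed `adb shell ps` output in the Gingerbread toolbox layout; NAME is the last column.
# Package names are placeholders, not what a real Motorola device shows.
PS = """\
USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
system   507   112   412344 61112 ffffffff 00000000 S com.example.checkin
app_42   772   112   398212 54220 ffffffff 00000000 S com.example.blur.service
app_77   1201  112   301000 30012 ffffffff 00000000 S com.example.other
"""

LOG_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s*(.*)$")


def parse_logcat(text):
    """Return (level, tag, pid, message) for every well-formed brief-format line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            level, tag, pid, msg = m.groups()
            out.append((level, tag.strip(), int(pid), msg))
    return out


def parse_ps(text):
    """Map PID -> process name. Android process names default to the package name."""
    pids = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 2 and cols[1].isdigit():
            pids[int(cols[1])] = cols[-1]
    return pids


def attribute(logcat_text, ps_text):
    """Group the log tags by owning process; PIDs absent from `ps` map to None."""
    pids = parse_ps(ps_text)
    by_proc = defaultdict(set)
    for _level, tag, pid, _msg in parse_logcat(logcat_text):
        by_proc[pids.get(pid)].add(tag)
    return dict(by_proc)


def pull_commands(package):
    """The adb/apktool steps to get the APK behind a process name onto your machine.
    If the app declared a custom android:process, map it back to its package first
    (e.g. via `dumpsys package`), since `pm path` wants the package name."""
    return [
        f"adb shell pm path {package}",
        f"adb pull $(adb shell pm path {package} | sed 's/^package://' | tr -d '\\r') {package}.apk",
        f"apktool d {package}.apk",
    ]


if __name__ == "__main__":
    for proc, tags in attribute(LOGCAT, PS).items():
        print(proc, sorted(tags))
        if proc:
            print("\n".join(pull_commands(proc)))
```

Note that PIDs are reused across reboots, so take the `ps` snapshot while the log lines are still being produced; the `tr -d '\r'` handles the CRLF that older `adb shell` versions emit.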
Since lots of this data is sent through unencrypted HTTP, this means that the NSA (and any other intelligence agency) can also get all this data...
Then people wonder about "nothing to hide"; well, you might not, but will everyone you know be bothered that you are sending their e-mails around to intelligence agencies?
Who cares about the NSA when all of your logins and passwords are literally being stolen and are sitting on Motorola servers in plaintext. This is extremely egregious, and I'm expecting there will be some major fines from the FCC. How can they be this dumb?
I guess since Google bought them, this is their disaster now.
I was responding to a comment about company secrets. I guarantee you a lot more information is being exfiltrated from large US companies via Windows than via Android, and since most businesses are built around Windows, it's a lot harder for them to do anything about it.
Show the proof or stop trolling. What can you guarantee exactly? OP links to an article with raw packet data. Surprised mods do not change title to Google. Stop talking out of your ass
How about the billions of dollars of intellectual property that has been stolen from American defense contractors? Do you think that is being stolen from their Windows desktops, or do you think it's being stolen from their cell phones?
The aggressive behavior and language you are using are not welcome or appreciated on Hacker News.
Also, you are coming across as a Microsoft astroturfer. If you are, you're going to be doing more harm to the MS brand than good.
Please note that shortly after I made the comment you are responding to, I made an additional comment clarifying why I suspected possible astroturfing.
Also, note that I'm not "anti-Microsoft." I'm making a facts-based argument that Windows is not suitable for business that need security.
To be clear, the reason I mention astroturfing is because xogouyne is one of at least two accounts that appear to have been created specifically to respond to that one instance of Microsoft bashing on my part, and he has no other comments.
This. We have a firewall in our company to stop things escaping as much as letting them in. There are so many things built into windows that phone home its scary. Even a VLK 7 with internal KMS has a good bash at trying to get out of the network. The problem is that it is virtually impossible to stop it without affecting users as everything goes over HTTP and pokes holes in windows' application level firewall.
Our shift to Java EE recently has resulted in us switching a few users to Ubuntu 12.04. Removing a couple of packages makes it 100% network silent, plus we can host an in-house mirror of packages.
Windows is going to end up inside virtualbox on a private virtual lan on the workstation if this works out.
I dread to think what nefarious code phones have in them if these are the problems we have with a desktop OS.
In at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.
In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others' privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he'd looked up behind the person's back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.
I completely agree. If you want to keep something secret, do not use Google products.
I don't recommend taking the time, but if you were to trawl through all my posts on Hacker News, you'd find that I've said this about Google several times in the past, before the breaking of the NSA scandal.
I do not use Google products either, but you need to add more companies to that. You can't use Facebook, or Yahoo products.
Funnily enough I stopped using Google products because they keep alienating me with their decisions like the Real Names policy or killing Reader. Taking my privacy back is an added bonus.
That also means no Android phone, although FirefoxOS phones look promising.
In light of the second article, I find it ridiculous that people are asserting they have an expectation of privacy in google communications when apparently random creepy engineers have access to that data! I'd at the very least expect strong internal lockouts on customer information, with keys limited to "need to know" people...
This is where modern intelligence is going. We know that one of the most common targets of Chinese intelligence gathering now is industrial espionage -- stealing trade secrets. I hardly think China is alone in this, and if the NSA or anyone else can get a heads-up that advantages US firms against Chinese, Canadian, or EU firms, you can bet your ass that is going to be communicated to the necessary people.
From a "hacker" perspective, even metadata on the key employees of a corporation is incredibly valuable -- imagine knowing with what firms a company is communicating, giving inside lines of investment-impacting activities like acquisitions. This is enormously valuable stuff.
> From a "hacker" perspective, even metadata on the key employees of a corporation is incredibly valuable -- imagine knowing with what firms a company is communicating, giving inside lines of investment-impacting activities like acquisitions. This is enormously valuable stuff.
When Boeing and McDonnell Douglas merged, executives from those companies would fly to different, distinct cities for negotiations and then drive several hours to the actual meeting location. In that case, just knowing that execs from those two firms were flying to the same city repeatedly would be more than enough to start merger rumors.
IIRC, ExxonMobil did the same when acquiring XTO. Exxon didn't want XTO's share price to skyrocket on rumors of an acquisition as it could've made the deal unprofitable.
> IIRC, ExxonMobil did the same when acquiring XTO. Exxon didn't want XTO's share price to skyrocket on rumors of an acquisition as it could've made the deal unprofitable.
That doesn't make sense. If shares rose on the merger rumor, Exxon could still offer a low price, since everyone knew XTO's price would collapse if the merge fell through.
During an acquisition the price on the shares of the acquirer goes down while the acquiree goes up. Since most mergers tend to be stock swaps rather than cash they would have to invest more shares than originally intended. If the merger falls through both would lose out as the acquirer would be seen as wasting a lot of money with nothing to show and the acquiree would be see as not so valuable.
With unencrypted communication, any insecure Wifi network is enough to "leak" your information; it's much worse than "only" Google/NSA/etc having access to it.
Whether your data is encrypted or not is really not relevant when the device's OS cannot be trusted. You can encrypt 'till the cows come home, but if the OS is stealing your data before you have a chance to encrypt it, your encryption is worthless.
I just want people to stop thinking that encryption is some magic bullet that will solve all communication trust issues.
It's not completely worthless - it's the difference between the targeted attacker having your data through the backdoor in your devices OS, and that attacker PLUS anyone on the unsecured wifi in the coffee shop having your data. Yes, it's a difference of degree, not kind; but it's still relevant.
For most people the bigger threat is going to come from the wifi networks they connect to at work, school, coffee shops, etc. If I owned a Motorola SmartPhone I would stop using wifi on untrusted & semi-trusted networks immediately.
Yes, they're taking all of your logins and passwords, including your Google account, and their back end servers are even occasionally logging in with them.
"Also interestingly, while testing Picasa and/or Youtube integration, Motorola's methods of authenticating actually tripped Google's suspicious activity alarm. Looking up the source IP in ARIN confirmed the connection was coming from Motorola."
That strikes me as curious - given that Google owns Motorola. I wonder if Facebook's "We detected a login into your account from an unrecognised device" thing gets triggered by this (and if not, is that because Motorola are for some reason attempting to log in to Picasa/YouTube with your credentials but not to Facebook, or whether Facebook are "filtering out" notifications from Motorola's ip addresses?).
Only when you are using the motoblur versions of those packages. Setting up a Google Account through the initial setup won't send the info to moto, setting up any account in your stock-homescreen for widgets will send your information to moto.
Not true. The article has been updated to clarify that this model does not use the MotoBlur interface. Apparently the code is still there, and still active.
If true, it's surprising that it took so long for someone to find this. Isn't it trivial to check on what your phone is sending off if you use wifi with a network scanner?
With that said I bet this is all for their social networking integration, some engineer thinking it would be cool for them to aggregate all your social data in the cloud, with no concept of the privacy implications.
One of the first things I did. I found HTC Desire always goes and grabs http://xtra3.gpsonextra.net/xtra.bin on boot up. Couldn't find anything else "suspicious" though.
Why did it take someone 2 years to spot this????? Doesn't anybody care to watch what's going in/out of their appliances any more?
Furthermore, if this report is true: why aren't there more tools out there so that there are more eyes watching this stuff? Or is everyone just too busy being "social" ??
Not a lot of people know how or have the time to setup sniffers for their appliances and then go through the logs. Maybe like 0.001% can do that.
How would you sniff your device? WiFi and let your router do the thing? It wouldn't be difficult for your phone to stop suspicious activity when WiFi or VPN is turned on.
How do you sniff 3G? Can you sniff GPRS/GSM for any suspicious activity? Now we're talking 0.000000001%.
Android 4.x has VPN, so one way to sniff data is to set up OpenVPN and on your server tcpdump or wireshark everything.
To sniff 3G/GSM I believe one would have to root their phone and sniff it there, as most people don't have 3G/GSM hardware. I don't know more about that; perhaps it's as "easy" as rooting it and running tcpdump on the device and saving to sd-card from some of its interfaces?
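Once the VPN-exit capture exists, the useful part is triaging it: which hosts the phone talks to in the clear, which of those the user never configured, and which of those receive uploads. Added example for this thread (not from the article); it assumes the capture was exported with `tshark -r phone.pcap -Y http.request -T fields -E separator=/t -e frame.time_epoch -e ip.dst -e tcp.dstport -e http.host -e http.request.method -e http.request.uri -e http.content_length`. The sample rows are constructed: the two hosts named in this thread are real, while the paths, the RFC 5737 addresses, `mail.example.com` and the expected-host list are placeholders.

```python
"""Triage a phone's plaintext HTTP requests captured at a VPN exit."""
import csv
import io
from collections import defaultdict

# Constructed tshark field export (tab separated); see the lead-in for the command shape.
CAPTURE = """\
1371981662.100\t192.0.2.10\t80\tws-cloud112-blur.svcmot.com\tPOST\t/sync\t1432
1371981662.400\t192.0.2.10\t80\tws-cloud112-blur.svcmot.com\tPOST\t/sync\t9120
1371981663.000\t198.51.100.7\t80\txtra3.gpsonextra.net\tGET\t/xtra.bin\t0
1371981665.200\t203.0.113.5\t80\tmail.example.com\tGET\t/Microsoft-Server-ActiveSync?Cmd=Ping\t0
1371981666.000\t192.0.2.10\t80\tws-cloud112-blur.svcmot.com\tGET\t/config\t0
"""

# Hosts the user knowingly configured on the phone (assumption for the example).
EXPECTED_HOSTS = {"mail.example.com"}

FIELDS = ["ts", "dst", "dport", "host", "method", "uri", "clen"]


def parse_capture(tsv):
    """Turn the tshark rows into dicts; rows with a different column count are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(tsv), delimiter="\t"):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, rec))
        row["ts"] = float(row["ts"])
        row["dport"] = int(row["dport"])
        row["clen"] = int(row["clen"] or 0)   # http.content_length is empty for bodiless requests
        rows.append(row)
    return rows


def triage(rows, expected_hosts):
    """Per host: request count, bytes uploaded in request bodies, paths seen, and a verdict.
    Everything tshark decoded as http.request was readable on the wire, i.e. plaintext."""
    per_host = defaultdict(lambda: {"requests": 0, "upload_bytes": 0, "paths": set(), "dst": set()})
    for r in rows:
        h = per_host[r["host"]]
        h["requests"] += 1
        h["dst"].add(r["dst"])
        h["paths"].add(r["uri"].split("?", 1)[0])
        if r["method"] in ("POST", "PUT"):
            h["upload_bytes"] += r["clen"]
    verdicts = {}
    for host, h in per_host.items():
        if host in expected_hosts:
            verdict = "expected"
        elif h["upload_bytes"] > 0:
            verdict = "exfil-candidate"   # plaintext uploads to a host the user never set up
        else:
            verdict = "review"            # unexpected host, downloads only (e.g. GPS assistance data)
        verdicts[host] = {"verdict": verdict, **h}
    return verdicts


def worst_first(verdicts):
    """Hosts ordered for manual review: exfil candidates first, biggest uploaders first."""
    rank = {"exfil-candidate": 0, "review": 1, "expected": 2}
    return sorted(verdicts, key=lambda h: (rank[verdicts[h]["verdict"]], -verdicts[h]["upload_bytes"]))


if __name__ == "__main__":
    v = triage(parse_capture(CAPTURE), EXPECTED_HOSTS)
    for host in worst_first(v):
        print(f"{v[host]['verdict']:16} {host:32} uploads={v[host]['upload_bytes']} paths={sorted(v[host]['paths'])}")
```

The verdicts are only a starting point: a host in the "review" bucket still deserves a look at what it serves, and an "exfil-candidate" needs the request bodies (from the pcap itself) to tell credentials from, say, a crash report.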
Small nit to pick: IMSI + IMEI aren't enough to clone your phone - the SIM card stores a shared secret used for challenge-response authentication with the network, and the device (theoretically) can't read the secret, only send the SIM a challenge and get the response to send to the network.
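The challenge-response that comment describes, as an added example for this thread. It is a model, not the real thing: HMAC-SHA256 stands in for the SIM's A3/A8 algorithms (which are operator-specific and not modelled here), while the sizes follow GSM (128-bit RAND, 32-bit SRES, 64-bit Kc). The IMSI, IMEI and Ki values are constructed test data.

```python
"""Why IMSI + IMEI alone do not clone a phone: the SIM answers challenges, Ki never leaves it."""
import hashlib
import hmac
import os


def _a3a8_stand_in(ki, rand):
    """Stand-in for A3/A8: RAND -> (SRES, Kc). Not the real algorithms."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


class Sim:
    """Holds Ki and only ever answers challenges; Ki itself is never read out."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self.__ki = ki

    def run_gsm_algorithm(self, rand):
        return _a3a8_stand_in(self.__ki, rand)


class ClonedSim:
    """What IMSI + IMEI buy an attacker: the right identity and no Ki, so it can only guess."""
    def __init__(self, imsi):
        self.imsi = imsi

    def run_gsm_algorithm(self, rand):
        return os.urandom(4), os.urandom(8)   # 1 in 2^32 per attempt against a 32-bit SRES


class Handset:
    """The phone knows its IMEI and can read the IMSI, but only relays RAND in and SRES out."""
    def __init__(self, imei, sim):
        self.imei = imei
        self.sim = sim

    def attach(self, auc):
        rand = auc.challenge()                       # network -> phone -> SIM
        sres, kc = self.sim.run_gsm_algorithm(rand)  # SIM -> phone; only SRES goes on to the network
        return auc.verify(self.sim.imsi, rand, sres), rand, kc


class AuthCentre:
    """Operator AuC: the only other holder of Ki."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)   # imsi -> Ki

    def challenge(self):
        return os.urandom(16)

    def expected(self, imsi, rand):
        return _a3a8_stand_in(self._ki[imsi], rand)

    def verify(self, imsi, rand, sres):
        return hmac.compare_digest(self.expected(imsi, rand)[0], sres)


def demo():
    """Genuine SIM attaches and both sides derive the same Kc; a clone with only IMSI + IMEI fails."""
    imsi, imei, ki = "001010123456789", "490154203237518", os.urandom(16)   # constructed test values
    auc = AuthCentre({imsi: ki})
    ok, rand, kc = Handset(imei, Sim(imsi, ki)).attach(auc)
    clone_ok, _, _ = Handset(imei, ClonedSim(imsi)).attach(auc)
    return {"genuine": ok, "kc_agrees": kc == auc.expected(imsi, rand)[1], "clone": clone_ok}


if __name__ == "__main__":
    print(demo())
```

The handset object carries the IMEI and can see RAND, SRES and Kc go past, which is exactly what leaked credentials or a compromised OS could capture; none of that yields Ki, so the network still cannot be fooled on the next attach.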
I thought this is well known information. Motoblur always restores your accounts with passwords after factory reset. It is not even possible to start the phone without logging in to your Motoblur account.
Isn't that the whole point of the Blur service...it logs into all these social services and combines them to produce a unified presentation? How else could it work?
Via the APIs each social service provides. They'd need only an OAuth token provided via your authentication, NOT full credentials. Worst case scenario, store the credentials on the device and authenticate against each provider. There's no reason to ever send those credentials to a third party like Motorola.
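The delegation model that comment argues for, as an added example for this thread: the aggregator gets a scoped, expiring, revocable token from each provider and never sees the password. This is an in-memory model, not any real social network's OAuth implementation; the scope names, the toy token format and the sample account are assumptions.

```python
"""Token-based delegated access: the aggregator holds tokens, the provider keeps the password."""
import hashlib
import hmac
import secrets
import time


class Provider:
    """A social service that supports token-based delegated access."""
    def __init__(self):
        self._pw = {}        # user -> (salt, pbkdf2 hash); never leaves the provider
        self._tokens = {}    # token -> (user, client, scopes, expiry)
        self._timeline = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password, timeline):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._hash(password, salt))
        self._timeline[user] = list(timeline)

    def authorize(self, user, password, client, scopes, ttl=3600, now=None):
        """The user logs in to the provider directly and consents to `client` getting
        `scopes`; the client receives only the resulting token."""
        salt, stored = self._pw[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            raise PermissionError("bad credentials")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = (user, client, frozenset(scopes), (now or time.time()) + ttl)
        return tok

    def _authz(self, token, scope, now):
        rec = self._tokens.get(token)
        if rec is None:
            raise PermissionError("unknown or revoked token")
        user, _client, scopes, exp = rec
        if (now or time.time()) > exp:
            raise PermissionError("token expired")
        if scope not in scopes:
            raise PermissionError(f"scope {scope} not granted")
        return user

    def get_timeline(self, token, now=None):
        return list(self._timeline[self._authz(token, "timeline:read", now)])

    def post(self, token, text, now=None):
        self._timeline[self._authz(token, "timeline:write", now)].append(text)

    def revoke(self, user, client):
        """The user cuts one aggregator off without changing the password."""
        self._tokens = {t: r for t, r in self._tokens.items() if (r[0], r[1]) != (user, client)}


class Aggregator:
    """A Blur-like server-side aggregator that stores only tokens."""
    def __init__(self, name):
        self.name = name
        self.tokens = {}   # (user, provider) -> token

    def link(self, user, provider, token):
        self.tokens[(user, provider)] = token

    def fetch(self, user, provider, now=None):
        return provider.get_timeline(self.tokens[(user, provider)], now)

    def try_post(self, user, provider, text, now=None):
        try:
            provider.post(self.tokens[(user, provider)], text, now)
            return True
        except PermissionError:
            return False


def _denied(call):
    try:
        call()
        return False
    except PermissionError:
        return True


def demo(now=1_000_000.0):
    """What a read-only token lets the aggregator do, and what it does not."""
    social = Provider()
    social.register("alice", "correct horse", ["hello", "world"])   # constructed sample account
    blur = Aggregator("blur")
    # Consent happens on the device against the provider; only the token reaches the aggregator.
    blur.link("alice", social, social.authorize("alice", "correct horse", "blur", ["timeline:read"], now=now))
    results = {"read": blur.fetch("alice", social, now=now),
               "write_denied": not blur.try_post("alice", social, "spam", now=now),
               "expired_denied": _denied(lambda: blur.fetch("alice", social, now=now + 7200))}
    social.revoke("alice", "blur")
    results["revoked_denied"] = _denied(lambda: blur.fetch("alice", social, now=now))
    results["password_in_aggregator"] = "correct horse" in repr(vars(blur))
    return results
```

Compare that with what the thread describes: with the password on Motorola's servers, the user cannot scope what Blur may do, cannot expire it, and can only revoke it by changing the password everywhere it is used.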
Yodlee, the worldwide banking network, happily stores millions of people's BANK ACCOUNT passwords, with no interest in using a secure Auth API, and nearly no one cares.
Why should Blur care about keeping your FB credentials private?
I think the implication is that the aggregation is done server-side, so it needs your credentials there (not that that is a good idea or that sending credentials in the clear is not complete and utter incompetence).
Edit: upon closer reading, credentials were sent over a secure connection, but aggregated content was sent in the clear.
I'm sure the servers that this data is stored on are completely locked down from malicious employee access, are protected by a diligent legal department from overzealous government access and above all completely safe from malicious external threats. Oh and I bet the logging is water tight.
Basically, I need to make all of my technological tools out of raw steel, silicon and wood and then I'll be OK, but otherwise, somebody's monitoring me. Right?
The author seems perplexed that Motorola is not collecting information from Google or Gmail accounts. This is probably because they already have the information: remember that Motorola is owned by Google.
That theory makes no sense. This phone predates the Google purchase by over a year (and there were probably other phones with the same software even earlier). Also, Google has no plausible use at all for any of this data and misusing it would have huge PR and legal risks. Certainly most of Motoblur got trimmed out with the upgrade to 4.0, and from what I hear completely eliminated with 4.1. Just didn't matter for this phone, since it got stuck on 2.3.
It's pure engineering incompetence from Motorola, not a nefarious way to collect data.
That's the date when Google announced that they were intending to buy Motorola, but such an announcement is irrelevant. Until the deal closes, the companies are legally obligated to continue behaving as if nothing has changed. For example in this case there were anti-trust issues in at least China and the US.
> Fortunately, I already removed most of those apps when I first got the phone (it was loaded with enough bloatware),
Lucky you. I can't remove, for example, my NFL application (which came installed by default), without rooting the phone. I do enough Linux stuff everyday that I really don't want to bother with it on my phone.
Honestly, this kind of stuff makes me want to get as far away from engineering as possible. I simply do not want to make complete shit and sell it to people for a living. I'm very thankful that Steve Jobs showed us that there are still people who want to make beautiful products.
Motorola is doing scummy stuff but it's probably better for one's mental health not to sanctify a particular individual. Let's not forget the "nuclear war" waged over rounded corners.
I don't have a Disable option. I looked this up online when I got the phone, and at that time, you literally could not disable it. I have a fairly old version of Android, because Verizon decided to stop pushing out updates for my device a long time ago.
Further evidence that no matter how "free" and "open" Android may be in theory, manufacturer and carrier modifications make it no better (and in this case worse) than the iPhone in practice.
Does anyone know if this is a part of the Android Kernel? If it is it means they've modified the source code and they're obligated to share their changes.
Is this not grounds for a major investigation? I'm not familiar with the law, but I know that there's been a number of cases of people that added RATs to their applications they created to monitor all traffic on that computer and email them passwords.
That's pretty much the exact same thing. Although: 'Never attribute to malice that which is adequately explained by stupidity.'
I've been wondering if there's any reason to actually keep the original OEM modified operating system instead of replacing it with a vanilla Android installation. I haven't found any but it seems that there are now compelling reasons to not keep it in any case.
Question - Can I trust cyanogenmod binary?
Compile the rom from source.
Question - Can I trust cyanogenmod source?
????, no idea, have to trust some one. (Remembering an argument from GEB about uncertainty).
*" I was using my personal phone at work to do some testing related to Microsoft Exchange ActiveSync. In order to monitor the traffic, I had configured my phone to proxy all HTTP and HTTPS traffic through Burp Suite Professional - an intercepting proxy that we use for penetration testing - so that I could easily view the contents of the ActiveSync communication.
Looking through the proxy history, I saw frequent HTTP connections to ws-cloud112-blur.svcmot.com mixed in with the expected ActiveSync connections."*
Whoever said that this has nothing to do with ActiveSync; You are being disingenuous.
What are some of the good tools on Android to monitor all network traffic incoming or outgoing of the phone? Like a super sniffer app for TCP, SMS, 3G/4G data.
Did you even read the article? It has nothing to do with EAS or Microsoft; it's Motorola software siphoning pretty much all the user's credentials off to Motorola servers.
Yes, I did read the article in its entirety. Did you?
The author mentions ActiveSync more than once.
*" What I am going to do as a result of this discovery
As of 23 June 2013, I've removed my ActiveSync configuration from the phone, because I can't guarantee that proprietary corporate information isn't being funneled through Motorola's servers. I know that some information (like the name of our ActiveSync server, our domain name, and a few examples of our account-naming conventions) is, but I don't have time to exhaustively test to see what else is being sent their way, or to do that every time the phone updates its configuration.
I've also deleted the IMAP configuration that connected to my personal email, and have installed K-9 Mail as a temporary workaround.
I'm going to figure out how to root this phone and install a "clean" version of Android. That will mean I can't use ActiveSync (my employer doesn't allow rooted phones to connect), which means a major reason I use my phone will disappear, but better that than risk sending their data to Motorola.
I'll assume that other manufacturers and carriers have their own equivalent of this - recall the Carrier IQ revelation from 2011."*
ActiveSync is not only used for "Exchange Server" connections.
Judging by your past comments, you are merely another Microsoft shill who believes that they can do no wrong...
I'm sorry but as soon as you accuse someone of being a shill or try to dismiss someone's comments because of fanboyism, you lose all credibility for pretty much the next 10 years of your life. There aren't enough downvotes in the world for that crap.
To beat a dead horse, regardless of the opinions of the mindless:
[from the article]
*" I was quickly able to determine that the connections to Motorola were triggered every time I updated the ActiveSync configuration on my phone, and that the unencrypted HTTP traffic contained the following data:
The DNS name of the ActiveSync server (only sent when the configuration is first created).
The domain name and user ID I specified for authentication.
The full email address of the account.
The name of the connection.
As I looked through more of the proxy history, I could see less-frequent connections in which larger chunks of data were sent - for example, a list of all the application shortcuts and widgets on my phone's home screen(s)."*
Would someone please illuminate me as to why my reference to ActiveSync is alleged to be irrelevant to this conversation?
The author originally noticed the snooping because he happened to be examining the phone's traffic when the ActiveSync credentials were sent. If you actually read the entire article, you'll notice that credentials were sent for Exchange, Facebook, Twitter, Photobucket, Picasa, YouTube, IMAP, POP, Yahoo Mail, and Flickr. Of those, the Microsoft and Yahoo services are the only ones where passwords are NOT sent, meaning you leak less data using ActiveSync than you do using IMAP.