We’ve heard the news that the NSA is collecting information on Verizon customers’ phone data, but did you know that Motorola is also doing the same? Security engineer Ben Lincoln claims that the Motorola X2, and quite possibly other models, are sending sensitive user data back to the company, such as email addresses, usernames, passwords, and GPS coordinates from pictures taken.
Lincoln discovered this when he monitored the traffic between his Motorola Droid X2 and Motorola’s servers. Not only was sensitive data being sent, but it was also sent over an unencrypted channel, using HTTP instead of HTTPS. This data could easily be intercepted by anyone.
In a blog post, Lincoln wrote: “In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.”
The tests showed that Motorola is collecting email information from various online services that phone users are using, such as Facebook, Twitter, Photobucket, Picasa and YouTube. The IMEI number, the apps installed on the device, and phone and SMS statistics are also being collected.
Every nine minutes the device also sends out detailed information regarding the home screen. This includes what shortcuts are placed and what widgets are running.
Apparently, Motorola’s Terms of Service states that the company collects certain information from its devices, but it specifically says that communication data is not collected.
Lincoln further said, “I can think of many ways that Motorola, unethical employees of Motorola, or unauthorized third parties could misuse this enormous treasure trove of information.”
“If you’re still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which – without any indication to the user – sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it’s a phone instead of a desktop PC?”
Motorola has not yet issued an official statement on the matter.