"Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker"

From Nitrokey News:
» During our security research we found that smart phones with Qualcomm chip secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the Qualcomm chipset itself sends the data, circumventing any potential Android operating system setting and protection mechanisms. Affected smart phones are Sony Xperia XA2 and likely the Fairphone and many more Android phones which use popular Qualcomm chips.«

This seems to affect all Fairphone models except FP1. Qualcomm chips:
FP2: Qualcomm Snapdragon 801
FP3: Qualcomm Snapdragon 632
FP4: Qualcomm Snapdragon 750G

7 Likes

Unfortunately it seems this is hardly hot news.

4 Likes

Someone who calls himself “Forscher” should know that there is no real Google Free Android System 🙃

So overall it seems Paul Privacy needs to do some research still 🤓

1 Like

I don’t think that’s a fair justification.

The underlying proprietary system reaching out to the internet, unencrypted, that’s a problem.

12 Likes

Is this before or after device is unlocked?

I’ve added (.|^)izatcloud.com$ to blacklist in Pi-Hole (akin to nullrouting).

Interestingly, according to logs it seems to look it up at night:

Another thing to do is block outgoing port 80 (which I already do). Although I suppose it bypasses local firewall rules?

Also, yes sending and receiving data unencrypted is dangerous for multiple reasons. It can be easily intercepted and modified. What kind of OS is doing this, for example? Is it ever updated? Which client is being used, some kind of HTTP client?

8 Likes

It’s just a side note, but it somehow makes little sense to get (rightly) upset about unencrypted data transfers and then at the end of the article offer a contact email address without a public PGP key or similar to contact for free consultations…

That’s not to say that she/he didn’t raise an important point there.

2 Likes

well, that sounds quite convinced. why do you know, there is “no real google free android system”? Are you a “forscher”?
Not claiming, that /e/ is 100% google free, though (not even trying to be, in fact).

anyway, the main topic of this article is not google, but qualcomm. the findings are disappointing in general, and hopefully changing something after all.

and even though it’s not very surprising that chip drivers track the phone as well, it’s still surprising that they do that unencrypted.

2 Likes

actually I’d be very interested in a public statement of @Bas_van_Abel or @anon88190582 about why they agreed to a distribution of private data by qualcomm - and then even unencrypted.

2 Likes

I very much doubt many people outside of Qualcomm were aware of this.

4 Likes

And what’s else to select MediaTek, giving you no real options to even upgrade Android Versions?

1 Like

I’ve opened a ticket: 825488, in case they haven’t seen this yet.

5 Likes

that’s a misquote. you mixed up “degoogled android systems” with “apps that come with google libraries preloaded or rely on GPS/microG”.

just because users tend to install google stuff on their devices (including half-working replacements like microG), the Android System might still be (have been) google free. anyway, that’s whataboutism. let’s please stick to the topic, which is not related to google but to Qualcomm.

2 Likes

No, it’s neither a misquote nor whataboutism.

And it’s not about installing Google stuff or Apps depending on GSF, as explained, only with microG it’s still connecting to Google.

As you don’t believe the DivestOS developer and your user name indicates you understand German you probably might want to look at the Kuketz Blog.

The here linked article is not only about Qualcomm sending personal data home and is talking a lot about degoogle as well as Google free, in an in my eyes misleading context.

You can’t be afraid of QC while neglecting that degoogle is not Google free and there are data sent to Google even with degoogled custom ROM.

1 Like

Further Details already published back in 2016…

German Blog

With further links in the blog

3 Likes

For me personally the most important part is them sending data through plain HTTP.

I’m not shocked at all that data is being collected. I’ll wait for some additional security people to chime in how extensive it is and if there are workarounds.

But, that any of it is done unencrypted is a problem regardless of the scale this is happening at. Even if you would consent to that data being sent that’s bad.

Data being sent to QC in the background and making the informed decision to use some Google services via microG are two very different things.

Just because both are bad from a privacy standpoint doesn’t make them the same.

6 Likes

I’ve the impression that the article is mainly advertisement for the NitroPh…
As they mention to have used Wireshark to analyze the traffic I can’t understand why there’s no concrete evidence in the article about the traffic sent. When it’s unencrypted it should be visible in a Wireshark trace…

7 Likes

I’ve seen the article make the rounds in several places, it’s probably just a matter of time till someone confirms or disproves it.

But I agree, I would have appreciated them not peddling their own stuff in an article that supposedly discloses a vulnerability.

I don’t think I said this and agree, I was just criticizing that the article is mixing a lot together and in my eyes could have explained things better. This article is so far the only and main resource for this discussion and people seem to take it seriously and I’m questioning it.

He is even suggesting Fairphone’s mission is data privacy

Another popular option which is frequently chosen for its privacy is the Fairphone. In spite of its reputation for bolstering users’ privacy, all Fairphone models contain a Qualcomm chip probably loaded with the AMSS blobware.

4 Likes

Maybe because all 3 FP4 and one FP2 in my household are always in flight mode at 2/3am in the morning I can’t find any trace of “izatcloud.net” except from my PC (but at different times - and the only 4 such DNS requests in April so far)?!!
Or maybe it’s another device in your household (and not your FP) sending the data/requesting DNS entry?
At least it sounds a bit strange that the request you find in your pihole is for xboxprod.izatcloud.net…
Can anyone confirm that their Fairphone requests the domain?

2 Likes
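An added example, not part of any post in this thread: one way to answer the question of which device on the network is actually looking up the izatcloud domains, and at what hours, is to attribute the queries in a Pi-hole (dnsmasq-format) query log to their client addresses. The log lines, client IPs and times below are constructed, and the function names are hypothetical; the pattern is a dot-escaped form of the blacklist regex quoted above, extended to cover both the .com and .net names mentioned in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq log format Pi-hole uses for its query log.
# Client addresses, dates and times are invented for this example.
SAMPLE_LOG = """\
Apr 12 02:41:07 dnsmasq[812]: query[A] xboxprod.izatcloud.net from 192.168.1.20
Apr 12 02:41:07 dnsmasq[812]: forwarded xboxprod.izatcloud.net to 9.9.9.9
Apr 12 09:15:33 dnsmasq[812]: query[A] example.org from 192.168.1.31
Apr 13 03:02:50 dnsmasq[812]: query[AAAA] xboxprod.izatcloud.net from 192.168.1.42
Apr 13 14:20:11 dnsmasq[812]: query[A] notizatcloud.net from 192.168.1.31
Apr 14 16:58:19 dnsmasq[812]: query[A] izatcloud.com from 192.168.1.42
"""

# Only "query[...] <name> from <client>" lines carry the requesting client.
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+) (\d{2}):\d{2}:\d{2} dnsmasq\[\d+\]: "
    r"query\[(\w+)\] (\S+) from (\S+)$"
)
# Escaped dots and the (\.|^) anchor match the domain and its subdomains only,
# so a look-alike such as notizatcloud.net is not counted.
DOMAIN_RE = re.compile(r"(\.|^)izatcloud\.(com|net)$", re.IGNORECASE)


def izat_queries_by_client(log_text):
    """Return {client_ip: [(day, hour, queried_name), ...]} for izatcloud lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue  # forwarded/reply/cached lines have no client field
        day, hour, _qtype, name, client = m.groups()
        if DOMAIN_RE.search(name):
            hits[client].append((day, int(hour), name))
    return dict(hits)


def summarize(hits, night_hours=range(0, 6)):
    """Return {client_ip: (total_queries, queries_between_00_and_05)}."""
    return {client: (len(rows), sum(1 for _, h, _ in rows if h in night_hours))
            for client, rows in hits.items()}


if __name__ == "__main__":
    summary = summarize(izat_queries_by_client(SAMPLE_LOG))
    for client, (total, night) in sorted(summary.items()):
        print(f"{client}: {total} queries, {night} between 00:00 and 05:59")
```

Matching each client address against the router's DHCP lease table then shows whether the lookups come from a phone or from another device in the household.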