Twitter, Facebook, Picasa and YouTube credentials are collected

Jul 3, 2013 10:03 GMT  ·  By
Motorola Droid X2 and possibly other phones collect considerable amounts of user data

Security researcher Ben Lincoln has discovered that Motorola Droid X2 Android phones, and possibly other Motorola models, silently send a considerable amount of sensitive information back to the company’s servers via the Blur user interface.

The expert has found that the email addresses and passwords for services such as Facebook, Twitter, Photobucket, Picasa and YouTube are sent to Motorola.

While, in most cases, passwords are sent over HTTPS, other communications – such as the Facebook and Twitter posts written and read by the user, and contact details – are sent over unencrypted HTTP.

The domain name, username, email address, and connection name for Exchange ActiveSync are also sent via HTTP.

Lincoln says that phone IMEI, phone number, a list of installed applications, phone call and text message statistics, and possibly even location information are also collected.

Interestingly, Motorola’s Terms of Service reveal that some information is collected, but they clearly state that the content of communications is not.

“I can think of many ways that Motorola, unethical employees of Motorola, or unauthorized third parties could misuse this enormous treasure trove of information,” Lincoln explained.

“But the biggest question on my mind is this: now that it is known that Motorola is collecting this data, can it be subpoenaed in criminal or civil cases against owners of Motorola phones? That seems like an enormous can of worms, even in comparison to the possibilities for identity theft that Motorola's system provides for.”

The researcher also highlights that flaws in the way the information is transmitted could be leveraged by cybercriminals who set up a rogue wireless access point in a public location to intercept the communications of every Motorola device owner who walks by.

It’s important to note that the Blur UI is not used on the Droid X2 phone on which the expert tested the attack, at least not in theory. However, Lincoln believes that, on many devices, Motorola might have simply changed the UI, but not the underlying Blur functionality.

Additional technical details and steps to reproduce the attack are available on Lincoln’s blog.