The truth about those claims of Qualcomm chips secretly snooping on you

Cellphones using Qualcomm chipsets may transmit data sometimes classified as personal information, specifically IP addresses, back to Qualcomm. But where such transmission is occurring, it's not secret and it has been going on for years. That doesn't mean, however, there's no privacy risk in Qualcomm-based phones or in devices …

  1. b0llchit Silver badge
    Big Brother

    The phone privacy fallacy

    The only thing I wouldn't call it is 'covert,' because it's been there forever.

    Wow, that is like saying: We've been spying on you all the time, but that is no secret because we've done it all the time and you just didn't know about it.

    That is not going to make it right...

    Either way, if you want real privacy, don't use a mobile phone. Any phone can be roughly located within a 1000m2 circle or so using cell tower triangulations. Encryption of cell-phone calls is abysmal and compromised for "legal intercept" purposes. Let's just not speak of the state of security and privacy of software, apps and OS, on "smart" phones, shall we. Real privacy and a smart/mobile phone are mutually exclusive.

    1. Graham Cobb

      Re: The phone privacy fallacy

      We should insist that all personally identifiable information being communicated outside the device is listed somewhere, for all devices. That includes any form of "identifier" for the phone, SIM, or any other component or attached device. So, obviously, IMSI, etc, but also any serial number for any hardware or chip, or any other id which can identify the user or device. That is a reasonable request and is probably a legal requirement in most jurisdictions.

      Even the IP address may be important. Observing a sudden increase in the number of mobile phones using IP addresses associated with a military network might give away information about an operation about to start.

      1. Anonymous Coward
        Anonymous Coward

        Re: The phone privacy fallacy

        If US news websites (amongst other sites) won't let you visit/view their site because of GDPR and their handling of your personal data, then yes, your IP address is personal data.

        1. NoneSuch Silver badge
          Trollface

          Re: The phone privacy fallacy

          "A Qualcomm spokesperson disputed the research."

          A corporate spokesperson criticizing empirical research because it makes them look bad? I'm shocked! Shocked, I tells you.

      2. cyberdemon Silver badge
        Big Brother

        > Either way, if you want real privacy, don't use a mobile phone.

        Don't use a laptop either. Or a desktop. Or a "Smart TV" or "smart" anything. Your only hope of privacy will be a vintage computer, but this will no longer run any modern DRM/security-protected software requiring a TPM chip. (don't forget to turn on Automatic Updates, kids. Otherwise there is a danger that your software might continue to work on your Unauthorised hardware!)

        All modern laptops (and some desktops too) have a Pluton TPM 2.0 from Microsoft, which spies on you from the CPU level "just to make sure you aren't cheating in games" apparently. Maybe that's why they want to buy out Activision Blizzard, so they can foist Pluton onto the majority of gamers as part of the DRM package, and thus try to normalise the presence of their spy-chip in the desktop market. (Just like "Anti theft" was never the real reason behind "Intel Anti Theft" which later became "Intel Management Engine" which provides a backdoor into every Intel CPU. And Windows Modern Standby is nothing to do with saving energy- it does quite the opposite; it's there to enforce that the backdoors are active at all times, even while your laptop is supposed to be turned off)

        And if you think you are safe with Apple, think again. They have the equivalent of Pluton in their T2 security chip. It's a right pain in the arse apparently to get any third-party OS to work on a machine that uses this chip.

        Then once they reach critical market penetration, the AUS/UK/US governments (in that order, probably) will make it a legal requirement to have a spy chip in every computer/TV/phone, otherwise you must obviously be a terrorist/paedophile/unperson. It will probably come with their "ban on encryption" laws - i.e. if we can't decrypt your data using our spy chips, then you must be a criminal, or er, a spy.

    2. Snake Silver badge

      Re: it's been there forever

      FWIW [they're] not lying, IZat has been on my Android phones pretty much since I switched to Android.

      ...which is why I not only opted out, but I killed the service on earlier phones (where it was allowed).

      Let's face the reality: most people expect someone else to do the work of "privacy" and "security" for them, and therefore take almost no effort in researching and doing the necessary mitigation work themselves. But then these very same people complain when that "someone else" doesn't do the work that they thought was being done for them. These are the very same people who are up in arms in a belief that the government / Big Business is spying on them, but post their daily bowel movement timings on Twitter, and grant their credit card company intimate knowledge of their daily activities by using said credit card for every single little £2 purchase.

      1. Anonymous Coward
        Anonymous Coward

        Re: it's been there forever

        Yah, but data can be made to say what you want. Like, I take a bunch of cash out my account every payday. I use some, save some. When I got a pile, I buy me stuff. Got no record nowhere about it. Got guns and ammo and survival junk nobody know I got neither. When I get my stuff I got the phone at home next to my chair with my favorite channel on the tube. Phone don't move, so that means I don't move. I got a habit of not touching my phone when watching the tube so nothing strange there. Wanna defeat tracking, control what they track. Anon, now figger out who I am.

        1. Anonymous Coward
          Anonymous Coward

          Re: it's been there forever

          "Anon, now figger out who I am."

          Bill, it's your mother. Get your ass off the computer, get out of the basement and do those dishes! You'll be late for your shift at McDonalds.

        2. An_Old_Dog Silver badge

          Bad News, Anon

          Did you really think your purchases with cash were anonymous?!

          Did any of the stores you visited have security cameras? (I expect first-world banks and gun stores have security cameras.) Did any of the houses or businesses you passed by on your way to the bank or gun store have video cameras which saw you?

          Were any of those cameras supplied by Google, Amazon, ChineseCheapCo, etc? If so, your face was recorded, and tagged with the location. Was that data sold on or traded? Certainly. Were facial-recognition techniques applied? Mayyyybe ... Will facial-recognition techniques be applied to that dataset in the future? Certainly.

          1. trindflo Silver badge

            Re: Bad News, Anon

            Good. Also cameras in cars (dashcams) set to automatically record based on motion whether the car is occupied or not.

    3. adam 40
      Mushroom

      Stick a firewall on it

      I use a no-root firewall, and it's amazing what that picks up from apps on the phone.

      (It works by pretending you're working over a VPN).

      And I am sure, even that is evaded by a lot of the O/S.

      If I could be bothered, I'd stick my phone on a home basestation and wireshark log it all. But for now, I treat it as if it were fully hacked and open to all and sundry. So no banking, nothing that needs to be secure, is on the phone.

  2. Anonymous Coward
    Anonymous Coward

    /e/OS team reply

    The /e/OS team also replied about the Nitrokey statement, unveiling other possible concerns at:

    https://community.e.foundation/t/qualcomm-chipsets-data-collection-linked-to-the-a-gps-service-in-e-os/48982

  3. Anonymous Coward
    Anonymous Coward

    I seem to remember that Chinese hardware makers have been pilloried and banned with much less evidence of remote data collection. So, it's definitely good to reduce Nitrokey's* claims to something more realistic, now why not do the same analysis for all hardware makers?

    * Full disclosure: a few years back, I got Nitrokey hired for a small-but-important special project, and it was a pleasure working with them.

  4. ChoHag Silver badge

    Thomas had never seen such bullshit

    Just because consumer-fucking has been happening while the fucking vendors did everything short of outright lying to disguise the fact, doesn't mean it's fine.

    This story is a rehashed press release in the same manner as the article it's "reporting" on.

  5. Zippy´s Sausage Factory

    I wonder how many EU data protection bodies are going to wake up and start paying attention to this story?

  6. Blackjack Silver badge

    [Doing so reveals to the servers the public IP addresses of the phones plus, according to NitroKey, some device metadata. That's really what this all boils down to.]

    If you can't turn it off and is on by default then yes it is a privacy problem.

    If you can't think what is wrong with that then you shouldn't be writing articles about privacy.

    1. usbac

      We can down-vote posts here in the comments, can we somehow down-vote the article's author?

      1. Jamie Jones Silver badge

        In times long ago, there was an option to upvote articles (I can't remember if you could downvote too)

        I don't know why they removed it - I would have thought the feedback would be helpful - though I guess some staff disapproved...

  7. Anonymous Coward
    Anonymous Coward

    Relativity

    It all depends on how you characterise personal data and user identity.

    True, the phone firmware deals only with technical parameters and nothing directly personal.

    But when aggregated and correlated in a database, these parameters create a fingerprint unique to the user. It only takes one snatch of say the current IP address from elsewhere, and the user's personal identity is known for as long as they use that device.

    So exposing all that techy fingerprint over unencrypted https is a gross lapse of privacy protection.

    But you try to get the industry to stop changing the subject by yelling how they don't directly spy on you.

    (AC, even if this nest of Vultures does use https.)

  8. martinusher Silver badge

    What did you expect?

    In order for a mobile phone to function the mobile networks -- not just 'your' network but every network -- will need to know what its unique identifier is and where. The protocols also require the phone to accurately know the time. Since location data for the mobile network isn't accurate enough for emergency calling there's been a requirement in the US for decades that phones incorporate GPS or similar to know where they are.

    There's no magic to any of this, it's just the engineering fact of life. The tricky -- I'd say impossible -- bit is trying to persuade marketing types that this information is private and shouldn't be used to push advertisements at us.

    I think that many people don't understand the reality of wireless. I've read articles talking in scathing terms about such and such a user 'slurping' up WiFi addresses, for example. It's the sort of thing that someone who doesn't understand how the MAC layer works -- or doesn't even realize there is a MAC layer -- would write based on their experience of wired networks. Cellphones are no different -- there is spectrum, information is placed on and picked off that spectrum but there's no notion of 'frequencies' in the old-fashioned steam radio sense.

    1. Dog11
      Big Brother

      Re: What did you expect?

      > there's been a requirement in the US for decades that phones incorporate GPS or similar to know where they are.

      Sure. But what legit requirement is there to share that info outside the phone when not making an emergency call?

      I've got "location" turned off, and some apps won't work that way. Is my phone still sending location data to anyone (outside of emergency calls)? Obviously the local cell towers roughly know where you are based on signal strength, but they really only need that to determine which tower has the best signal. (It's also obvious that telcos unnecessarily retain that data to make it possible to snoop later, but that's a different issue than the chipset spying.)

      1. Xalran Silver badge

        Re: What did you expect?

        > Sure. But what legit requirement is there to share that info outside the phone when not making an emergency call?

        Since it can be collected easily from an external platform without using anything contained inside the phone, the point is moot.

        Before we had GPS chips in (almost) all our phones, the Mobile Positioning was done (in 2G to boot) in servers, and only the SRI/SRI-ACK messages are used to perform that location... since these messages are exchanged on a regular basis between the phone and the network (it's a keep alive of some sort, as well as a way for the mobile to know which cell tower it's tied to and for the cell tower to know which mobiles are connected to it).

        It's something called CGI+TA (Cell Global Identity + Timing Advance) location.

        With some math, the location can be done at 10ish meter or less in urban areas, and the only requirement on the mobile side is that the mobile is on, and has a SIM card inserted.
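The CGI+TA mechanism described in the comment above, as an added worked example (not code from the original thread or from any operator's positioning server): in GSM the Timing Advance is reported in units of one bit period, about 3.69 µs, and since it covers the round trip one TA step corresponds to roughly 553.5 m of range from the serving tower. Each (cell, TA) pair therefore confines the handset to a ring around that tower, and the rings from several cells are intersected. The tower coordinates, the handset position and the grid-search estimator below are constructed for illustration; the estimate's resolution comes from the 553 m ring width and the tower geometry, not from anything on the handset beyond being switched on and registered.

```python
"""Estimate a handset's position from Cell Global Identity + Timing Advance.

In GSM the Timing Advance (TA) is reported in units of one bit period
(48/13 us, ~3.69 us). The signal travels out and back, so one TA step
corresponds to ~553.5 m of range from the serving tower. A single
(cell, TA) pair places the phone in a ring (annulus) around that tower;
several such pairs, e.g. serving cell plus neighbours from measurement
reports, are intersected to narrow the region down.
"""
import math

TA_STEP_M = 553.5  # metres of range per Timing Advance unit (c * 3.69us / 2)


def ta_from_distance(distance_m):
    """TA value the network would report for a phone at this range (quantised down)."""
    return int(distance_m // TA_STEP_M)


def ta_bounds(ta):
    """Inner and outer radius (metres) of the ring implied by one TA value."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def ring_residual(point, tower, ta):
    """0 if point lies inside the tower's TA ring, else its distance to the ring."""
    d = math.dist(point, tower)
    inner, outer = ta_bounds(ta)
    if d < inner:
        return inner - d
    if d > outer:
        return d - outer
    return 0.0


def estimate_position(observations, bbox, step_m=25.0):
    """Grid-search the bounding box for points consistent with every ring.

    observations: list of ((tower_x, tower_y), ta) pairs in a local metre frame.
    bbox: (xmin, ymin, xmax, ymax).
    Returns (centroid, total_residual, number_of_best_grid_points).
    """
    xmin, ymin, xmax, ymax = bbox
    best_score = math.inf
    best_points = []
    y = ymin
    while y <= ymax:
        x = xmin
        while x <= xmax:
            score = sum(ring_residual((x, y), tower, ta) for tower, ta in observations)
            if score < best_score - 1e-9:
                best_score, best_points = score, [(x, y)]
            elif abs(score - best_score) <= 1e-9:
                best_points.append((x, y))
            x += step_m
        y += step_m
    cx = sum(p[0] for p in best_points) / len(best_points)
    cy = sum(p[1] for p in best_points) / len(best_points)
    return (cx, cy), best_score, len(best_points)


# Constructed scenario (not real tower data): three towers in a local metre frame.
TOWERS = {"A": (0.0, 0.0), "B": (3000.0, 0.0), "C": (1500.0, 2600.0)}
TRUE_POSITION = (1200.0, 900.0)


def simulate_observations(position=TRUE_POSITION):
    """What the network side sees: each tower's identity plus the TA it measured."""
    return [(xy, ta_from_distance(math.dist(position, xy))) for xy in TOWERS.values()]


def demo():
    """Run the estimator on the constructed scenario; returns (estimate, error_m)."""
    obs = simulate_observations()
    est, _score, _n = estimate_position(obs, (-1000, -1000, 4000, 3600))
    return est, math.dist(est, TRUE_POSITION)


if __name__ == "__main__":
    for tower, ta in simulate_observations():
        print(f"tower {tower}: TA={ta} -> ring radii {ta_bounds(ta)} m")
    est, err = demo()
    print(f"estimate {est}, error {err:.0f} m from true position {TRUE_POSITION}")
```

In the constructed scenario the three rings overlap in a single patch a few hundred metres across, so the centroid lands within a few hundred metres of the true position; more cells, sector (bearing) information and finer timing measurements are what shrink that patch further.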

    2. Anonymous Coward
      Anonymous Coward

      Re: What did you expect?

      There's a big difference between the phone registering with the local cell tower operated by the phone company, and an unencrypted data connection containing that information and more being sent to a third party in another country!

  9. Snowy Silver badge
    Mushroom

    The chipset

    Should not be downloading anything!!!

    1. hugo tyson
      Black Helicopters

      Re: The chipset

      Yeah well it's not the chipset covertly doing something via a sekrit backdoor, without the CPU et al knowing, like Intel's secret onboard management chip with its own MINIX OS et al, it's the software that gets the assistance data for Qualcomm's GPS chipset. All GPS systems do stuff along these lines, sending lists of audible WiFi and cell towers to a server to receive in return relevant ephemeris and almanac data (describing exactly where the satellites are), instead of downloading/decoding all that data at 50 bits per second (sic) from the satellite signals like a standalone old-skool GPS would have to.

      The conflation of "phones with chipset X do this" and "chipset X does this" ain't quite valid; it's got to be software.

      Methinks the real issue, if any, is that the comms is not encrypted, rather than that it goes to a Qualcomm server /per se/.

      1. Graham Cobb

        Re: The chipset

        Not quite. The real issue is that it isn't under the control of the user.

        I rarely use my phone for location services. I should be able to leave them off and only turn them on if I want them. The 50 bps is fine for me most of the time.

        Don't put privacy-impacting services on my phone without telling me and providing on/off switches!

        1. An_Old_Dog Silver badge

          Privacy-Impacting Services on Your Phone

          The manufacturers/mobile carriers will grant your wish by loading 1,269 privacy-impacting services on your phone, "telling" you about them in the middle of a mega-pages long EULA or privacy notice, and hiding the on/off switches in a maze of random menus. And none of the general apps, such as "Phone" (used to call or receive phone calls) will work correctly with these services disabled.

          Happy now?

  10. Anonymous Coward
    Anonymous Coward

    "He noted the Qualcomm-initiated HTTP communication does not contain any private data. "It's just downloading .."

    ..and the moron contradicts himself in two sentences: IP-address is definitely private data, by legislation (in EU). By downloading anything, you leave it into logs, with browser ID string (either its own or yours). So he, and Qualcomm, lie. Not a surprise.

    Is this Claburn an American as he seems to have serious problems to understand what is "private data"? Anything which identifies a person (or small group of persons). IP of a phone definitely is one of those.

    1. Anonymous Coward
      Anonymous Coward

      America... where "land of the free" applies mainly to the corporations, and the citizens seem happy with that!

      1. abstract

        Free? Lol that means nothing especially in western countries where there are laws for all and everything but only against the people. The USA are a military state that manipulates and alienates the people. That's all.

        Free, democracy, our values, bla bla, yeah sure you count. You just pets.

  11. Cuddles

    The important part

    "a list of software on the device"

    The article author and Qualcomm both go to a lot of effort to dismiss the concerns due to things like IP address and device IDs being a necessary part of any communications. And that could well be a reasonable argument. But the claim is that the gathered data goes a lot further than that. I can't see any possible reason that location data to improve GPS accuracy would require a full list of installed software. It's not needed to enable the communication, it's not relevant to GPS at all, it serves no purpose other than to fingerprint a device to allow identification of individual users. Qualcomm waffles a lot, but fails to actually address that part of the claim at all. The author generally appears to seek to minimise the issue and just says that lots of people collect various data so it can't be a problem, but again fails to address the actual claim that Qualcomm appear to be fingerprinting devices for no explained reason.

    As others have noted, it also seems a somewhat interesting take to describe unique device IDs and precise location data as "non-personal, anonymized data". And that's the parts they explicitly admit to collecting.

  12. VoiceOfTruth

    Nice bit of whitewashing

    Nothing to see here when it's American companies doing the spying. Move on.

    Imagine if it was Huawei. The headline would be "Huawei confirmed to be snooping".

    If you want to be a shill, be a shill. If you want to be a reporter, leave your shilling at the door.

  13. Jeff 11

    Carrier networks use some form of NAT so your phone's IP address isn't unique. They have to do this because there simply isn't enough address space on IPv4 for every mobile phone to have one. It is certainly not a reliable unique identifier. And making *any* HTTP(S) request reveals your (gateway's) IP address to the third party you're connecting to.

    I haven't seen a refutation of the far more serious point about what that HTTP request contains - if it contains fingerprint information in a header or request body then that's a legitimate privacy concern. From looking at the 'advisory' it only points to Qualcomm to have customer agreement in their privacy policy - a typical FUD move - and there is nothing to suggest that this is what is being done in this instance.

    In this instance it's probably a simple GET request with no such privacy-violating fingerprint being sent - if it was anything else they'd show their proof.
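The question raised in this comment, and in "Stick a firewall on it" further up (putting the phone behind a home base station and capturing it with Wireshark), is what a plaintext request from the phone actually carries. Below is an added example, not code from the thread, from Nitrokey's advisory or from Qualcomm, that inspects one captured HTTP request and reports every field holding a device identifier or a software list. The request, the host name and the header and JSON field names are constructed for illustration and are not a description of any real vendor's protocol; the point is the check itself: query string, headers and body are each scanned, and a bare request with nothing identifying in it yields no findings.

```python
"""Flag identifier-bearing fields in a captured plaintext HTTP request.

Intended for requests captured from a phone on a network you control
(e.g. a home access point or base station mirrored into Wireshark).
The sample request below is constructed; its host, header names and
JSON fields are hypothetical.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

PATTERNS = {
    "IMEI (15 digits)": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "MAC address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "16-hex-char ID (e.g. Android ID)": re.compile(
        r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])"),
    "ICCID (19-20 digits starting 89)": re.compile(r"(?<!\d)89\d{17,18}(?!\d)"),
}
# Header names whose values are known to carry device/software fingerprints.
FINGERPRINT_HEADERS = {"user-agent", "x-requested-with"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def scan_value(location, value, findings):
    """Append (location, kind, match) for every identifier pattern found in value."""
    for kind, pat in PATTERNS.items():
        for match in pat.findall(value):
            findings.append((location, kind, match))


def inspect_request(raw: bytes):
    """Return a list of (where, what, value) for each identifier-bearing field."""
    _method, target, _version, headers, body = parse_request(raw)
    findings = []
    for key, value in parse_qsl(urlsplit(target).query):
        scan_value(f"query:{key}", value, findings)
    for name, value in headers.items():
        if name in FINGERPRINT_HEADERS:
            findings.append((f"header:{name}", "device/software fingerprint", value))
        scan_value(f"header:{name}", value, findings)
    if body:
        text = body.decode("utf-8", errors="replace")
        try:
            payload = json.loads(text)
        except ValueError:
            payload = None
        if isinstance(payload, dict):
            for key, value in payload.items():
                if isinstance(value, list) and key.lower().endswith(("packages", "apps", "software")):
                    findings.append((f"body:{key}", "installed-software list", f"{len(value)} entries"))
                elif isinstance(value, str):
                    scan_value(f"body:{key}", value, findings)
        else:
            scan_value("body", text, findings)
    return findings


# Constructed capture: hypothetical host, header and field names, made-up identifiers.
SAMPLE_REQUEST = (
    b"POST /assist/data.bin?deviceid=a1b2c3d4e5f60718&imei=356938035643809 HTTP/1.1\r\n"
    b"Host: assist.example.invalid\r\n"
    b"User-Agent: ExampleAgent/1.0 (Linux; Android 13; ExamplePhone X1)\r\n"
    b"X-Example-Mac: 3c:5a:b4:11:22:33\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"iccid": "8944100000000000012", '
    b'"installed_packages": ["com.example.a", "com.example.b", "com.example.c"]}'
)

if __name__ == "__main__":
    for where, what, value in inspect_request(SAMPLE_REQUEST):
        print(f"{where:28} {what:36} {value}")
```

Anything this reports on a real capture is visible to every hop between the phone and the server, which is the difference between "the request reveals the gateway's IP address" and "the request reveals the device".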

  14. Paul Hovnanian Silver badge

    I hope ...

    ... this disqualifies Qualcomm from use in any security sensitive government networks.

  15. abstract

    Americans spying on the world? What!? where is the news.

    Those to blame are the idiots who continue to swallow the American propaganda. The world needs to seriously start defending itself against those barbarians.

  16. Anonymous Coward
    Anonymous Coward

    This sounds like when my ancient phones would download a file from Nokia or Ericsson to assist with A-GPS
