We pride ourselves on our approach to security here at RJS and have been keenly interested in the goings-on with the NSA and the PRISM program, and in all the third parties that seem to have no problem coughing up your personal info: corporate giants such as Google, Facebook, Microsoft, etc.
Here’s a new one to add to the list: Motorola.
Ben Lincoln posted on his blog today some interesting facts he happened to stumble upon while troubleshooting an Exchange ActiveSync setup with his Motorola Droid X2 cell phone. It turns out that Motorola is gathering ALL his logon credentials for third-party sites/services, along with photos he’s taken with his phone, and passing quite a bit of that data unencrypted over HTTP.
In layman’s terms: all that data is interceptable by third parties; in fact, that’s how Lincoln initially discovered it.
We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put a lot of valuable time and effort into making it known: Eckhart pointed it out to the XDA ROM modding community, and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge, to the point that their stock and market share tumbled during 2012 and in 2013.
When you break the trust of your customers, it is really hard to recover.
HTC licked their wounds and released the HTC One, which has been aptly named since it’s their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.
Do I feel any more secure? Not really, since the NSA is digging through all my email and phone traffic regardless of the personal security steps I take.
Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …