Affected smart phones are Sony Xperia XA2 and likely the Fairphone and many more Android phones which use popular Qualcomm chips. The data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the Qualcomm chipset itself sends the data, circumventing any potential Android operating system setting and protection mechanisms.
Has anyone
else replicated it? orhave more specific information on affected phone&chips?I tested with an Android phone that has a Qualcomm chip, but didn’t see any DNS query for izatcloud.net. My test involved monitoring wifi traffic using a separate device, rebooting the android device, and disabling/enabling wifi a couple times.
This post include a few plugs for the NitroPhone (which is unaffected), and appear on the NitroPhone’s vendor website. I wonder if they’re overstating how widespread the issue is, which would benefit their device’s marketing.
Update: found a couple fairphone forum threads that confirm the issue, and give more details.
- Forum post “Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker” on April 25 2023 where an user notice queries for izatcloud.net in his pihole logs “at night”. This would explain why my short test during the day didn’t catch this.
- Forum post “Telemetry, Spyware, list of privacy threats on FP3 Android 9” on Dec 19 2019, that links izatcloud.net to a GPS system app.
Looks like it’s less suspicious (but still crap):
https://mstdn.social/@larma@mastodon.social/110260142005927299- IZAT/XTRA is Qualcomm’s alternative to Google’s network location system. It’s entirely running in userspace, not in firmware. Its configuration and proprietary client library can be found on the /vendor partition of many qualcomm devices that run LineageOS or derivatives and is considered by LineageOS to be part of the device specific proprietary vendor blobs that need to be included for a fully functional system (even if it’s typically possible to run without it).
Good to know. Userspace means there’s some hope of disabling this, possibly without root.
A comment on this by GrapheneOS reddit account here:
NitroKey did not discover a backdoor. The post is very sensationalized and it’s unfortunate they didn’t run this by us first. The title used for the post here is editorialized and doesn’t match what the article actually states. This is not a backdoor.
XTRA (PSDS) is an entirely separate thing from Qualcomm’s IZat service. XTRA (PSDS) simply provides static downloads via HTTPS GET requests of GNSS almanac data, i.e. the predicted locations of satellites for around a week in the future. XTRA is just Qualcomm’s proprietary branding for PSDS which is also used by every other major GNSS (GPS, GLONASS, etc.) implementation including Broadcom.
IZat is a network location service similar to the Google and Apple services where devices can send a list of nearby cell towers, Wi-Fi networks and Bluetooth devices with their signal strength to receive back a location estimate. It also seemingly supports other features like location sharing. IZat appears to be a fairly privacy invasive service but it’s not enabled by default and is not directly related to XTRA.
Qualcomm used to use izatcloud.net for both IZat and XTRA which are entirely separate services. They moved XTRA to xtracloud.net to make it clear that it’s a separate thing. Some devices using an older SoC or configuration may still use the confusing izatcloud.net URLs leading to people mixing up these things up.
On Qualcomm Pixels, XTRA (PSDS) is implemented by xtra-service within the OS and SUPL is implemented by the cellular radio firmware. The OS chooses the URLs used for both XTRA and SUPL. Pixel/Nexus phones never integrated IZat. We have seen South Korean Qualcomm SoC phones providing the option to use IZat and it seems like it might be widely used there. It does not seem to be widely used internationally and is not simply enabled by default without users choosing to opt into using it. XTRA is normally always used since it’s just a static download.
On Tensor Pixels, PSDS is done with the standard AOSP PSDS implementation and SUPL is done within the OS by Broadcom gpsd. We prefer the Tensor Pixel approach, but it doesn’t mean that the Qualcomm approach is less private. We just prefer having control over it within the OS.
It is possible Qualcomm moved XTRA (PSDS) handling into firmware similar to SUPL on newer devices. We haven’t confirmed that ourselves since we aren’t currently doing research and development for newer Qualcomm devices. We do prefer the Tensor platform over Snapdragon, but this is barely a factor.
There are no known backdoors in either Snapdragon or Tensor, and no one has found any evidence of any backdoors. The post title here is simply wrong. People not knowing about XTRA (PSDS) or SUPL doesn’t make them a backdoor.
SUPL is much more of a privacy issue than XTRA, since SUPL involves sending a list of nearby cell towers with their signal strength to a server which helps with accelerating obtaining a satellite-based location lock.
We document these topics here:
In the meantime I got similar additional information as @loki did. Seems to be more advertising than information.
Should I delete the post?
Should I delete the post?
Please, no.
Maybe edit the title so that people not reading the comments (and the article) are aware? 🤔
Done.
👍