Nitrokey, a German security firm, recently published a report alleging that it has identified an undocumented function in Qualcomm Snapdragon processors that captures and transfers user data straight to Qualcomm servers.
The functionality is not dependent on the Android operating system, therefore data is transferred even when the operating system is not present. Nitrokey installed a Google-free version of Android on a Sony Xperia XA2 phone equipped with a Qualcomm Snapdragon 630 processor and discovered that data was being transferred to Qualcomm’s izatcloud.net service.
Qualcomm chips collect and transmit user information such as the unique smartphone identifier, chip name, chip serial number, XTRA software version, mobile country code and mobile network code, type and version of the carrier or operating system, device manufacturer and model, program list on the device, IP address, and other data, according to the report. The data is delivered to Izat Cloud via the unsecured HTTP protocol with no further encryption, making it available to anybody who can read the unique identification data.
Unencrypted data transmission from Qualcomm chips
This feature impacts around 30% of phones globally, including Android phones and iPhones equipped with Qualcomm communication modules. Nitrokey’s conclusion in the blog post is that Qualcomm’s customized AMSS firmware takes priority over any operating system and, because it uses the HTTP protocol, a unique device signature can be created based on the collected data, which can be accessed by third parties.
Qualcomm reacted to the issue, noting that the data transmission is in accordance with the XTRA service’s privacy policy, which permits the business to gather the aforementioned user data. However, the fact that the data is transmitted using the insecure HTTP protocol has raised concerns about user privacy and security.
This research emphasizes the need of ensuring that user data is sent safely and in accordance with privacy regulations. It also emphasizes the importance of Internet businesses being more transparent about the data they gather and how it is utilized.
As more gadgets connect and gather data, it is critical that people understand how their data is being used and have the power to regulate it. Google’s new developer update requires all Android apps to include a feature that allows users to remove their accounts and data, reflecting the growing emphasis on user privacy.
