
Background

On May 6, 2023, an article titled "Hidden Backdoor in Qualcomm GPS Services Discovered" was published on WeChat [1], which caught the attention of QiAnXin Threat Intelligence Center.

The article was translated from a post published by the German security vendor Nitrokey on April 25, titled "Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker" [2]. The original article stated that smartphones using Qualcomm chips automatically send data containing device identification information to Qualcomm's GPS service.

The article sparked discussion abroad, including some opposing views. For example, Martijn Braam's response post of April 25 [3] argued that Nitrokey's description was exaggerated and suspected Nitrokey of promoting its own products. Nitrokey responded to the discussion at the end of the original article.

QiAnXin Threat Intelligence Center analyzed and interpreted the original Nitrokey article and various discussions, conducted testing and verification in a real environment using an Android device, and finally gave our opinion on the possible impact of this event.


Interpretation of Nitrokey's Original Article

Test Process

Nitrokey used an open-source version of Android called "/e/OS", which ships without Google components, installed on a Sony Xperia XA2 smartphone with a Qualcomm Snapdragon 630 processor. During the test, the GPS location service was explicitly turned off in the /e/OS installation configuration interface. The phone had no SIM card inserted, so it could only communicate over WiFi. Wireshark was used to monitor packets on the WiFi network.

After the phone was connected to the WiFi network, it communicated with the domain izatcloud.net belonging to Qualcomm, and the data was transmitted in plaintext via HTTP.


Connected Domain

The connected domain [4] is used for Qualcomm's Assisted GPS (A-GPS) location service XTRA.

The webpage has a link describing Qualcomm services (“Qualcomm Services Description”) [5], which includes the Qualcomm GNSS Assistance Service previously known as the "XTRA" service, and provides information on the data collected by the service.

The collected information is as follows:

- A randomly generated unique software ID that is not associated to you or to other IDs
- The chipset name and serial number
- The Qualcomm GNSS Assistance Service software version
- The mobile country code(s) and network code(s) (allowing identification of country and wireless operator)
- The type of operating system and version
- Device make and model
- The date and time of connection to the server
- The time since the last boot of the application processor and modem
- A list of Qualcomm (QTI) related software on the device
- As with any internet connection, we will also receive the IP address the device used to send us data.

Key Points

(1) Qualcomm's service collects user data without their consent

Nitrokey believes that the above-mentioned data sharing by Qualcomm was not mentioned in Sony, Android or "/e/OS" service content, and users were not aware of it.

(2) The article does not discuss a backdoor

Nitrokey mentioned in the update on May 2 that what they discussed is not a backdoor, and other reports have misinterpreted the content of the article.

(3) In its update on May 2nd, Nitrokey reiterated its position that the collection of device IDs and IP addresses by Qualcomm without user consent cannot be considered legal or ethical, and the transmission of such data was not encrypted.


Discussion of Nitrokey Article

Shortly after Nitrokey published the original article on April 25, there were discussions from many sources. Nitrokey then updated responses to these comments in the original article. We have checked out some related articles mentioned in these comments.

Martijn Braam

On April 25, Martijn Braam posted a comment [3] in response to the Nitrokey article. Regarding data collection of Qualcomm's GPS service, the author believes:

(1) This is for A-GPS (Assisted GPS) functionality to obtain GPS location more reliably.

(2) This function is not limited to devices using Qualcomm chips, and almost all devices with GPS and internet functionality use this method.

(3) Network IP is necessary for internet connection and cannot be considered personal data.


GrapheneOS

GrapheneOS is the operating system provider for the NitroPhone, a smartphone released by Nitrokey. On April 25, GrapheneOS published a technical review [6] in response to Nitrokey's original article, pointing out some technical inaccuracies in Nitrokey's article. The main points in the review are as follows:

(1) Nitrokey did not discover a backdoor.

(2) Qualcomm's XTRA and IZat are two different services, but they share the same domain name for historical reasons.

Qualcomm's XTRA only provides GNSS data through HTTPS GET requests for static download files, and this assisted GPS service also appears in all other major GNSS (GPS, GLONASS, etc.) implementations, including Broadcom.

IZat is a network location service similar to the Google and Apple services where devices can send a list of nearby cell towers, Wi-Fi networks and Bluetooth devices with their signal strength to receive back a location estimate. It also seemingly supports other features like location sharing. IZat appears to be a fairly privacy invasive service but it's not enabled by default and is not directly related to XTRA. (IZat is also mentioned in Qualcomm's service list.)

Qualcomm used to use izatcloud.net for both IZat and XTRA which are entirely separate services. They moved XTRA to xtracloud.net to make it clear that it's a separate thing. Some devices using an older SoC or configuration may still use the confusing izatcloud.net URLs leading to people mixing these things up.

(3) There are no known backdoors in Qualcomm Snapdragon chips.

On Qualcomm Pixels, XTRA (PSDS, Predicted Satellite Data Service) is implemented by xtra-service within the OS and SUPL is implemented by the cellular radio firmware. The OS chooses the URLs used for both XTRA and SUPL.

There are no known backdoors in either Snapdragon or Tensor, and no one has found any evidence of any backdoors. The post title here is simply wrong. People not knowing about XTRA (PSDS) or SUPL doesn't make them a backdoor.

On April 27, GrapheneOS posted [7] confirming that Qualcomm's XTRA daemon sends device-related data without asking the user about it.

On April 30, GrapheneOS summarized [8] that "We weren't trying to say that anything was wrong with NitroKey's product only that their post has been corrected and the issue they talk about is real, but they got some important details wrong."

On the same day, GrapheneOS released an update [9] that stops the XTRA service daemon on Qualcomm devices from sending the device serial number in the User-Agent header of HTTPS requests, and mentioned that the User-Agent header content will be removed completely later.


Computer Base

On April 26, the German IT media website Computer Base reported on Nitrokey’s article and quoted statements from Qualcomm [10]. Computer Base believes that using an unencrypted connection is not appropriate if data exchange is necessary for certain services. Qualcomm's statement is that it has been using HTTPS connections on all devices since 2016.


The Register

On April 27, The Register also reported on this incident [11]. The report quoted a comment from a former mobile industry executive, who said that "what goes on in phones at a low level isn't really understood by the general public." Almost all chip manufacturers "are going to have all kinds of different fetches that they're going to make [over the network]", and because the software is complex and mixes a lot of old and new code, these issues may have "been there forever".

In addition, The Register also mentioned that mobile device data transmission may cause problems in high-risk environments, especially when the network IP address is combined with hardware identification information.


Real Environment Testing and Verification

As Nitrokey's article did not show the HTTP packets exchanged with izatcloud.net, the QiAnXin Threat Intelligence Center tested and verified the reported behavior. The test device was a Google Pixel XL, equipped with a Qualcomm Snapdragon 821 chip.

After the test device connected to WiFi, the content of the packets exchanged with izatcloud.net was captured. The device downloads the A-GPS data files from the subdomains xtrapath[1-3].izatcloud.net using GET requests. The data passed to the server is carried in the User-Agent header of the GET request, with each piece of information separated by "/". The device model ("Google/Pixel#XL/marlin") is one of the more obvious pieces of information.

Through testing, it can be seen that, as Nitrokey's article stated, Qualcomm collects device data when providing GPS services. The test device model, Google Pixel XL, was released in 2016, which also indicates that the collected data is transmitted over the network in plain text at least on older devices.
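As an added example (not code from QiAnXin, Nitrokey or Qualcomm), the following Python code audits cleartext payloads from your own capture for the requests described above and splits the User-Agent on "/" to show what an on-path observer can read. The sample payloads, the file path and the FIELD-* placeholders are constructed, and matching every subdomain of izatcloud.net and xtracloud.net is an assumption.

```python
import re
from typing import Optional

# Domains named in the article; matching every subdomain is an assumption.
XTRA_DOMAINS = ("izatcloud.net", "xtracloud.net")

# Constructed samples: only "Google/Pixel#XL/marlin" comes from the article.
SAMPLE_XTRA = (b"GET /constructed-file.bin HTTP/1.1\r\n"
               b"Host: xtrapath2.izatcloud.net\r\n"
               b"User-Agent: FIELD-A/FIELD-B/Google/Pixel#XL/marlin/FIELD-N\r\n\r\n")
SAMPLE_OTHER = b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: demo\r\n\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"  # start of a TLS record


def parse_request(raw: bytes) -> Optional[dict]:
    """Parse a cleartext HTTP request head; None if the payload is not HTTP."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None  # encrypted (TLS) or non-HTTP traffic ends up here
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers}


def audit_xtra_request(raw: bytes) -> Optional[dict]:
    """Return what an on-path observer can read from one XTRA download request."""
    req = parse_request(raw)
    if req is None:
        return None
    host = req["headers"].get("host", "").lower().split(":")[0]
    if not any(host == d or host.endswith("." + d) for d in XTRA_DOMAINS):
        return None
    # The article reports that the User-Agent fields are separated by "/".
    fields = [f for f in req["headers"].get("user-agent", "").split("/") if f]
    return {"host": host, "path": req["path"], "ua_fields": fields}


def audit_capture(payloads: list) -> list:
    """Keep only the payloads that are cleartext XTRA requests."""
    return [r for r in map(audit_xtra_request, payloads) if r is not None]


if __name__ == "__main__":
    for finding in audit_capture([SAMPLE_TLS, SAMPLE_OTHER, SAMPLE_XTRA]):
        print(finding["host"], finding["path"], finding["ua_fields"])
```

A payload that does not parse as HTTP, such as the TLS record sample, yields no finding, which is the expected result on devices that fetch the file over HTTPS.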


Impact Analysis

Although the uploaded data is limited, Nitrokey believes that this data can create a unique device signature for behavior tracking. While information released by GrapheneOS indicates that the device data collected by Qualcomm GPS services is transmitted via HTTPS, testing has found that data transmitted by this service on devices released at least as early as 2016 was not encrypted and can be easily intercepted by malicious actors.

It can be seen that the client access volume of the relevant domains xtrapath[1-3].izatcloud.net visited during the testing is very large, and internet providers should be able to assess the number of affected devices accurately.

It is also worth noting that Nitrokey turned off the use of GPS location services in the user interface during testing, but the device still sent requests to Qualcomm's GNSS assistance service, meaning that this functionality is not fully controlled by the user. Even if the user does not want to use GPS services, Qualcomm's GNSS assistance service will automatically transmit device-related data.


Conclusion

Combining the discussions from all parties and actual testing, it is obvious that the so-called "Qualcomm hidden backdoor" is exaggerated. The focus of this incident is that Qualcomm collected device data without the user's awareness or explicit authorization while providing GPS services, which is unacceptable for those who value personal privacy. Moreover, on older devices, this data is transmitted in plain text over the network, creating a risk of interception and exploitation.

As we have seen in the discussions about this incident, various mobile device hardware and software vendors collect data to some extent when providing services. In today's environment where privacy protection is increasingly important, data collection methods used in the past may no longer be suitable. Although there are historical legacy issues due to the complexity of hardware and software, if vendors do not pay more attention and handle user privacy protection with caution, events like Qualcomm's collection of device data in an irregular manner that was ultimately misunderstood as a "hidden backdoor" are likely to happen again.


Reference Links

[1]. https://mp.weixin.qq.com/s/gRIP9NzvTMBfSrsCWvT4Ew

[2]. https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker

[3]. https://blog.brixit.nl/nitrokey-dissapoints-me/

[4]. http://izatcloud.net/

[5]. https://www.qualcomm.com/site/privacy/services

[6]. https://lr.slipfox.xyz/r/privacy/comments/12yii9u/german_security_company_nitrokey_proves_that/jhojlr7/?context=3

[7]. https://grapheneos.social/@GrapheneOS/110271570368417397

[8]. https://grapheneos.social/@GrapheneOS/110282956527624208

[9]. https://grapheneos.social/@GrapheneOS/110284403992561226

[10]. https://www.computerbase.de/2023-04/standort-dienst-qualcomm-widerspricht-vorwuerfen-der-datensammlung/

[11]. https://www.theregister.com/2023/04/27/qualcomm_covert_operating_system_claim/
