Google's latest flagship smartphone raises concerns about user privacy
and security. It frequently transmits private user data to the tech
giant before any app is installed. Moreover, the Cybernews research
team has discovered that it potentially has remote management
capabilities without user awareness or approval.

[...]

- Private information was repeatedly sent in the background, including
  the user’s email address, phone number, location, app list, and other
  telemetry and statistics.

- The phone constantly requests new “experiments and configurations,”
  tries accessing the staging environment, and connects to device
  management and policy enforcement endpoints, suggesting Google’s
  remote control capabilities.

- The Pixel device connected to services that were not used and for
  which no explicit consent was given, such as Face Grouping endpoints,
  causing privacy and ownership concerns.

[...]

The phone beams data periodically

Web traffic analysis revealed that the Pixel device continuously sends
personally identifiable information (PII), such as the user’s email
address, phone number, and location, to various Google endpoints,
including Device Management, Policy Enforcement, and Face Grouping.

Every 15 minutes, the device sends a regular authentication request to
an endpoint called ‘auth.’

The phone also requests a ‘check-in’ endpoint around every 40 minutes,
listing low-level features enabled on the phone, such as the firmware
version, whether it is connected to Wi-Fi or using mobile data, the SIM
card carrier, and the user’s email address.

The location data is included in the request even when the GPS is
disabled – the phone then relies on nearby Wi-Fi networks to estimate
the location.

“The Pixel 9 Pro XL repeatedly uses PII for authentication,
configuration, and logging. This practice doesn’t align with the
industry’s best anonymization practices and appears excessive. The
smartphone transmits the user's email address, location, and phone
number, even when utilizing a variety of other identifiers for the user
and the device,” Nazarovas said.

Location and other sensitive data may be integral to many of Google’s
services and features, such as newly introduced Car Crash Detection. 

The phone constantly checks for new code to run

Google appears to have reserved some remote management and control
capabilities for Pixel devices.

Most Android phones have a “CloudDPC” package built in. It is used to
manage enterprise devices, such as changing security policies, remotely
distributing apps, wiping data, etc.

“Worryingly, we observed CloudDPC reaching out to Google’s servers.
This signals that the company may be able to control settings and
perform actions on regular consumer devices if they choose to do so. It
appears that users do not have full control of the device when a vendor
can make changes without user knowledge and consent,” Nazarovas said.

Moreover, the Pixel device periodically calls out to a Staging
environment service (‘enterprise-staging.sandbox’) and attempts to
download assets that do not yet exist.

This reveals the capability of remotely installing new software
packages.

“This is concerning because development and staging environments are
considered less secure and private. If a malicious actor gains access
to the development endpoint or spoofs it, such situations might lead to
data injection and potential remote code execution on Pixel devices,”
Nazarovas said.

The Pixel phone also maintained a nearly constant connection to the
experiments and configurations endpoint.

The researcher noted that the experiments’ endpoint may be used for A/B
testing, trying new user interface elements, or advertisement campaigns
on a small subset of users for a limited time.

“All these services signal to us that the Pixel 9 Pro XL owners might
be unable to reliably administrate the device or control what gets
installed or deleted. During the experiment, we did not observe any
harmful actions. However, the existing infrastructure could be used for
remote control of the device or to install new software,” Nazarovas
said.


Continues at
https://cybernews.com/security/google-pixel-9-phone-beams-data-and-awaits-commands/


I imagine nobody fails to see the danger of a backdoor that allows
Google not only to scrupulously surveil people, but to send code to be
executed on their phones.


Framing an inconvenient politician or journalist as a terrorist or
pedophile has never been so easy.


Giacomo
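
The kind of review the quoted article describes (how regularly each endpoint is contacted, and which PII the request bodies carry) can be repeated on one's own intercepted traffic. The sketch below is an added example, not code from Cybernews or from this message: the record layout, the pattern set, and all sample values are constructed assumptions, and only the 'auth' and 'check-in' labels with their 15 and 40 minute cadence come from the article.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: (seconds since capture start, endpoint label, request body).
# Real input would be an intercepting-proxy export; this tuple layout is an assumption.
def sample_capture():
    records = []
    for i in range(5):   # 'auth' about every 15 minutes, with a few seconds of jitter
        records.append((i * 900 + (i % 2) * 4, "auth",
                        "email=user@example.invalid&msisdn=+15555550100"))
    for i in range(3):   # 'check-in' about every 40 minutes
        records.append((i * 2400 + 30, "check-in",
                        "fw=build-1&net=wifi&carrier=TestCarrier&email=user@example.invalid"))
    records.append((1234, "weather", "lat=54.6872&lon=25.2797"))  # one-off request
    return sorted(records)

# Deliberately simple patterns for the three PII kinds the article names.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d{8,15}\b"),
    "location": re.compile(r"\blat=-?\d+\.\d+&lon=-?\d+\.\d+"),
}

def audit(records, min_hits=3, jitter=0.2):
    """Per endpoint: median interval in minutes if the cadence is regular, plus PII kinds seen."""
    times, pii = defaultdict(list), defaultdict(set)
    for ts, endpoint, body in sorted(records):
        times[endpoint].append(ts)
        pii[endpoint].update(k for k, rx in PII_PATTERNS.items() if rx.search(body))
    report = {}
    for endpoint, stamps in times.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = None
        if gaps and len(stamps) >= min_hits:
            mid = median(gaps)
            # "Regular" means every gap lies within +/- jitter of the median gap.
            if all(abs(g - mid) <= jitter * mid for g in gaps):
                period = round(mid / 60)
        report[endpoint] = {"period_min": period, "pii": sorted(pii[endpoint])}
    return report

if __name__ == "__main__":
    for endpoint, info in audit(sample_capture()).items():
        print(endpoint, info)
```

An endpoint that shows both a stable period and a non-empty PII list is the pattern the article reports for 'auth' and 'check-in'; one-off or irregular requests get `period_min` of `None`.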
