Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Cellphones Handhelds Privacy IT

Sprint Faces Backlash For Adding MDM Software To Devices (csoonline.com) 123

itwbennett writes: On Wednesday, Sprint customer Johnny Kim discovered an in-store technician adding MDM software to his personal iPhone 6 without prior notice or permission. Kim took to Twitter with his complaint, sparking a heated conversation about privacy and protection. One expert who commented on the issue told CSO's Steve Ragan that 'it's possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.' But, as Ragan points out, 'even if that were true, it's against [Sprint's] written policy and such offerings are offered at the cost of privacy and control over the user's own devices.' (MDM here means "Mobile Device Management.")
This discussion has been archived. No new comments can be posted.

Sprint Faces Backlash For Adding MDM Software To Devices

Comments Filter:
  • Nice summary! (Score:5, Insightful)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday November 05, 2015 @02:37PM (#50872525) Homepage Journal
    Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.
    • by HiThere ( 15173 )

      Extremely helpful. I kept reading it as a misspelled Man (in) The Middle...and kept wondering what the D could actually stand for.

      Sounds like I got the meaning correct, though.

    • by eionmac ( 949755 )

      Concur.

  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Thursday November 05, 2015 @02:39PM (#50872539)

    It's not their devices and they should not be installing software without the express permission of their owners.

    Fight for your bitcoins! [coinbrawl.com]

    • If it was your device, why can't you root it legally?
    • by Holi ( 250190 ) on Thursday November 05, 2015 @03:04PM (#50872719)
      Which is their stated policy. Personally I see this as some dissatisfied tech who planned on trying to access the phones later for pics and credit card numbers.
    • by Anonymous Coward

      Sprint recently changed to a "iPhone forever" lease plan where you lease the phone for $5 per month, plus additional undisclosed add-ons that make it actually $10 per month. But, you're leasing the phone. You don't ever own it.

      They still offer you the option of buying the phone outright for ~$700 and no subsidy, if you want to "avoid paying them" the monthly lease rate.

  • by Holi ( 250190 ) on Thursday November 05, 2015 @02:42PM (#50872557)
    When Sprint has policies in place that actually forbid that action without a customer request. Isn't it more likely you have an unethical tech who is looking for future access to phones?
    • Except, it is a Sprint owned MDM and domain.

      Any sufficient level of incompetence is indistinguishable from Malice. Which is the more likely scenario, Incompetence or Malice? Knowing Sprint Techs, Incompetence is my initial guess.

      Now, if it was something out of Corporate, I would assume Malice. Just because it usually takes evil to get to the top of such organizations.

      • by Holi ( 250190 )
        I was claiming malice on the part of the tech hence the term unethical.
        • Here's the alternative: the technicians are so incompetent they don't know the meaning of individual steps and just do them by wrote, have no idea what the policy says, and don't give a fuck about your phone.

          Essentially a malicious level of incompetence.

          • by sherr ( 3751965 )
            "Rote".

            Sorry if I'm being a Nazi, I never know if someone just typo'd something or acutely used the wrong word, and if so if they would appreciate knowing the correct one or not.
            • Sir, I would love to commend you on reaching level 7 in your quest to be a full-fledged pedant.

              And while your goal of offering enlightenment to others is commendable, I must caution you that pedantic behavior is, ultimately, a reward only to the one opting the exhibit the pedantry.

              But, with great haste and alacrity I will endeavor to send my endorsement letter to the Counsel of Tedious Grammatical Endeavors. ;-)

  • Not according to TFA (Score:5, Informative)

    by tomhath ( 637240 ) on Thursday November 05, 2015 @02:46PM (#50872585)

    Isn't it more likely you have an unethical tech who is looking for future access to phones?

    Reading the article (yea, I know) it seems Sprint gave him several different reasons why it was installed. None of which included rogue technician.

    • by Holi ( 250190 )
      Sprint support staff gave him several reasons. I took that to mean the call center jockeys. It does not seem like it was Sprint Corporate telling him that, it was more like barely trained support staff who probably don't even know what MDM is. We also know it was a tech who manually installed it so the whole pre-installed claptrap was obviously pulled out of someones ass. I would not be surprised if some tech was installing it on many phones knowing it would give him access at a later point. And no Sprint i
  • Dumbphone FTW (Score:1, Interesting)

    by Anonymous Coward

    Every time I want to upgrade to a smart phone I think back to the 1990s when I didn't have a cell phone. Then about issues like this.

    Having a tiny portable phone in my pocket: $20.
    Not having to treat it like a crotchety piece of IT equipment: priceless.

  • "Did you not want to installed it? Let us know!"

    Also - clearly he didn't fucking want it installed... Is it a new rule now that Customer Service just not read messages at all?
  • by plover ( 150551 ) on Thursday November 05, 2015 @02:55PM (#50872653) Homepage Journal

    On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.

    Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.

  • by zlives ( 2009072 ) on Thursday November 05, 2015 @02:56PM (#50872657)

    The technician misheard the customer, the customer said " i do NOT want to be ass fucked". the tech didn't hear the NOT.

    • by Anonymous Coward

      The customer said "I DO NOT want that." The technician heard "I DONUT want that." Donuts are fucking tasty and hell yes everyone wants a donut, so of course he installed it.

  • At what point was the technician handling his phone, and what was he doing with it?

    Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

    I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

    Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

    • Don't you have to enter an iTunes password every time you go to install an app on an iPhone?

      If so, then why would the user allow this app to be installed in the first place?

    • At what point was the technician handling his phone, and what was he doing with it?

      Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going become unreasonable quite fast.

      I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.

      Surely he didn't walk into a Sprint store and hand the technician his phone, did he?

      Every time I've bought a device from the network provider, I make them hand me the box, still shrink wrapped. I can insert the SIM, if it doesn't come with one, tyvm. They never hesitate to just give me the box. Sometimes they need to scan barcodes off the back, but that's about the extent of it. Of course, certain devices come with vendor spyware already installed at the factory.

      • I make them hand me the box, still shrink wrapped.

        Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

        • I make them hand me the box, still shrink wrapped.

          Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.

          Yes but you can tell if it has been factory reset when you turn the iPhone on.

  • without prior notice or permission

    I'm pretty sure it says they can do that in your contract. You remember your contract right? The one you signed to get service? What do you mean nobody reads those? You didn't read the contract you signed???

    While I agree that pulling shenanigans like this is not something I want from the people who I hired to give me phone service, I'm willing to bet they are not acting outside the law.

    • That's OK, I have an EULA on my phone which says you will not install any software without directly getting written permission, or I will give you an epic smackdown right there in the store.

      I'm not acting outside the law either now.

      Sorry, but this is stalling software which give them remote control of your phone without consulting you.

      How's "computer fraud and abuse act" sound?

      • by Dunbal ( 464142 ) *
        The problem with your argument is that your EULA is imaginary, while their contract is real.
        • I had a friend who, when he bought software, paid with a check that had a note on the back saying that endorsing the check means a warranty of (IIRC) 100 hours mean time to failure. He always made it clear that the check said that, and never had a problem. Not that he had the money to sue anyone....

      • Actually, that's wrong. I work for a company that develops MDM software, and what you can do to a smartphone is incredibly limited, especially non-Samsung devices and iPhones.

        Firstly, the iPhone can never be touched or targeted directly by an MDM server, it can only relay information through apple's Push Notification Services servers.

        Secondly, Apple explicitly blocks any tool sets of access to contents of the device, including personal information. It is literally impossible to read that data on an iOS devi

        • Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.

          Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.

          How does TeamViewer's mobile app fit in with that? I'm guessing different because the user has to agree to some sort of pop-up?

          Just curious. I know they advertise some of that functionality, but I never got around to demoing it.

    • This is why I love my country's consumer protection laws. Bits in consumer contracts that are "unusual" are not going to stick unless you explicitly point them out AND have the consumer sign that you did point out exactly this passage that is unusual.

      And our judges tend to consider anything "unusual" that they're not used to. In other words ... well, you know how tech savvy the average judge is.

  • by Anonymous Coward

    So, how can I check my Sprint iPhone 6s for such software?

  • by Dredd13 ( 14750 ) <dredd@megacity.org> on Thursday November 05, 2015 @04:57PM (#50873457) Homepage

    I'm going to go ahead and throw up a red flag. I don't think this is a Sprint owned domain. I think it's meant to LOOK like one, but I don't think it IS one.

    $ dig +short sprint.net ns
    ns1-auth.sprintlink.net.
    ns2-auth.sprintlink.net.
    ns3-auth.sprintlink.net.
    $ dig +short sprint.com ns
    reston-ns1.telemail.net.
    ns2-auth.sprintlink.net.
    reston-ns3.telemail.net.
    reston-ns2.telemail.net.
    ns1-auth.sprintlink.net.
    ns3-auth.sprintlink.net.

    The places Sprint hosts their "well-known" domains looks remarkably like it's a legitimate place. "wabaw.net", however?

    $ dig +short wabaw.net ns
    ns6.domainmonger.com.
    ns5.domainmonger.com.
    ns7.domainmonger.com.
    ns8.domainmonger.com.

    I'm going to propose a theory that the WHOIS data shows Sprint so that - if someone gets caught and folks go looking for someone to vilify, Sprint is the unwitting victim. But - in reality - it's sitting in some domain-registration that nobody official at Sprint has ever heard of, and someone's been building a network of phones that they control via MDM.

    • You have a good point:

      $ host leon.webaw.net
      leon.webaw.net has address 62.99.250.53

      $ whois 62.99.250.53 ... snip...
      netname: Schneid-GmbH
      descr:
      descr: Schneid GmbH
      descr: Herbert Schneid
      descr: PIRKA
      descr: IPs statically assigned
      country: AT

      maxmind corroborates the information.

      So... Sprint are putting control of your phone into the hands of someone in Austria. Nice going, guys!

      • by Chmarr ( 18662 )

        Oh dammit. Ignore. I typo'd the host name :(

        • by Dredd13 ( 14750 )

          even worse. It's just a bunch of AWS servers....

          $ host leon.wabaw.net
          leon.wabaw.net is an alias for awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com.
          awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.213.59.154
          awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.191.121.98

          Bets on if the account info for that AWS account is fake?

    • Then why have several sprint tech support personal been 'aware' of the software that is installed?

      Do you freak out when you see the domain names that Google uses for lots of stuff that in no way look like 'google' domains, but are for a fact Google domains? Trace route to www.google.com ... I think you'll lose your shit based on this post.

      Just because you don't understand the shitty logic they used to pick a domain name doesn't mean it was't them, or an outsourced service they use.

      • by Dredd13 ( 14750 )

        That's not what I said. But you've constructed a wonderful strawman for yourself to knock down.

        I said, let's recap:

        - The domain servers they're using are not their normal domain servers and look nothing like them
        - The domain registrar used for the MDM is not their normal registrar (and corporations don't generally have a bunch of parallel accounts for such things, they centralize)
        - The service isn't hosted in their copious capacity but in a pair of anonymous AWS instances

        As has been noted elsewhere in this

  • Sounds like buying your mobile device directly from the manufacturer, such as Apple, might be preferable to buying it from the service provider (albeit having to front the full cost of the device). I'll have to consider that if/when I upgrade from my 4S.
  • It doesn't matter whether it goes against Sprint's published policies - there is precisely nothing that you can viably do about this kind of situation these days thanks to arbitration clauses.

    You can't sue. You certainly can't start a class action suit based on all the customers this was done to. You can elect to go to arbitration over it, however if the arbitrator rules against you you're likely going to have to pay for all of Sprint's costs related to the arbitration - including whatever price tag they pu

Keep up the good work! But please don't ask me to help.

Working...