Carrier IQ: Your phone's secret recording device
12-02-2011, 06:53 AM
#1
Administrator
Thread Starter
Carrier IQ: Your phone's secret recording device
Saw this on CNN this morning:
http://money.cnn.com/2011/12/01/tech....htm?hpt=hp_c1
NEW YORK (CNNMoney) -- Carrier IQ is a piece of software installed on millions of mobile phones that logs everything their users do, from what websites they browse to what their text messages say.
No, it's not part of some great Orwellian plot; it's a diagnostic tool that carriers say plays a crucial role in helping them assess and troubleshoot their networks. But the recording app, which flew under the radar for years until security researchers drew attention to it recently, is setting off red-alert privacy and security alarms.
It's also spotlighting how little customers -- and, sometimes, the carriers and manufacturers themselves -- know about what goes on under the hood of their data-stuffed mobile devices.
Reports about Carrier IQ's hair-raisingly detailed tracking capabilities began swirling in the tech press several months ago and gained steam after Android developer Trevor Eckhart posted an analysis of the software's data logs.
But on Monday, Eckhart followed up with a 17-minute YouTube video showing how the software secretly runs on his HTC EVO 3D Android phone and logs every key press, every text, and the full URL of every website he visits. It recorded that data even from websites that use security encryption designed to prevent that kind of tracking.
Then word began spreading about just how ubiquitous Carrier IQ's software is. It's on an estimated 150 million mobile devices.
AT&T (T, Fortune 500) and Sprint (S, Fortune 500) confirmed to CNNMoney that handsets on their networks run Carrier IQ's software and transmit information from it back to them. T-Mobile, which was not immediately prepared to comment, also uses Carrier IQ to monitor devices on its network, researchers say.
Verizon Wireless (VZ, Fortune 500) says it doesn't use Carrier IQ's software. It also claims that it doesn't run anything similar, though Verizon's rivals all disputed that, insisting that modern networks can't operate without these kinds of diagnostic tools.
Researchers have found the software on multiple devices running Google's (GOOG, Fortune 500) Android operating system.
Apple (AAPL, Fortune 500) also confirmed Thursday to CNNMoney that the software is running on some of its mobile devices, but the company says it stopped supporting it in the latest version of iOS and will completely eliminate Carrier IQ from all iPhones and iPads in an upcoming software update.
What the logging tool does: Carrier IQ -- and several of its major customers -- say its software is being misunderstood.
Carrier IQ says the core purpose of its tool is to uncover broad trends across a network. Its software can help carriers find out where calls are dropping and why, and zero in on device glitches. If a specific handset line from HTC, say, has a battery life problem, Carrier IQ's software will help surface the problem.
Sprint, for example, said it uses Carrier IQ to root out network problems.
"We collect enough information to understand the customer experience with devices on our network and how to address any connection problems," Sprint said in a prepared statement. "We do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint."
But as Eckhart's video and other security investigations have illustrated, Carrier IQ is logging a shockingly extensive cache of data.
In response, Carrier IQ issued a statement saying that it doesn't "record," meaning it doesn't actually transmit to the carriers or anyone else, most of the information it stores on phones.
It's a technical but meaningful distinction. Sprint and AT&T said that they do not and cannot collect the kinds of detailed information that the Carrier IQ software tracks on the phone.
Independent security analyst Dan Rosenberg has studied Carrier IQ's software and several wireless providers' user of it. As he puts it: "People need to recognize that there's a big difference between recording events like keystrokes ... and actually collecting, storing, and transmitting this data to carriers, which doesn't happen."
He added: "After reverse engineering Carrier IQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data."
Still, he didn't let Carrier IQ off the hook completely. There are significant privacy concerns -- which both Carrier IQ and its customers seem to have overlooked -- associated with having a big chunk of personal data stashed on your phone.
Rosenberg called that software design approach "pretty bad."
Christopher Soghoian, a cyberprivacy researcher and fellow at human rights organization Open Society, echoed that view.
"Carrier IQ doesn't seem as nefarious as incompetent, but that may not be enough to allay the legitimate concerns of the public," he said. "There would be huge issues if this data were transmitted to a carrier, but even if not, it presents huge concerns. This would be a gold mine for a hacker."
Soghoian thinks that Carrier IQ has far more access and stores much more information on phones than it should.
Yet users are essentially powerless to stop it. The software is so buried in the device's operating system that the average consumer can't possibly delete it, and doing so would void the phone's warranty.
"It's not reviewed by Google's security team, it's not audited, it may not get regular security updates, and you really don't want one app to have all that information," Soghoian noted.
Google insisted that Carrier IQ is installed at the manufacturer and carrier level. A company spokesman said it had no involvement with the software's appearance on its Android devices.
One thing is clear: This mess isn't over. What began as a wonky technical issue is becoming the subject of widespread public scrutiny.
Senator Al Franken, a Democrat from Minnesota, fired off a letter to Carrier IQ on Thursday demanding answers. Franken said he is "very concerned" by reports that the software "is logging and may be transmitting extraordinarily sensitive information."
He's far from the only one with those concerns. To top of page
If your phone is rooted, can you remove this software? And if you remove it....will it mess up anything on the network?
http://money.cnn.com/2011/12/01/tech....htm?hpt=hp_c1
NEW YORK (CNNMoney) -- Carrier IQ is a piece of software installed on millions of mobile phones that logs everything their users do, from what websites they browse to what their text messages say.
No, it's not part of some great Orwellian plot; it's a diagnostic tool that carriers say plays a crucial role in helping them assess and troubleshoot their networks. But the recording app, which flew under the radar for years until security researchers drew attention to it recently, is setting off red-alert privacy and security alarms.
It's also spotlighting how little customers -- and, sometimes, the carriers and manufacturers themselves -- know about what goes on under the hood of their data-stuffed mobile devices.
Reports about Carrier IQ's hair-raisingly detailed tracking capabilities began swirling in the tech press several months ago and gained steam after Android developer Trevor Eckhart posted an analysis of the software's data logs.
But on Monday, Eckhart followed up with a 17-minute YouTube video showing how the software secretly runs on his HTC EVO 3D Android phone and logs every key press, every text, and the full URL of every website he visits. It recorded that data even from websites that use security encryption designed to prevent that kind of tracking.
Then word began spreading about just how ubiquitous Carrier IQ's software is. It's on an estimated 150 million mobile devices.
AT&T (T, Fortune 500) and Sprint (S, Fortune 500) confirmed to CNNMoney that handsets on their networks run Carrier IQ's software and transmit information from it back to them. T-Mobile, which was not immediately prepared to comment, also uses Carrier IQ to monitor devices on its network, researchers say.
Verizon Wireless (VZ, Fortune 500) says it doesn't use Carrier IQ's software. It also claims that it doesn't run anything similar, though Verizon's rivals all disputed that, insisting that modern networks can't operate without these kinds of diagnostic tools.
Researchers have found the software on multiple devices running Google's (GOOG, Fortune 500) Android operating system.
Apple (AAPL, Fortune 500) also confirmed Thursday to CNNMoney that the software is running on some of its mobile devices, but the company says it stopped supporting it in the latest version of iOS and will completely eliminate Carrier IQ from all iPhones and iPads in an upcoming software update.
What the logging tool does: Carrier IQ -- and several of its major customers -- say its software is being misunderstood.
Carrier IQ says the core purpose of its tool is to uncover broad trends across a network. Its software can help carriers find out where calls are dropping and why, and zero in on device glitches. If a specific handset line from HTC, say, has a battery life problem, Carrier IQ's software will help surface the problem.
Sprint, for example, said it uses Carrier IQ to root out network problems.
"We collect enough information to understand the customer experience with devices on our network and how to address any connection problems," Sprint said in a prepared statement. "We do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint."
But as Eckhart's video and other security investigations have illustrated, Carrier IQ is logging a shockingly extensive cache of data.
In response, Carrier IQ issued a statement saying that it doesn't "record," meaning it doesn't actually transmit to the carriers or anyone else, most of the information it stores on phones.
It's a technical but meaningful distinction. Sprint and AT&T said that they do not and cannot collect the kinds of detailed information that the Carrier IQ software tracks on the phone.
Independent security analyst Dan Rosenberg has studied Carrier IQ's software and several wireless providers' user of it. As he puts it: "People need to recognize that there's a big difference between recording events like keystrokes ... and actually collecting, storing, and transmitting this data to carriers, which doesn't happen."
He added: "After reverse engineering Carrier IQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data."
Still, he didn't let Carrier IQ off the hook completely. There are significant privacy concerns -- which both Carrier IQ and its customers seem to have overlooked -- associated with having a big chunk of personal data stashed on your phone.
Rosenberg called that software design approach "pretty bad."
Christopher Soghoian, a cyberprivacy researcher and fellow at human rights organization Open Society, echoed that view.
"Carrier IQ doesn't seem as nefarious as incompetent, but that may not be enough to allay the legitimate concerns of the public," he said. "There would be huge issues if this data were transmitted to a carrier, but even if not, it presents huge concerns. This would be a gold mine for a hacker."
Soghoian thinks that Carrier IQ has far more access and stores much more information on phones than it should.
Yet users are essentially powerless to stop it. The software is so buried in the device's operating system that the average consumer can't possibly delete it, and doing so would void the phone's warranty.
"It's not reviewed by Google's security team, it's not audited, it may not get regular security updates, and you really don't want one app to have all that information," Soghoian noted.
Google insisted that Carrier IQ is installed at the manufacturer and carrier level. A company spokesman said it had no involvement with the software's appearance on its Android devices.
One thing is clear: This mess isn't over. What began as a wonky technical issue is becoming the subject of widespread public scrutiny.
Senator Al Franken, a Democrat from Minnesota, fired off a letter to Carrier IQ on Thursday demanding answers. Franken said he is "very concerned" by reports that the software "is logging and may be transmitting extraordinarily sensitive information."
He's far from the only one with those concerns. To top of page
If your phone is rooted, can you remove this software? And if you remove it....will it mess up anything on the network?
12-02-2011, 07:07 AM
#2
Moderator
Even I don't have the technical expertise required to remove it. Its fragments of code scattered across the entire kernel. Its compiled into the kernel and runs undetected as a root kit. The logging is so deeply integrated that by removing files which contain CIQ, your device would not boot. It would take weeks of programming to remove it, then you compile a new kernel and install it on your device... then your apps would start failing.... yep, its in your email, browser, and other parts... its called a root kit because it runs undetected and causes undesired activity.
12-02-2011, 10:07 AM
#3
Administrator
Join Date: Oct 2002
Location: ɯooɹpǝq ɹnoʎ
Posts: 13,943
Likes: 0
Received 0 Likes
on
0 Posts
Vehicle: ǝdnoɔ sısǝuǝƃ
it's horrible from a security standpoint. the fact that people are able to identify that it's there and read it means that applications can be created (or code hidden within applications) to read and transmit the data within Carrier IQ. That is disturbing. Passwords, Credit card info, anything you want can be out there.
Imagine if Angry Birds had a piece of code inserted to read Carrier IQ and broadcast it somewhere?
Worldwide fail.
Imagine if Angry Birds had a piece of code inserted to read Carrier IQ and broadcast it somewhere?
Worldwide fail.
12-02-2011, 10:15 AM
#4
Moderator
That's what TrevE did. He made an application that requires no special permissions except internet access. Its able to read this data and transmit. Its mostly on HTC devices that the holes exist. Search for XDA articles regarding TrevE
