CarrierIQ: Most Phones Ship With "Rootkit"
First time accepted submitter Kompressor writes "According to a developer on the XDA forums, TrevE, many Android, Nokia, and BlackBerry smartphones have software called Carrier IQ that allows your carrier full access into your handset, including keylogging, which apps have been run, URLs that have been loaded in the browser, etc."
Since this was submitted, a few more details have come to light. The software was designed to give carriers useful feedback on aggregate usage patterns, but the software runs as root and the privacy implications are pretty severe.
It doesn't matter because Android is open.
That's all that matters.
With a walled garden, Apple keeps the carriers out too.
Nice.
Buy a phone you can root and put CyanogenMod on it. It works great!
I assumed people already knew this. I mean phone companies know who, where, when, and for how long you call anyone, you would have to be pretty naive to believe that they aren't tracking your web usage just as closely.
How to identify and remove this application would be nice...
This is why I'm not buying a "smart" phone until they release one with a fully open software stack (excluding the little bit of firmware that controls the cellular modem.)
...I need to root my phone and install a mod onto it.
Here's hoping there's a stable mod for the Incredible 2, because last time I looked they were all pretty flakey.
What do I know, I'm just an idiot, right?
An open terminal with great reviews
I bet the bandwidth it uses to send this data back to the carrier is deducted from our monthly cap too...
Basically your carrier has a way to precisely know what the fuck you did and your phone died. Instead of playing the guessing game at customer support. It even has an opt-out option.
http://www.xda-developers.com/wp-content/uploads/2011/11/CIQoverview.png?139d23
How is this different than the information any new software collects to improve your experience, providing you with an opt-in/out option as well?
Why is this bad again?
that should get asked about the article
does cyanogenmod mitigate this threat? if not how about whispercore? could whisper systems in the future detect and correct this
rootkit?
can rootkit detection systems presently available in linux detect and successfully help a hacker to remove the rootkit?
Good people go to bed earlier.
How much battery drain does this app cause? Is this un-killable, always on, always logging service part of the reason we see inconsistent battery drain across a large group of devices?
Twit, please link to the articles that reveal apple has key-loggers on the iPhone or get off your "I'm kewl and a free-thinker because I hate Apple" pedestal and make comments you can actually back up.
This should surprise no one. Phone carriers are consumer hostile and one of Android's selling points is that it is more "carrier friendly" than the iPhone.
Apple's biggest contribution to the mobile device market is and was wrestling control away from carriers. I recognized this from day one and I've enjoyed my iPhone since.
I will trust Apple over any mobile phone carrier. Period.
When I rooted my Vibrant and stripped out CIQ, the performance went through the roof. Logging every single thing a user does takes a toll apparently.
The soylentnews experiment has been a dismal failure.
how "the land of the free" also means that the companies are free to rape your privacy. Hooray for the ultimate freedom. Nothing but hard work to keep up to date on who is abusing you.
Those who can, do. It has always been true with technology. As we get older and see more of the effects, we are more aware, more affected. Privacy has been shrinking along with the open terrain since the Garden of Eden (metaphorically speaking). In 100 years, the privacy issues will extend into our subconscious minds. This seems inevitable as much as it seems disturbing. I guess that is why we grow old and die.
Does anyone have a list of the phones/carriers that implement this?
"many Android, Nokia, and BlackBerry smartphones" doesn't really help us.
Soooo.... is data sent to them by this app exempt from your data cap and data usage rates? if not, perhaps someone can start a class action and make them bleed.
This sounds very similar to the Microsoft CEIP (Customer Experience Improvement) data collection that is strictly opt-in. The difference? Nobody gets to opt-in (or out) of this smart phone based one. But it is probably for the same intent - figure out what features get used, which don't get used, which may be confusing, etc. It would be nice if Motorola would use this to figure out how many people replace their Blur launcher with something else. Maybe they would stop development on Blur if they knew. Now, this should be opt-in. End of story. The purpose probably isn't nefarious at all. But it should be opt-in.
In typical slashdot style, I'm seeing a lot of In Soviet Russia jokes, and a lot of apple vs android comments. Why is nobody asking the real questions?
1. How can we as users detect if our phones are running this software?
2. Does a completely custom ROM negate this? (Cyanogen, etc.)
3. Is it possible to remove or deactivate it on a rooted phone with stock ROM?
And so on. Generally speaking, we should be asking the how's and why's on this. Not talking about setting carrier CEOs on fire.
1) How can you authoritatively determine the android phone you are about to buy doesn't have Carrier IQ installed, BEFORE you buy it?
2) If you already have an android phone, (how) can you check for and uninstall Carrier IQ?
ever since I saw that this application was granted literally *every* permission in the android SDK, I made a point of killing the process after every reboot :P
...namely "In the United States". I -- like most people around here -- buy my phones from consumer electronics retailers, not mobile phone carriers. I guess you don't have that luxury.
What are the "pros" to pounding yourself in the crotch with a sledgehammer?
Especially coming from someone whose nick is "larry bagina".
Set your phasers on "funky"!
Carrier IQ is also present on the iPhone.
-nt-
I8-D
Tons of jobs on offer at CarrierIQ
Android is clearly the target ... Integrate our library onto new Android releases and OEM hardware platforms."
"Design, implement, extend and port our Java and C/C++ components of our mobile software technology for Android.
"The embedded device agents are currently shipped on more than 75 million devices across numerous device manufacturers and models. The solutions can be deployed across multiple wireless technologies such as CDMA2000, GSM, UMTS/WCDMA, WiFi, and device types such as feature phones, smart phones, PDAs, data cards."
My phone company sends me the rootkit data. It is called an itemized phone bill.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Jesus, mods, way to fall for a troll. Parent should be (Score:-5, Lying). There is no suggestion in any of the articles on this subject that the iPhone has this software, other than a CarrierIQ job requirement listing iPhone experience as optional...
Stallman doesn't sound so crazy now...
Knowledge is power; knowledge shared is power lost.
replying to undo mod. I fell for it. I'm a little trigger happy handing out the mod points.
No?
Then it's not an agreement, is it.
Here you go jackass. http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/
If you weren't a dumbass, you could have clicked some of the links in TFA and found this out yourself.
"CarrierIQ is confirmed to be found on the iPhone or on feature phones, but Trevor has found RIM’s Blackberry handsets and several Nokia devices with CarrierIQ on board as well." This would be so poorly worded otherwise, that it is hard to believe that the author didn't simply mean to write "not confirmed". That, and all of the articles by Trevor (and those in the scene) make NO mention at all about the iPhone.
From what I have read, and bearing in mind the amount of information is limited, but iOS is indeed capable of carrying the CarrierIQ software and there are versions of the iPhone out there with it already installed OR at least that is the suggestion from this particular site:
http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/
I don't have an iPhone, so I don't care either way personally.
If they did, Apple would probably sue them for infringement.
I am something of a self-confessed google fan-boy - though the lustre of theirs has been very much tarnished by things they have done lately, such as keeping 3.x out of AOSP - amongst many other things. Generally my love of google is pretty low at the moment.
But, I personally don't really hold Google responsible for any of this. They make an OS. Did Microsoft get blamed when Sony had that DRM root-kit flooding CDs?
Or would you blame ubuntu if a fork of ubuntu carried a similar piece of software? Even if it were an ubuntu sanctioned derivative work?
Ultimately though, what control would Google have over people doing this? Probably not a lot. The device makers make the ROMs and (probably) customise them for the carriers; the fact that an app is capable of doing such a thing is unsurprising given it operates at the root level, and I doubt there would be much from the Android side you could really do to stop it from occurring.
However, given it's in the open now, I wonder what the legal (i.e. government) response might be. It could have serious implications for numerous compliance-type privacy issues. I suspect we'll probably see a government probe coming along sometime soon, personally.
A walled garden would not have prevented this.
How do you figure that?
The case in point is obviously Apple. They do not do an end-run around the providers as you advocate for. Yet there is no such software on any iPhone.
The carriers will screw with whoever they can. You have to stand up to them; Apple did, and Google never even tried.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is one of the many reasons why I'll never give up my good old trusty 2G phone. No gizmos or fluff - it makes and receives calls and text messages. That's all I need. Only way I'll get rid of it is if you rip it out of my hands after I die. :)
While Mozilla's Boot to Gecko project may be the answer to this, will the phone network companies allow access to their network if you have B2G installed?
https://wiki.mozilla.org/B2G
I'd call that a feature.
A decent tablet/handheld I can control that doesn't require a tap directly into my bank account and personal information?
Sounds like what Palm OS 5 was promising.
Google hasn't (until recently when it purchased Motorola) really had much skin in the game. Do the Nexus phones have this software? Blaming Google is like blaming MSFT for the malware Dell/HP/etc. put on consumer devices.
Check out my lame java blog at www.javachopshop.com
Yet there is no such software on any iPhone.
Prove it.
And since I'm not wholly unreasonable and know the logical problems of proving a negative (as opposed to you, who seems to have no problem with making factually non-falsifiable statements), I'm sure we'll all be happy to take your word with a notarized deposition from all of the board of directors of Apple, stating that there is no such software on any iPhone, and that they will refund the full original purchase price of any iPhone with such software, as well as tender their own resignations as well as those of every executive in the company.
Also, that if that policy changes, every iPhone that comes with such software after the fact will have this fact displayed in a big, gaudy, shiny red-foil sticker on the box.
Umm, hello? Can you or can you not buy an iPhone directly from Apple? End-run around carriers achieved.
Prove Android is free of spyware first. Just because you get to see the source code doesn't mean it doesn't exist. So go head over to Mountain View to sign up Google's board...
Um, I hate to point it out, but what you just said (prove yours before I prove mine) tells me that you can't prove it, so you're just drawing attention away from it.
All the world's a CPU, and all the men and women merely AI agents
No, I'm just ridiculing the stupidity of your comment.
But I hadn't commented until just then.... Did you even bother to see who replied to you? :P
CAN you prove that the iPhone doesn't have spyware on it? I agree that Android probably does.
All the world's a CPU, and all the men and women merely AI agents
I never said android didn't. GP is the one making claims, not me. In fact, the presence of this story is evidence that Android does. So why are you even posting, for that matter?
Jobs is dead. Get your nose out of his ass already and maybe your knee will stop jerking like that.
the software runs as root and the privacy implications are pretty severe.
Jesus. Next I bet the carriers will start directing all of their customers' cellular voice, data, and SMS traffic through their servers, and maybe even their "strategic partners'" servers as well. Just think of the potential privacy implications of that!
https://www.eff.org/https-everywhere
Wow, impressive argument!
You essentially nullify your own statement and then proceed to insult with vulgarities...
Impressive!
My sincerest apologies... I thought I had verified...
s/your/the/
Personally I doubt that either iOS nor "core Android" (that is to say, what Google releases) has anything truly close to actual, nefarious, spyware. However once Android is turned over to the carriers....
arghh... s/either/neither/ ...oh wait, now I'm into double-negative territory...
s/doubt/believe/
I nullify what statement? That SuperKendall is full of shit?
I'd ask how I did that, but I think getting that much of a glimpse of what's rattling on inside your head there would be like looking on the face of Cthulhu.
Are you functionally illiterate or did mommy just forget to give you your medicine?
And I repeat, "Impressive!"
Oh aye, the core Android likely doesn't, but as far as the stuff the carriers sell us... I wouldn't put it past them.
All the world's a CPU, and all the men and women merely AI agents
Ad hominem: the sophisticated way to say "I lose".
Welcome to the Panopticon. Used to be a prison, now it's your home.
"Yet there is no such software on any iPhone."
What makes you think this?
This and other malware issues (Google deletes them from app store regularly) make Android just seem like Win 98 to me. I was trying to buy my kids an Android tablet last Christmas (none ready for prime time), and now will likely never own an Android product. Getting excited about Windows Phone 7 recently.
How do you figure that?
The case in point is obviously Apple. They do not do an end-run around the providers as you advocate for. Yet there is no such software on any iPhone.
How do you know?
BS
I still remember the rants&shouts until a few years ago, here on ./ too, if a crappily coded dll on any fabulous Windows 98 or XP would ever dare send a single ping to any IP address anywhere in the sphere of interest of Microsoft.
Hordes of people spent entire nights capturing and analyzing each and every bit coming out of their (cabled, then) network interface.
Today everybody calls home or happily violates any far idea of private life still left to connected human beings.
Apple, Google, Facebook: the list can go on forever. Calling home has even become a separate core business for the malware sector. Entire businesses and trillions of dollars rotate around not only a home address (as in the past) but each and every single bit of any private life.
Is that done to improve life (and make it very superficial and foreseeable?) to connect people? Good excuses, but no. It's for the money. Purely and simply for the money. We know you go often to the toilette? Here you go with an ad about our new toilette paper: earning one cent/click a person means huge lots of money.
Only one party hasn't changed policies, compared to years ago. My fingers tremble while I write this: Microsoft.
I trust Microsoft is not betraying my right to privacy.
How low have we gone...
The old internet way used to be silence, but alas, progress!
I have a Samsung Galaxy SII with the current Australian firmware. Based on the information at http://forum.xda-developers.com/showpost.php?p=11763089 CIQ is not installed. I don't know if the standard Samsung firmware as supplied is the same, but it's one of the things I like about my carrier, Virgin. Their phones really are. With Optus or Telstra YMMV.
If my call is important, why am I talking to a recording?
Prove it.
Obviously you can't truly prove a negative but...
I've run the phone at home for a few days on end with a proxy recording all traffic, there were no surprises.
There are other people FAR more obsessive though that would have found such software if it existed - either people like you just DYING to prove something bad about Apple, never mind the jailbreaking guys who have been over the iOS libraries with a fine-tooth comb and found nothing also.
Give it up man, it's as close to proved as it is possible to be. You just look like you have a terrible case of sour grapes going on with your silly denial.
Meanwhile in the other corner there's actual software on Android ACTUALLY creating a real security risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Um, I hate to point it out, but what you just said (prove yours before I prove mine) tells me that you can't prove it
Isn't insisting someone prove a negative basically just a round-about way to say you are an idiot?
The person you were responding to was cleverly pointing this out, basically presenting a construct I will call an "Idiot Motel". Idiots such as yourself follow in (rhetorically speaking) but can't back out once they hug the sticky tar-baby of illogic inside.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Endless surveillance, yet another violation of our rights. The gov’t constantly violates our rights.
They violate the 1st Amendment by caging protesters and banning books like “America Deceived II”.
They violate the 4th and 5th Amendment by allowing TSA to grope you.
They violate the entire Constitution by starting undeclared wars.
Impeach Obama, support Ron Paul.
Last link of “America Deceived II” before it is completely banned:
http://www.amazon.com/America-Deceived-II-Possession-interrogation/dp/1450257437
Don't be so sure. From here:
When CarrierIQ was dubbed one of the Fierce 15, they were working with seven of the top ten major OEM’s, as well as Verizon Wireless, AT&T, and Sprint. Currently, Trevor has found CarrierIQ in a number of Sprint phones, including HTC and Samsung Android devices. CarrierIQ is confirmed to be found on the iPhone or on feature phones, but Trevor has found RIM’s Blackberry handsets and several Nokia devices with CarrierIQ on board as well. CarrierIQ can be seen on your Android handset by installing an app from the Market called AnyCut. From here you will notice IQRD and IQAgent, which are both parts of the CarrierIQ system on the device.
Yes, the Nokia N900 has a pile of closed-source packages. But if it WAS running this CarrierIQ crap (which it isn't, because it's a product direct from Nokia and has never been tainted by any carrier) I could just open up an xterm and type "apt-get remove carrieriq" and get rid of it.
Just install CyanogenMod...
Fork the Droid.
Why I use IPHONE!
Depends on how you interpret it. Perhaps it's loaded up somewhere hidden and encrypted, and then quickly loads into memory in a hidden ramdisk or something similar without any identifiable files otherwise on the filesystem.
I've had my pre-release copy of Gingerbread/2.3 on an Epic 4G disabled remotely (over air) by Sprint because of CarrierIQ. Was running a stock leaked copy of 2.3, and after about a week the phone modem would become disabled (forced to always be in airplane mode). I'd have to reflash the modem portion of the ROM to make the phone usable again. After doing this 3 or 4 times I found a ROM where Carrier IQ was removed. I have not had to reflash the phone modem since (same version of leaked ROM and modem, btw). This is proof in my mind Sprint uses this rootkit for disabling phones. THANK GOD they've found this garbage software and were able to remove it. My question is, do the "Google" Nexus phones have this junk on them out of the box?
I have a Sprint Epic and the dev community for it has been removing CIQ for every release. Why is this just now becoming a public issue?
I do security
As an AnonCoward I can tell you I'd be breaking the NDA if I had a name.
The last project I worked on was a data transfer bridge of between the Hadoop cluster to share information between the code name "Caramel" project (aka Iphone) and AT&T.
The process involves "Tasking" the system to be active or passive during an update; an incoming packet across SMS channel 0 (your mobile provider) provides the access commands for tasking...
Under the guise of providing better coverage, CarrierIQ has a dictionary of approximately 200-odd commands to send. The packets record radio signal strength, length of conversations, calls dropped, GPS locations, as well as any and all devices.
The incoming collection stream allows the map and reduce to effectively identify your relationships (same car, same cell towers switching at the same time, etc.)
If you stalk one person you are a stalker, if you stalk 100s you are a data aggregation and marketing demographic identifier.
Monetization is not the goal here, and would likely lead to more headaches/concerns over the management of said money. I think we want to avoid this angle as much as possible Funny christmas gifts. Hence the post referring more towards physical hardware donation/help
cyanogenmod is free. runs well on my G1. As opposed to what it came with.