Slashdot Mirror

← Back to Stories (view on slashdot.org)

CarrierIQ: Most Phones Ship With "Rootkit"

Posted by Unknown on from the your-keystrokes-may-be-monitored-for-qa-purposes dept.

First time accepted submitter Kompressor writes "According to a developer on the XDA forums, TrevE, many Android, Nokia, and BlackBerry smartphones have software called Carrier IQ that allows your carrier full access into your handset, including keylogging, which apps have been run, URLs that have been loaded in the browser, etc." Since this was submitted, a few more details have come to light. The software was designed to give carriers useful feedback on aggregate usage patterns, but the software runs as root and the privacy implications are pretty severe.

28 of 447 comments (clear)

  1. but but but... Apple by Anonymous Coward · · Score: 5, Insightful

    With a walled garden, Apple keeps the carriers out too.

    1. Re:but but but... Apple by Anonymous Coward · · Score: 1, Insightful

      oh boy you are so naive and wrong about that

    2. Re:but but but... Apple by Pieroxy · · Score: 3, Insightful

      With a walled garden, Apple keeps the carriers out too.

      Yes, walled gardens have pros and cons. This is definitely a pro in my book.

      --
      Write boring code, not shiny code!
    3. Re:but but but... Apple by Tr3vin · · Score: 2, Insightful

      Unless, of course, those walls have security cameras mounted on them.

    4. Re:but but but... Apple by sribe · · Score: 4, Insightful

      ...but that's acceptable since you're getting the phone at a huge discount.

      I don't even believe that. As long as you continue to pay your contract, you should be able to unlock the phone.

    5. Re:but but but... Apple by pancake_lover · · Score: 1, Insightful

      [citation needed]

      --
      Homer no function beer well without.
    6. Re:but but but... Apple by hawguy · · Score: 3, Insightful

      Care to explain how it doesn't keep the carriers out of the phone? Last I checked, and yes employing traffic monitoring is standard on my network, there was no remote access nor capabilities to do so.

      How did you check when you have no access to the IOS source code and no idea what it's really doing? Would you really know it if AT&T had some code buried in the kernel that sends your tracking data in some GSM control messages that aren't accessible in user-land on the phone? Making a phone work with a new carrier is more than just slapping a new radio in it -- there's software involved as well.

    7. Re:but but but... Apple by LordLimecat · · Score: 5, Insightful

      Article is a load of crap, they give no details on how they know its there. They show screenshots of 2 android phones with visible GUIs which show CIQ, and then claim its on iPhone and Blackberry as well. Sorry, Ive dug through all the servicebooks on several blackberries (8250, 9600, 7200) and Ive never seen a CIQ service book.

      And as for this statement...

      According to TrevE, the software is installed as a rootkit software in the RAM of devices where it resides. This software basically is completely hidden from view and in it virtually invisible,

      Someone doesnt understand the volatile nature of RAM, or is terrible at communicating. Rootkits dont reside in RAM, because then they would be removable with a battery removal. As for "completely hidden", why then does he have screenshots of a CIQ GUI where theres a "disable CIQ" checkbox?

      The credibility factor of this story is in the negatives, especially when they really dont explain what their proof is and they have one guy on a forum claiming this-- its not even a researcher with a known real name. Who says this isnt a massive troll?

    8. Re:but but but... Apple by kiwimate · · Score: 3, Insightful

      Disclaimer: I don't know what Baloroth's opinions in general are, so this isn't necessarily aimed at you. And I hope this doesn't sound too snide.

      That said, this is where I see a double standard in Slashdot from time to time. Go back to stories about broadcasting SSIDs and setting up computers and so forth. Most Slashdotters tend to say it is on the part of the consumer to understand, read manuals, etc. Setting up encryption, for example - the prevailing opinion on here is that that that is just part of the modern world in which we live, and if consumers can't be bothered to read and understand, then they get what they deserve.

      I think that's a pretty cavalier and smug attitude. Beyond that, however, if the same attitude doesn't work both ways, then I'm not terribly sympathetic. I don't understand all the legalese when I sign a mortgage, say...so I make sure I ask someone. And if I don't understand, I don't sign until I do. (And it's been pretty amazing. Example a - watching the glib sales girl who breezily said "read everything, take your time" and then got visibly cooler in her attitude when I proceeded to do just that. Example b - the Wells Fargo reps who responded "umm, we don't know" when I asked them what a particular phrase in their mortgage paperwork meant, and didn't think it was a problem to say "but it's standard language, so it's okay to sign anyway".)

    9. Re:but but but... Apple by The+Moof · · Score: 5, Insightful

      They are not legally binding in sane jurisdictions.

      That, right there, is the catch. If you're in the US, you're not in a sane jurisdiction. Have you seen some of the egregious things they've been putting in EULAs these days that are actually being held up in court?

  2. Cyanogen by Tsingi · · Score: 4, Insightful

    Nice.

    Buy a phone you can root and put CyanogenMod on it. It works great!

  3. Re:Doesn't Matter by Anonymous Coward · · Score: 5, Insightful

    In open source, the user can do whatever he or she wants with the software.
    In proprietary software, it's the other way around.

  4. Re:Doesn't Matter by WorBlux · · Score: 5, Insightful

    But many of the drivers and first stage bootloaders aren't

  5. "Smart" phones are a dumb buy. by WorBlux · · Score: 1, Insightful

    This is why I'm not buying a "smart" phone until until they release one with a fully open software stack (excluding the little bit of firmware that controls the cellular modem.)

  6. Re:Doesn't Matter by ByOhTek · · Score: 5, Insightful

    I think the GPs point is that, in this case, the latter can also be true for open source software.

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  7. Re:Troll this guy down to where he belongs. by Anonymous Coward · · Score: 1, Insightful

    Absence of evidence != Evidence of absence... Anyone even vaguely familiar with scientific principles (or information security) should know this.

  8. Re:Doesn't Matter by Bert64 · · Score: 3, Insightful

    But the point is that an open version is available, and thanks to third party mods like cyanogen if you don't like the version shipped with the phone you can replace it...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Re:list? by Anonymous Coward · · Score: 4, Insightful

    I can only speak for my Employer... BlackBerry: 0
    It's a very misleading article. Yes it shows that a "root kit" install has appeared on an Android device, but it is clear that the author has no idea about the security restrictions applicable to BB devices. Want to block your Carrier's Application? Simply go to Security Options -> Advanced Security Options -> Certificates. Find your Carrier certs and revoke them. It won't block your phone calls, or data connections, but any app which your carrier has installed to your device with a Service Book will be prevented from running.
    Oh, and you can also see exactly what modules are stored on your device under the Options->Applications listings. I seriously doubt you will ever find this stuff in there.

  10. Re:Doesn't Matter by marcosdumay · · Score: 4, Insightful

    Or maybe his point was that, if Android was really open such things would be easy to fix.

    --
    Rethinking email
  11. A troll, by any other name would smell as awful... by jeffmeden · · Score: 3, Insightful

    Jesus, mods, way to fall for a troll. Parent should be (Score:-5, Lying). There is no suggestion in any of the articles on this subject that the iPhone has this software, other than a CarrierIQ job requirement listing iPhone experience as optional...

  12. Re:Really? by gstrickler · · Score: 3, Insightful

    There is a HUGE difference between knowing who you call or what websites you visit (available from network info) and knowing which apps you're using or monitoring your key strokes. The latter is none of their business, and key logging can allow them to access your passwords. That's completely inappropriate and probably a crime.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  13. Re:Doesn't Matter by Tharsman · · Score: 1, Insightful

    I'll tell my grandma to go do that right away! She is always paranoid about her privacy, I'll tell her all she needs to do is get cyanogen and replace her OS!

  14. Re:Doesn't Matter by Runaway1956 · · Score: 4, Insightful

    What Marcos said. Android is not "open source". It's "kinda sorta open to downstream proprietors, but not to end users", which is not open source at all.

    I'm one who likes a lot of what Google does, but I'm no blind fanboi. Google dropped the ball when they permitted downstream customers to close their source. And, that's why I'm using a "dumb phone"*, with no plans to upgrade. I'm not about to pay the phone company hundreds of dollars, PLUS an exorbitant contract fee, so that they can spy on me.

    * It should be noted that even old "dumb phones" are pretty easy to spy on, albeit to a lesser extent than is exposed in this and other recent articles.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  15. Re:Doesn't Matter by zill · · Score: 5, Insightful

    No, you cannot replace the first stage bootloader and the baseband, so they will forever remain proprietary. There is no way to have a working Android phone without running proprietary code unfortunately.

    You can, however, get Android running without relying on proprietary code. It just won't work as a phone unfortunately.

  16. Re:2 Questions by dukerobillard · · Score: 1, Insightful

    1) Don't buy your phone from a Carrier. I bought my Nexus One from Google. I bought my previous (non-smart) phone from some guy on Ebay.

  17. Re:Doesn't Matter by Drakino · · Score: 4, Insightful

    Only parts of Android are open source. Other parts, including key infrastructure pieces and the majority of apps people use that ship on the devices are closed.

    And open source here is a license that doesn't require Google to disclose the source when shipping, leading to every Android Honeycomb tablet that shipped this year being a closed platform until this week.

    Google has severely muddied the meaning of open and open source compared to what we are used to from the GPL and Linux worlds.

    Never let your hatred of Apple, Microsoft or whoever to cloud your judgement of the companies you do cling to. Google's "open" message is eerily similar to FUD messages Microsoft was spreading in the 90s when it came to Java and "open computing". The quicker we hold these companies accountable, the quicker it improves. Getting stuck in fanboy wars and putting on the blinders helps no one.

  18. Re:Doesn't Matter by adolf · · Score: 4, Insightful

    There is no spoon.

    --
    Kid-proof tablet..
  19. Re:Doesn't Matter by nurb432 · · Score: 3, Insightful

    Google dropped the ball when they permitted downstream customers to close their source

    And if they hadn't, no manufacturer would have adopted it.

    --
    ---- Booth was a patriot ----