Slashdot Mirror


CarrierIQ Tries To Silence Security Researcher

phaedrus5001 sends this quote from a story at Wired: "A data-logging software company is seeking to squash an Android developer's critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company's training manuals from his website. Though the software is installed on millions of Android, Blackberry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user's phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent." The EFF is hosting PDFs of CarrierIQ's C&D letter, as well as their response on Eckhart's behalf.

8 of 216 comments

  1. Carrier IQ's PA on the matter by RetailResTech · · Score: 5, Informative

    Looks like CarrierIQ is trying to save face in their PA http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf I wonder (I'm not entering a contract with CarrierIQ): are they collecting this data to their own servers and then sending it to the carriers, or are the carriers collecting the data?

  2. Re:Why blame CIQ? by saihung · · Score: 5, Informative

    Did you read any of the linked documents? The criticism against CarrierIQ is not necessarily about what they're making, but that they are trying to shut this man up for telling the truth about their products under the guise of copyright claims. That deserves criticism, and lots of it.

  3. Re:Most importantly... by TheyTookOurJobs · · Score: 5, Informative

    Root your phone and load a custom ROM; that will take care of a few problems: CIQ, bloatware, and you can freely tether your internet.

  4. Streisand effect? by sdavid · · Score: 5, Informative

    They'd better watch out for the Streisand Effect.

  5. Re:Does rooting and CM7 get rid of it? by Anonymous Coward · · Score: 5, Informative

    Hypervisors aren't that stealthy, and can be made to reveal themselves quite easily once you perform a trapped instruction. Aside from the massive research cost in coming up with some kind of truly stealthy hypervisor, it would also significantly increase unit costs. So no, there's no hypervisor.

  6. Re:does this really matter? by exomondo · · Score: 5, Informative

    As I understand the article this only tracks:

    - key presses on the dialing pad, so they can see what phone number you called, but not what you type in general
    - when a text is received, not the content of the text

    FTFA:
    “We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

    He answered “probably yes” when asked whether the company could read the text messages if it wanted.

  7. You might want to send something like this to them by Tuxedo+Jack · · Score: 5, Informative

    Ms. Woods,

    I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device with zero disclosure that it was installed or of its capabilities.

    My device contains HIPAA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.

    After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.

    If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.

    Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing them against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates, in order to determine the capabilities of the software as best I can.

    To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.

    If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.

    I remain,

    INSERT_NAME_HERE

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!

  8. Re:RTFP! by quixote9 · · Score: 4, Informative

    Actually, no. EULAs, TOS, whatever, which contravene actual laws, are invalid. You couldn't, for instance, bury a clause in a sale contract stipulating that by signing the buyer had agreed to be your slave. Or, you could, but it wouldn't hold up in court.

    And that's the problem. Very few of us have the money, energy, or time to fight all the bullshit contracts we have to sign. So they haven't (yet) been thrown out of court. That doesn't change the fact that they're garbage.