Slashdot Mirror

← Back to Stories (view on slashdot.org)

CarrierIQ Tries To Silence Security Researcher

Posted by Soulskill on from the good-luck-with-that dept.

phaedrus5001 sends this quote from a story at Wired: "A data-logging software company is seeking to squash an Android developer's critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company's training manuals from his website. Though the software is installed on millions of Android, Blackberry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user's phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent." The EFF is hosting PDFs of CarrierIQ's C&D letter, as well as their response on Eckhart's behalf.

23 of 216 comments (clear)

  1. He should remove it. by Pastor+Jake · · Score: 5, Funny

    My Brothers and Sisters in Christ,

    This man is working to remove software which can be used to identify pedophiles, rapists, and other ungodly characters which are plaguing this nation. He should be brought to justice for undermining our government's attempt to keep our land free and Christian. I propose that we take this software a step further, and have it display a random Bible verse on bootup of the device, in order to spread Christ's message to the unsaved.

    God bless,
    Jake

    1. Re:He should remove it. by Ethanol-fueled · · Score: 5, Insightful

      While you are just trolling, the ultimate goal of the "total information awareness" program is in fact to quantify data used to predict events before they happen. This especially applies to the concept of "pre-crime," where your data would be fed through an algorithm. If your actions are undesireable to the establishment, then you will be followed and arrested with the first excuse they can muster.

      And a fact most appropriate to your user ID - Religious lobbying in America has increased 500%. Among the most important issues of religious lobbying groups are:

      - The relationship between church and state (pissing on that thing we call the constitution)
      - Civil rights and liberties for religious and other minorities(like the gays?)
      - Bioethics and life issues, including abortion, capital punishment and end-of-life issues(force people to have kids they don't want and prevent people in constant paint to pass peacefully, generally impede scientific progress)
      - Family/marriage issues, including definition of marriage, domestic violence and fatherhood initiatives(great job in the bible belt, with its higher rates of divorce)

      So yes, this is all related, because Christians are in charge of America, and Christians believe that everybody else should be subject to the same overbearing parenting that Christians were subject to as children. Big brother is their way of foisting their so-called "morality" upon everybody else, willing or unwilling.

    2. Re:He should remove it. by shutdown+-p+now · · Score: 5, Funny

      I propose that we take this software a step further, and have it display a random Bible verse on bootup of the device

      It's a wonderful idea, brother, but I would like to clarify something important first: KJV or NIV?

    3. Re:He should remove it. by jamesh · · Score: 5, Funny

      My troll-o-meter is pegging a 10, but it could be a poes law false positive.

      Yeah I got that too. You can never quite tell... some people really are that crazy. I think the "display a random Bible verse on bootup of the device" is a bit of a giveaway though. A smiley face emoticon at the end of the post would have been nice.

      Having an app that displays random bible excerpts each time you turn on your phone would be cool, although they'd have to be brief, eg:
      "kill every woman who has slept with a man"
      "save for yourselves every girl who has never slept with a man"
      "kill every man in the town. But you may keep for yourselves all the women"
      The more it can be taken out of context, the better!

  2. Carrier IQ's PA on the matter by RetailResTech · · Score: 5, Informative

    Looks like CarrierIQ is trying to save face in their PA http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf I wonder, I'm not entering a contract with CarrierIQ, are they collecting this data to their own servers then sending the data to the carriers or are the carriers collecting the data?

    1. Re:Carrier IQ's PA on the matter by Anonymous Coward · · Score: 5, Insightful

      With the facts provided by your google research, with your search results tailor by google based on their analsys of your browsing behaviour...

  3. CarierIQ Protocol? by Guppy · · Score: 5, Funny

    the software secretly chronicles a user's phone experience, from its apps, battery life and texts.

    Let's hope someone succeeds in reverse engineering and implementing a copy of the CarrierIQ protocol, as I wish it to be known that my favorite App is the "Nude Crocheting Pocket Guide", and my current battery life is "Purple".

    I will also be happy to forward my texts (which I shall not utter here) to the phone company as well, as soon as an international SMS character set for the language of Morder is approved.

    1. Re:CarierIQ Protocol? by BenJCarter · · Score: 5, Funny

      Three tablets for the Executive-kings under the sky,
      Seven smart phones for the Dwarf-lords in their halls of silicone,
      Nine voice phones for Mortal Men still doomed to work,
      One App for the Dark Lord on his dark throne
      In the Land of Mordor where the Servers are built.
      One App to rule them all, One App to find them,
      One App to phreak them all and through the internet pwn them
      In the Land of Mordor where the hackers lie.

      --
      For in politics, as in religion, it is equally absurd to aim at making proselytes by fire and sword. - Publius
  4. Re:Why blame CIQ? by saihung · · Score: 5, Informative

    Did you read any of the linked documents? The criticism against CarrierIQ is not necessarily about what they're making, but that they are trying to shut this man up for telling the truth about their products under the guise of copyright claims. That deserves criticism, and lots of it.

  5. Ha! by Anonymous Coward · · Score: 5, Funny

    Let's see them track me on my landline! They'll never know where I am!

  6. Re:Most importantly... by TheyTookOurJobs · · Score: 5, Informative

    Root your phone and load a custom rom, that will take care of a few problems. CIQ, Bloatware, and you can freely tether your internet.

  7. Streisand effect? by sdavid · · Score: 5, Informative

    They'd better watch out for the Streisand Effect.

  8. does this really matter? by miserere+nobis · · Score: 5, Insightful

    I don't know how even on Slashdot there are some people who tend to argue "what do I care, if I'm not doing anything bad with my phone?" Let's get rid of that before it gets started here. I have a Samsung, Android, Sprint phone. That means I apparently have a logger installed that can track every key I press, every message I send, every web site I visit. That means that Sprint, Sprint employees, and whosoever Sprint or its employees should share this information with, whether that be government, advertisers, companies or individuals with malicious or invasive intent, whether this is shared on purpose or by accident or security breach, has access to such things as:

    • * All my bank accounts
    • * My email accounts
    • * All my associates, how often I call them, and what I say to them via text message
    • * The password to my KeePass database and every password stored therein

    • Phones are not just text messaging and dialing devices anymore. A keylogger on my phone is equally offensive as a keylogger on my home PC, and has the potential for just as great a compromise of my life's privacy and security. I have no control over the security with which Sprint or anyone else transmits or stores my personal information, and even more importantly, they have no right to have it in the first place. Besides the fact that the FBI has a well-known history of tracking the lives of many private citizens with politically motivated intent, I certainly do not care for the idea of private corporations and whoever works for them having all of my passwords and knowing where all my accounts are. There is no reasonable argument for why I should think this is okay. I do not have to be doing anything illegal for me to reasonably object to my mobile phone company having, or storing (with who knows what security), a back door into every single piece of my life. Somebody whose involvement in my life is supposed to be merely providing me with telephone service does not need and has no right to expect the master key to my whole digital, financial, social, and business life.

      I will be contacting Sprint and asking them for a means to permanently remove this software from my phone. If they are unwilling (which they probably will be, but they need to actively hear a complaint from me and everyone else so they understand the offensiveness of their actions), I will have to go down the "root it and fix it myself" path. I hope the rest of you with affected phones will do the same.

    1. Re:does this really matter? by exomondo · · Score: 5, Informative

      As I understand the article this only tracks:

      key presses on the dialing pad. So they can see what phone number you called, but not what you type in general. When a text is received, not the content of the text

      FTFA:
      “We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

      He answered “probably yes” when asked whether the company could read the text messages if it wanted.

  9. Cease & Desist fail??? by OzPeter · · Score: 5, Funny

    Is it me, or is the first point in the "Agreement" that CarrierIQ wants Eckhart to sign actually imply that CarrierIQ is performing the illegal copying???
     
     

    I _______, agree to immediately
     
    Cease and desist your unlawful copying of the Training Manuals

    --
    I am Slashdot. Are you Slashdot as well?
  10. Re:Why blame CIQ? by miserere+nobis · · Score: 5, Insightful

    This is like saying that a person who follows and videotapes everything you do, from your bedroom moments to your PIN-entering moments, serves a legitimate purpose by being able to report usage metrics on how well your shoes meet your needs in getting you from place to place, and that the existence of the Nike Stalker Program therefore, because it can help bring about better footwear, is a Good Thing. Highly misplaced acceptance. While I would be happy to see my shoe companies take an active interest in how comfortable or uncomfortable I am while wearing their products for certain types of activities, subjecting me to complete surveillance in order to carry this out is inappropriate, morally wrong, personally unacceptable, and falls very much into the Bad Thing category.

  11. Re:Why blame CIQ? by Nursie · · Score: 5, Interesting

    Wait, he shines the light of day on a key logger, data recorder and total invasion of privacy, customised for carriers so there are no opt-outs, and he's beating up on them for no reason?

    Jesus....

  12. Does rooting and CM7 get rid of it? by EmagGeek · · Score: 5, Interesting

    This is the only question I have right now. It's only a minor process to root my phone and install CyanogenMod on it.

    Someone I was speaking with today was theorizing that there is actually a hypervisor layer running on smart phones, so even if you do root it, you're still not really getting raw access to the hardware - you're just rooting one VM, and this spyware runs in the hypervisor. I don't know how true this is, but I figure someone here knows.

    1. Re:Does rooting and CM7 get rid of it? by Anonymous Coward · · Score: 5, Informative

      Hypervisors aren't that stealthy, and can be made to reveal themselves quite easily once you perform a trapped instruction. Aside from the massive research cost in coming up with some kind of truly stealthy hypervisor, it would also significantly increase unit costs. So no, there's no hypervisor.

  13. Re:Why blame CIQ? by Zero__Kelvin · · Score: 5, Insightful

    "The problem is that you should be allowed to opt out. "

    Actually, it should be opt-in.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. Re:Why blame CIQ? by Anonymous Coward · · Score: 5, Interesting

    I work for a handset OEM. The requirement to install CIQ on a handset is a mandatory requirement that has come in over the past year or two - the last phone we did just missed having to have it implemented. It is the carriers who get the logging information and we have to do the porting. I agree that users should absolutely have the ability to opt-out of this kind of snooping, but so far there's no requirement for such a setting. I *do* expect to see it very soon though if the carriers know what's good for them. Pressure to drop preloaded craplets worked with Sprint and to a certain extent AT&T, so I expect those to be first with an amended set of requirements, if indeed they don't drop CIQ like a stone for all the bad press they've caused.

  15. You might want to send something like this to them by Tuxedo+Jack · · Score: 5, Informative

    Ms. Woods,

    I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device and zero disclosure that it was installed or of its capabilities.

    My device contains HIPPA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.

    After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.

    If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.

    Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing it against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates in order to determine the capabilities of the software as best I can.

    To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.

    If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.

    I remain,

    INSERT_NAME_HERE

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  16. Re:You might want to send something like this to t by maevius · · Score: 5, Insightful

    Although I would like this to work, I'm familiar with PCI-DSS and I'm pretty sure that it's your fault for keeping this data on a cell phone which is not PCI-DSS compliant and not the carrier's/CarrierIQ's