Slashdot Mirror
Android Dev Demonstrates CarrierIQ Phone Logging Software On Video
Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article:
"The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"
There is an asymmetry in the system as it works right now. Which private customers have the will, time, and money to sue companies that illegally wiretap their customers? Isn't there anything that can be done against this? (Of, I'm talking about action against CarrierIQ but about action against the carriers that use their software.)
That's just nasty. First try to silence the researcher, then try to deny what's going on when you've already been caught.
The question is, will this have any effect? Will carriers stop shipping this stuff ? Will consumers care?
My guess is no, they'll just try to hide it better in future.
Always been suspicious of the countless android apps that REQUIRE device permissions such as "full internet access", "read phone state and identity" etc...
Clearly that's what it is, it spies to enrich the company at your expense.
What software is actually affected? What phone models? What platforms? What applications?
If it's just AT&T and its victims, well, it's their own private little hell. Otherwise, some facts would be nice.
For now, (quoting from the article), phrase of "millions of Android, BlackBerry and Nokia phones" smacks of cheap propaganda and scaremongering.
Regards,
Ruemere
So, will someone set up a list for which products not to buy?
If I get a phone here in Sweden which is just plain vanilla stock version will that contain the software or is it something the service providers install on "their own" phones?
FTA: "it cannot be turned off without rooting the phone and replacing the operating system"
So even more reason to flash your droid with CyanogenMod or custom ROM of your choice.
Did Eckhart specify if this CarrierIQ could also relay microphone data in any way?
How many people have access services via mobile with their work accounts? More than a few I would guess.
I saw a comment on another website speculating that the NSA might be involved with this. I'm not nearly enough of a tinfoil hat wearer to accept that without any evidence, but I think it says something that this looks big enough that people think it must be a government effort.
Just another example of how Big Brother has gone corporate.
>[..] and an explanation as to what they are using it for, and how they verify that it isn't used for spying on people.
Ever heard of the NSA? This was designed to spy on people. Hmm... the only people interested in this sort of spyware are actual spies and criminals. So any carrier running this on their sets are either criminals or an NSA goal-keeper.
When somebody installs a skimmer on an ATM or fuel pump, there are criminal penalties for (attempted) fraud. How is this software any different?
There's the story about how intelligence was gathered by watching the number of pizza deliveries to the White House.
Imagine how much better this would be. Not only spying for the govt, and by the govt, but for corp espionage.
Company A: Hey, out data shows a number of people at our competitor are gathering at an off-site location...hmmm
rewriting history since 2109
They just need to find an internal cache that never leaves the owner's devices to really highlight this problem in the world's press
Linux is the kernel, neither Opera and Flash are required for the kernel or indeed many a distro ESPECIALLY Debian. There are many alternative browsers to Opera which has a tiny market share and not having Flash doesn't seem to have stopped iOS at all.
So, how does it feel to fail even at trolling?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
would like to know whether apple/AT & T or apple/any other carriers do this on iphone too?
Their program is nothing more than a keylogger.
My karma is not a Chameleon.
I believe this rules out all Android devices with CarrerIQ agents from being used to handle payment card numbers. There's no obvious mention on CarrerIQ's website of PCI compliance or how they protect the user's data. It probably also contravenes SOX, HIPAA and and host of other industry regulations. Bye bye lots of commercial use of Android handsets, especially Blackberry.
...someone with skillz makes a freely installable CIQ clone that sends them back fake, randomly generated results.
You're only jealous cos the little penguins are talking to me.
I mean, really. Android (and the Android market and Android apps) already has grown a reputation of being full of crap and scamware and spyware and Google is somehow very much "we spy on you but in turn everything we offer is free" anyway. With things like that Google and the carriers just nail down Android phones as something you have to sell your soul for getting some free candy. And yes, people love free candy and have not really a use for their souls, but then smartphones aren't free at all. Things like this are just poison for the smartphone business, believe me.
Do they now have your details? What any other passwords you have entered on the device?
why Android phones are so laggy/sluggish.
-- Never hit a man with glasses. Hit him with a baseball bat.
I just checked a Desire HD we have here at work- bought in the UK a year ago, SIM-free, totally stock. No trace of CIQ in running applications. Maybe this is indeed US-only, or perhaps carrier-branded-only.
...wait, it's true, only in Corporate USofA and today!
Read P.K.Dick on world taken over by corporations. He wa a visionary, like so many S-F writers. They have foreseen all things that happen, technically and morally.
In this video, the researcher is looking at debug logs from the phone itself, not network traffic logs showing remote communication. He clearly shows that keystrokes and URLs are being passed to the IQ software running on the phone, but presents no evidence that the data is actually sent to anything outside of the phone.
Has anyone determined what the IQ software does with all this information besides writing it to the debug logger? Is it actually sent somewhere, or saved to persistent storage on the phone? (I'm no Android expert, but I'm under the impression that debug messages are discarded when there's no debugger attached.)
Having this software running in the background is sneaky and certainly makes spying more possible than it would be otherwise, but it's not necessarily the huge immediate privacy violation that everyone seems to be assuming it is.
I can see in the Video that the application gets notified about a lot of stuff, could someone show that the data actually leaves the phone?
So is this a +1 for the iPhone and Apple's need to control their shiz or our they doing the same thing internally? Since CarrierIQ is effectively a key logger doesn't that make it illegal" Are we going to see some legal action here?
"If any question why we died, Tell them because our fathers lied."
I have an AT&T provided Samsung Galaxy and don't see it on that phone. AT&T Support also provided the following:
Please note: Protecting your personal information is one of our highest priorities; hence, you will be required to provide account related information to ensure whom we are working with. Data encryption is also enabled to protect your personal information during this chat session. For more information please go to http://www.wireless.att.com/privacy/ or http://www.att.com/privacy/. Please wait for a site operator to respond.
You are now connected with 'Allison'.
Allison: Thank you for contacting Business Data Support. My name is Allison. Before we begin, can I confirm the wireless number that we will be working with is XXX-XXX-XXXX?
Me: Correct
Allison: I understand you want to know if your phone has CarrierIQ on it, is that correct
Me: Correct
Allison: I'll be more than happy to assist you, one moment please.
Allison: That does not come installed on any of our devices.
Me: Thank you.
Allison: If you need additional assistance specific to your device, you can view our website at http://www.att.com/biztech. We welcome your feedback; please take a moment to complete our Customer Satisfaction Survey. Thank you for your business and have a pleasant day.
Chat session has been terminated by the specialist.
That's probably the next step. Using a WiFi network and a packet sniffer, one ought to be able to see what traffic is generated.
I have an HTC Amaze from T-Mobile, and so far I haven't found any signs of a HTCIQ app. I suppose they could have renamed it, or maybe it isn't present. I will try the logcat thing later to see..
Some other folks were speculating that since you signed an agreement with your carrier that it somehow makes this legal. This is absolutely false. There are certain rights that you can sign away, certainly, but don't think of it like that. Think of it like, "What is Verizon doing with this data and how are they transporting it?"
Here's a few laws and industry regulations they are violating (by recording all keystrokes) off the top of my head:
1) The Payment Card Industry Data Security Standard (PCI DSS): If anyone ever (ever) enters credit card information into their phone (via an app, web page, whatever) that data must be protected according to the DSS (because all the carriers accept credit cards, that is). That means it must be encrypted in transit, when it is stored, and more importantly: certain information must *NOT* be stored (again, ever). For example, if a user enters the CVV2 from their card into an online form the carrier must ensure that this data does not get stored (good luck with THAT regex! hah!).
2) Graham Leach Bliley Act (GLBA). Undoubtedly, personally identifiable financial information is being recorded, transported, and stored without the user's knowledge or consent (each transaction/event would need its own notice and agreement with the carrier). That could add up to literally MILLIONS of violations.
3) Sarbanes Oxley: If they're recording this data they had better damned well keep an audit trail on it and be regularly disclosing that they're doing so to all their investors. They also must have documented controls & procedures and (likely) perform regular audits to ensure that said controls & procedures are being properly followed.
4) They can be held liable for having knowledge of crimes but not reporting them.
5) They can lose their common carrier status: Since they're now recording literally everything users do online they can be held (partially) accountable for what those users do. If you recorded the data you certainly could've audited it for fraudulent activity. "Have you been the victim of a crime that took place over a cell phone? Call the law offices of Sue & Win."
6) There's probably a dozen laws that say you can't intercept and/or store information related to people's banking accounts and financial transactions (unless you're the bank that the customer is interacting with). These laws are the ones that should make the carriers quiver in their boots. Some of these were written specifically to deal with gangsters and organized crime and as such could land executives in prison (not that I think the U.S. Attourney General would prosecute since our government is sadly, "stupidly hard on individual crime but soft on corporate crime").
7) Unless their contract specifically spells out that they're going to record every keystroke you enter into your phone they've opened themselves up to millions of lawsuits. If anyone ever wins one of these it will be game over for the carriers. "verizon" and "at&t" will likely become some of those "$50-per-click" Adwords on Google.
8) If they're not using proper encryption of this data in transit and storage, the PCI DSS will be the least of their problems... That's criminal negligence right there. After hearing all the controls the Payment Card Industry requires of the carriers for something as simple as a credit card number what jury could be convinced of a defense such as, "We didn't know!"?!? I mean, seriously. Forget being fired. If someone knowingly decided it was a good idea to record all keystrokes they should go to prison. It is the penultimate example of why you don't put non-technical people in charge of making technical decisions.
-Riskable
"Those who choose proprietary software will pay for their decision!"
It may just be counting them. From a press release [pdf] Carrier IQ issued about this issue:
While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking
If they count keystrokes they probably do that by adding an eventhandler to the appropriate event and have it add 1 to a counter on each keystroke. If you let a debugger show those method calls I would expect to see exactly what the video shows. The SMS and HTTPS search URL look similar to me: event handlers being called with event data.
Carrier IQ may be doing nothing more than they claim they do: count things. Perhaps they are doing nastier things, but I don't see anything that convinces me of that in this video. The video shows methods being called, not what is being done with the data.
Having said that, I think that a user should be the user's choice to have statistics being collected about him/her. It should be possible to disable Carrier IQ, it shouldn't even be enabled without the user's permission.
Yes another reason to not have a cell phone. I don't have one and don't miss this electonic leash a bit. I intend to enjoy these last few years of freedom before Big Brother REQUIRES us all to carry one. Already various states are thinking of requiring GPS-enabled transponders in cars.
The article says:
"By the way, it cannot be turned off without rooting the phone and replacing the operating system."
Can anyone elaborate on that? Does it mean that also those who flashed cyanogenmod are not safe?
Disclaimer: I have thoroughly reverse engineered CarrierIQ's software.
This issue has been blown out of proportion. CarrierIQ has hooks that respond to events triggered by keystrokes, web traffic, and SMS messages. It also makes the mistake of printing debugging output containing plaintext of some of this data, which is a pretty bad screwup. Additionally, there's no real reason CIQ should have hooks in those places in the first place.
What they don't do is actually store any of this information and report it to your carrier (keep in mind I know this because I actually looked at the application). In terms of what's actually being stored, I've seen no evidence that CIQ is collecting anything more than what they have publicly claimed: anonymized metrics data. That doesn't mean users shouldn't be able to opt-out of this software, since it still represents a potential risk to privacy. But at this point, this whole thing has turned into a witch hunt.
In short, there's a big difference between "look, it does something when I press a key!" and "it's storing all my keystrokes and sending them to my carrier!". This video demonstrates the first, but the second doesn't actually happen. They shouldn't be doing what they're doing, and users should be able to opt out, but this isn't nearly as evil as people are making it out to be.
On his site, while trying to define CarrierIQ as a rootkit, he pulls an excerpt from the definition on Wikipedia that states a rookit "subverts standard operating system functionality." This is absolutely true, but he then goes on to say:
Carrier IQ also subverts standard operating system functionality. For any application, I believe standard operating functionality includes having a descriptively named application; a launcher icon, settings menu, widget, or other method to allow the end user to access the application; and a privacy policy clearly available on the device the application is installed on.
Huh? This guy clearly does not understand what the word "subvert" means. It's tantamount to undermining the functionality of the operating system if you don't have a descriptively named application, a custom icon, a settings menu, widget, and a visible privacy policy? That has got to be the worst grasping of straws I've seen anyone attempt while trying to make a point.
I completely agree with his overall message -- this CarrierIQ thing is ridiculous and I hope they are eventually held accountable for their gross violation of privacy, but seriously now. It's not a rootkit for not having a settings menu, widget, custom launcher icon, or end user friendly application name. It's a rootkit because it can't be shut off and for all intents and purposes tries hard to stay hidden while completely violating the security of anyone using the phone.
How can i hire a team of specialises to read every EULA to make sure my privacy and rights to use a product i buy with my money to be used as i feel.
Is there a way to buy the/a device and use it without signing the EULA?
Can't someone simply write a spoof program to mimic Carrier IQ's output and send them spurious junk?
...capitalists spy on you.
I mean, I REALLY want it. I like it so much that I want my phone to continuously send a stream of keystrokes, URLs, and any other data that fits into their protocol directly to their servers, even if I have to stuff it directly from a random number generator. Hell, can I get 3 or 4 streams going at once? How about ten or more from my PC, tablet, and laptop too? My GPS numbers can demonstrate faster than light travel around the planet! Perhaps a direct feed rebroadcast from live news sites might help them fill their databases. They want data - let's flood them with it until their data is so full of garbage that no one will buy it.
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Any quick way to find, do I have it installed? Non-rooted, factory default firmware, updated over the air to latest Android available for the device, which is 2.3.6.
We rely on the fact that CarrierIQ staff are reliable, trustworthy, vigilant and proactive. In that manner the CarrierIQ System will benefit everyone, not just the government.
Recently a man I knew passed away from a heart attack while attempting to make a 911 emergency call. He managed to dial "9" and "1", but not the final "1". The CarrierIQ system could have detected this and proactively alerted the relevant authorities. The CarrierIQ system is passively relaying data to the overseeing security/police authorities anyways so it is reasonable to request they modify the CarrierIQ system to proactively identify probable emergency scenarioes and help bring aid as soon as possible. Phones could have built-in sensors to activate and confirm the emergency scenario in order to prevent wasted resources from mobilizing.
Of course CarrierIQ has a lot of room for corruption and abuse. That's why these systems need transparency and accountability and other checks and balances. One thing is certain: the general public should pay more attention to CarrierIQ because it is so highly intrusive into our private lives.
Hats off to Trevor Eckhart for being so vigilant.
The video just shows, what events go into the local agent and not wether this information is stored and send anywhere.
It is the normal behaviour of most applications to filter out only a small part of interesting events for further processing.
Lots of other systems (eg desktop Windows for a long time) make pretty easy to get information about other applications input (which did not mean that every application receiving a specific event, is also using it).
So the interesting question would be, what is actually send.
A remark about the privacy policies (and EULAs alike): Do you really believe any user actually reads them (and understands what he is agreeing to)?
man i'm so happy to be rooted and alt-rommed today .... ah ah ah , is this little piece of crapware present on "most" platforms ?
Your argument is idiotic. Android is open source. They can not dictate the actions of the phone companies due to the GPL.
Anyone can roll their own distro with a root kit or spyware installed. The trick is to get the unwitting consumer to drink the poisoned Kool-Aid. Now that consumers have done so, with both Android and Apple products, they have no grounds to lay the blame on Google.
Apple develops the hardware, the OS, and the debugger - and it is all closed source.
Most of iOS is open source.
There could easily be something like CarrierIQ in the closed parts of iOS. However, it would not be useful to Apple unless it phoned home somehow, and that network activity is detectable whether or not the platform source is open.
To a Lisp hacker, XML is S-expressions in drag.
I guess the best way to find out is to call CarrierIQ (Phone: +1 650 625 5400) and ask how to stop/remove that !@*# software ... sorry I tried to be polite
It is not! illegal! for you to agree! to! the! carriers! collection of the data! which! is why! regulation specifically! making it illegal! or! spelling out your rights! is! required! to stop it!
And I prefer to be called Captain Kirk, thankyouverymuch
Seriously, nothing here in Slashdot or on that dude's website will catch the ear of Sprint, Verizon, etc. So take a minute and send an email to let them know you aren't happy about this. If enough people do it and it gets traction, then something might happen.
If you email from your smartphone, then you might not even need to hit the button....
CarrierIQ has posted a notice with (mostly false) information on their website. They include a media contact, Mira Woods, at (617) 513-7020. If you own one of these phones, call them and demand information on how to remove it or opt out of their data collection.
The more people they hear from, the better.
Recording of signal quality, etc., is done by Apple on an opt-in basis. It is off by default.
Apple's refusal to allow carriers to add whatever "enhancements" they wanted is the main reason it took so long for carriers other than AT&T to get the iPhone.
How is this not a national security issue? This the one of the many reasons they don't want the President using personal communication devices? I'd love to know if CIQ is loaded on Obama's phone.
I've been putting off buying a smart phone for years. First, because I didn't want another monthly bill and I rarely use my cell phone as it is.
Then the controversy with the iPhone and Android tracking your location.
Now the Android is logging keystrokes ( I would bet the iPhone is as well ).
The other week I found out I can get a pay as you go smart phone which fits my needs perfectly. I was planning to start shopping for an Android.
I think I will save myself some money and my privacy by skipping that chore for a few more months.
Carrier IQ can be removed from Android devices rather easily by either installing a custom ROM or installing an app that can be found on the Android Market. You can find more information on this at: http://www.android-advice.com/2011/remove-carrier-iq-ciq-keylogger-on-android/
If phones and their respective plans were purchased separately like in Europe this problem would most likely have been avoided along with a host of other problems such as bloatware, annoying carrier branding, etc...