Slashdot Mirror
Researchers Say Carrier IQ Isn't Logging Data, Texts
Trailrunner7 writes "Security researchers who have investigated the inner workings of the Carrier IQ software and its capabilities say the application has some powerful, and potentially worrisome capabilities, but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes. However, the researchers note there is still potential for abuse of the information that's being gathered, whether by the carriers themselves or third parties who can access the data legitimately or through a compromise of a device. Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and found the software has the ability to record some information, but that doesn't mean it's actually doing so. That part is up to each individual carrier. However, he says the ability to collect such data is a dangerous thing. 'There is a lot of capability to collect sensitive data, which is dangerous in any scenario,' Oberheide said in an interview. 'It's up to the carriers to use the software as they choose, but you could sort of put some blame on Carrier IQ. But they put it on the carriers.'"
For those who don't want to trust in the good will of Carrier IQ or carriers themselves, here are a couple ways to get it off your phone.
Another comment to this news would, perhaps be:
"Yeah, right."
I mean, is this an attempt at spin? (I'm genuinely asking. I didn't read the summary.)
If it isn't GPL-licensed and built by a collective herd of protesting armchair engineers, it must be a tool by corporate government cronies to invade our privacy and steal the vital details of how often we wash behind our ears.
That was sarcasm.
You do not have a moral or legal right to do absolutely anything you want.
Can our learned friend Jon elaborate as to whether this is legal under US law? Let him say it is, instead of trying to dampen the outrage surrounding this whole issue. I say this because a further below, he opines by saying the following:
Key words: "dangerous in any scenario"
There you have it. We surely should expect more from these companies. Someone should go to jail over this.
Here are three random articles from the front page of Slashdot, Reuters, and TheStreet.com:
Once upon a time, the important part of the URL - the identifier of 2225202 at Slashdot, idUSTRE7B019B20111205 at Reuters, and 11332765 at TheStreet - was all that a potential URL-logger got to see. URLs were not only shorter, they had meaning relevant only to that one particular site's CMS, and it required Yahoo/Google/Bing/government-sized resources to follow every such link and map URLs to content on scales as big as "everyone who uses the WWW".
Except that nowadays, most URLs are rewritten with-redundant-text-for-SEO-purposes. Slashdot's URLs say researchers-say-carrier-iq-isnt-logging-data-texts Reuters' URLs say us-russia-election and TheStreet's URL says its-official-facebook-buys-gowalla-team.html.
All of a sudden, if I have access to the URL stream, I can now figure out that you're interested in Carrier IQ's spyware, the Russian elections, and whatever Facebook is up to this week -- with nothing more complicated than "grep".
I'm not advocating tinfoil haberdashery: there's no grand conspiracy of webmasters to make clickstreams greppable. It's merely a regrettable (for end user privacy) side effect of the relentless push towards SEO that organizations like Carrier IQ can get a lot more "interesting" information out of a user's clickstream than they would have been able to do as recently as two years ago.
It should be legally prohibited, with severe civil and criminal penalties.
If I use any modern mobile 'phone then I assume anything I put on it and where it is can be read by the OS vendor and the carrier. The environment is too tightly controlled and lacking in openness for me to be able to come close to verifying otherwise. We can assume that the facility is only used on rare occasions because one significant revelation of data transmission will put people off buying the product, IOW the only thing keeping anyone safe is the "you're not important enough to matter" card.
But if you're doing anything remotely interesting, whether that's in industry or activism, you'd be a fucking idiot to use the routine features of a smartphone.
Indeed, and carriers of course could already view and record text messages. They don't need an app for that.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
If CarrierIQ is making money from studying my behaviors, then I want a cut or I want to uninstall their craptastic software. I should not be forced to consume software I do not want. If Android wants analytics, then build it into Android OS. My relationship is with my phone manufacturer and the OS manufacturer. I should be able to decide what other relationships I want. CarrierIQ can contact me if they think their software somehow adds value to my experience. Otherwise, do more testing.
Would Carrier IQ make any sense for other devices like a Kindle? Not phones but still networked. Someone asked me and I had no idea.
If someone at the carrier wants to record every SMS, phone call, or conversation then he or she has much simpler ways to accomplish the task. The carrier sees every exchange through its own equipment and could simply log the exchange in the network - at the network switch or cell site. Why is an application installed at the endpoint something especially sinister?
Who exactly were you referring to there? Slashdotters like to take to piss out of conspiracy theorists as much as they like to report on them. If it was a worthy conspiracy theory to start with in the first place; sounded more like a market analysis tool to most of us, I expect.
If I had a DeLorean... I would probably only drive it from time to time.
Dammit, there goes my who-i-detest-most-internet-meme of the week...
sysadmins and parents of newborns get the same amount of sleep.
but those carriers that installed it on cell phones just might be.
My karma is not a Chameleon.
Why do people try and point a finger at CarrierIQ? Do you blame Smith & Western every time someone gets shot? Do you blame Volvo when someone steps in front of one of their busses? Do you blame Jack Daniels when someone drinks themself to death? If anyone wants to do any finger pointing it should be at the one responsible for installing and configuring the software - the carriers themselves.
Haha, this post reminds me of the commercial where the girl is talking about her parents and the internet; where she read an article, well part of an article......
This was known days ago. Of course that fucks up your nice little conspiracy theory, so it wasn't posted.
Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.
So there is another subpoena target for the authorities. Even your ISP doesn't necessarily get that information. Why should your carrier?
Sig Battery depleted. Reverting to safe mode.
Do you really think that the carrier doesn't already know that information? Your ISP does get that information; it has to route your packets using something other than magic fairy dust. They even use that information to shape their traffic and optimize their proxy servers.
Carrier IQ has admitted that it records URLs of every web site you visit on your mobile device, and sends it to the carrier.
In other news, Netgear admits that sometimes malicious packets travel through routers made by Netgear, and Intel concedes that it enables x86-based malware by continuing to produce microprocessors. The software was paid for and installed by the carriers. Carrier IQ is a solution provider.
This was basically a FUD campaign and I won't be surprised if it was funded mostly by Microsoft.
It's pretty obvious they pay marketing shills like InsightIn140Bytes to bash competitors and praise Microsoft on forums like Slashdot and Reddit. He's just the last in line so far of a long line of slashdot users (ge7, tech4, techLA, sharklaser).
Yeah! Stupid freedom mongers! Corporations would never lie to us! It's so stupid being a little person interested in sharing. Being a corporate lackey is where it's at. Kiss up - kick down! :)
Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent. That's still fucking bad enough for me. Claiming that "it wasn't activated by default" doesn't change a bit of it.
Oh, the beautiful gloss of greality!
"but as it's currently deployed by carriers it doesn't have the ability to record SMS messages, phone calls or keystrokes."
"Currently" is the key word here and is subject to change over time!
Your ISP does get that information; it has to route your packets using something other than magic fairy dust.
Wait,,,,
Doesn't ones browser resolve the IP address using DNS, and then send the request directly?
Do ISP DNS servers log such look-ups?
I can't imagine an ISP, unless they are running a caching proxy, having the ability to log every single URL from every browser on their network. Even when they do run a caching proxy its a LRU+Currant content computation, not a logging operation. High volume pages stay current because they are hit frequently.
I think the GP meant that your ISP does not log URLs other than those on their own web servers. The rest pass thru as data.
The sarcasm notation would have better served the public had it been opt-in (i.e. prefacing your comment).
[captcha=hammered; hammer is host of the SNL rerun currently running on netflix.]
ISPs can log every request. There is no pass through. a DPI system can log every packet and get page and url data for every site you visit. you can also do this at home without fancy isp hardware. just install tomatousb on your router and set it to log every url.
As usual, the crux of the matter has to do with TRANSPARENCY and CONSUMER CONSENT. The question of whether or not CarrierIQ is actually capturing user behavior through the software is important, but actually secondary to the fact that the carriers themselves do not TELL the consumer that (1) we've installed this logging software on your device; (2) it is not possible through normal means to deactivate it; (3) this software runs without any disclosure or agreement in your contract; (4) this software runs on your device even if you are no longer under contract or even subscribed as our customer; and (5) this software is not an integrated component of the device's operating system.
And why don't they tell you these things? Because they can get away with it. The fact that this software is so hidden from the user, and is NEVER mentioned in any of the legal documentation you are asked to sign, is all the reason why the consumer cannot and should not be expected to simply take either the mobile network operator or CarrierIQ at their word when they say they're not tracking personally identifiable information. Yes, researchers have chimed in with their findings. But such broad, unregulated, and pervasive tools as CarrierIQ have enormous potential for abuse, and it is simply unacceptable to allow these companies to just chalk it up to "sorry we kept this a secret from you, but TRUST US, it's all perfectly innocent." Yeah, bullshit. If it were truly so innocuous, why did you go through such lengths to hide it and make it difficult to disable or remove?
What could possibly go wrong? Maybe everything, if you're Newet Gringrich, or Herman Cain.
Here's the thing. I think this whole CarrierIQ debacle is being played up in the media for exactly the reason stated in the title, because it ISN'T logging data, texts. It really isn't sending your data back to the carrier, government, or whomever. What it does, is far beyond the understanding of the average consumer of the nightly news. So the media will trot out the experts who say, "This software does not send your data back to the carrier, it just hooks the keyboard for diagnostic purposes at a level beneath the userland of the Android operating system."
And, whoosh.
In the minds of the masses, it was harmless.
But it isn't harmless. The software certainly has the capability of monitoring/logging/reporting every keypress on the phone and sending it to whomever it's configured to send it to. No one outside the "slashdot-esque" crowd knows much about rootkits, system hooks, etc. etc., however. But now, whenever someone mentions the fact that phones are spying on you, everyone can come out and say "No, they're not. Didn't you hear? CarrierIQ was harmless. You're a tinfoil-hat nutter!" Even though they still will be monitoring everyone, either through this method, ones hidden better, at the switching center, or voluntarily (Facebook, etc.) And it'll be business as usual.
Right now, you can be pretty certain your phone isn't doing any real, wholesale spying, since to transport that amount of voice/video, or whatever type of data will kill your connection and drain your battery faster than you can say "fourth amendment" (until you connect to wi-fi, of course). The real trojan horses are the 4G networks. Especially once LTE connections are the norm, it will be trivial to log a tremendous amount of real-time "intelligence" (because that's exactly what these phones are, intelligence gathering tools) and quickly whisk it up to whomever wants to see your data without you noticing. I'm sure it'll be as simple as someone in a spook hideout pressing a button and, voila, the 4G network is providing them a real-time peek and listen into your life.
They're not kidding: Intelligence Everywhere!
CarrierIQ claiming the responsibility is all on the carriers is a bit of a stretch. It's like a lock manufacturer giving your home builder (or mortgage company) a key to your house, then trying to claim they have no responsibility for how the home builder (or mortgage company) uses that key. Claiming "we didn't know they were going to rob or rape you" doesn't really absolve them of responsibility or liability.
make imaginary.friends COUNT=100 VISIBLE=false
In fact, by definition they do do this as they act as the intermediary between any two devices.
Never say never. Ah!! I did it again!
Every email that you send whether encrypted or not travels through multiple servers on the internet and is stored, at least temporarily on each of those servers as it routes through the internet.
If you are concerned about privacy, you should not divulge sensitive information on the internet or use encrypted email and/or more secure point to point protocols.
The stark reality however, is that nobody is interested in spying on boring ordinary people never mind that spying on everyone would be prohibitively expensive and a logistical nightmare.
Jesus was a compassionate social conservative who called individuals to sin no more.
"United States Patent US 7,551,922 B2 Jun. 23, 2009"
.. The queries may be structured in such a way that performance information is gathered about the effect of a simple activity, such as a button press by the user, or information may be gathered about more complex transactions" link
"tracks the data collection activity occurring on the devices and maintains detailed information about the specific data collection profiles that are active on the devices
It CAN record. However, carriers have to pay for it and NO carrier would actually do that simply because it's worthless data + crosses too many lines ethically speaking that not even a big company would think they could get away with.
People like you and your train of mis-information is what gives sites like Slashdot such a horrible reputation and you should be ignored.
Here's a quick summary regarding keystroke logging made by the two recent articles:
Original video that demonstrated CarrierIQ logging keystrokes. I.e. not a theoretic capability, nor a risk, but actual entries into the system log. This was performed on an stock HTC Evo 3D.
This article is asserting that CarrierIQ does not contain the necessary hooks for keystroke logging on the Samsung Epic 4G Touch.
IOW, the two articles are not making the same claim. It is already known that different phones have different versions of CarrierIQ. This article isn't claiming that no phone has the capability to log keystrokes, merely that the Epic does not. The original article wasn't claiming that all phones are logging keystrokes, merely that the Evo is. Methinks someone is trying to manipulate public opinion, as the original video is surprisingly difficult to find, and this article's claims were immediately exaggerated and that version of the story was popularized.
Fact is: They sold you a phone with a rootkit installed that could record and transmit anything without your notice or your consent.
My phone was not purchased from Carrier IQ.
That's actually collectivist armchair douche canoes who know what's best for you.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
We never saw data leave the device. Simple. Don't trust anything, and prove data being sent with actual packet captures. Echkart's video shows events being caught, nothing more, as you pointed out. If someone says the next wave is harmless, it is simple to demonstrate that it's not. Explain it with as few syllables as possible with a video that anyone could reproduce. Get the word out right now that Eckhart's vieo is misleading, even if people don't understand exactly why.
Distrust everything, even security researchers. Double check their results yourself, especially if their conclusions follow from the data.
Video clearly shows it logging every keypress so I guess that fucks up YOUR nice little conspiracy theory.
http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
Forgetting about the argument if the OS being owned or licensed by the phone owner, the actual hardware is owned by the user. And even assuming that the cell providers were complicant in installing the software... Any software installed without the consent or knowledge of the user is using processor resources. Would the use of use of clock cycles without permission be considered theft of services? Before laughing, too hard, imagine what would happen if someone broke into any corporate computer in the world and was running processes without consent. The scale of the hardware isn't relevent. The face that someone bought a piece of hardware with certain advertised specs, but was denied 100% access to them because a third party unknowingly was hijacking a certain percentage of them for it's own uses.
I have watched the video. I don't see anything at all suspicious about it. Events which occur on your phone are processed and dispatched through some central service, and it's possible to monitor these things as they happen. Wow, that's a shocker.
In other news, the Windows OS intercepts all your keystrokes and processes all your packets. Keep your head down, the sky is falling.
The only ones claiming that it's not logging keystrokes are industry flacks. Anyone else can turn on the debugger and see that android calls a carrieriq function with the keycode on every keystroke, just like the videos show.
I'm sure that function is just a NOOP. For now.
Holding data and sending it later when the transmission would not seem out of place is trivial. It is possible to discover spyware through packet-sniffing, but quite impossible to certify that spyware does not exist on a system. (This is why people who do anything but reformat and restore from backup in case of security breaches or virus infections are idiots.)
For everyone, there's always a first time. For you it happens to be now. Your outrage is understandable and justified.
But now you know that almost all computers come with malware of some kind preloaded, and that it is especially expected when purchased from ISPs. If you buy another one tomorrow, knowing and expecting this, will it still be without consent?
Fool me twice, shame on me.
If it isn't GPL-licensed and built by a collective herd of protesting armchair engineers, it must be a tool by corporate government cronies to invade our privacy and steal the vital details of how often we wash behind our ears.
That was sarcasm.
No, that was below the belt! We were on a rant high and there you come and spoil the party.
Seriously though, logging stuff you would send over SSL is pretty scary. It circumvents the whole concept of being able to communicate securely over an insecure medium. Then CIQ isn't killable or removable by mortals. Still CIQ cs. claim they only press petals.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Don't you mean a GNU HURD of protesting armchair engineers? ;)
Spyware is spyware, Carrier IQ knew what they were doing when they wrote it. Saying 'blame the carriers' ignores the fact that Carrier IQ salesmen at some point went to the Carrier and said "wouldn't it be great to know exactly what your customers are doing with their phones, where they use it, how they use it, what they run, which videos they play offline".
Carrier IQ were the ones made it not uninstall.
Carrier IQ didn't put the opt in feature in.
Also you are implying the Carriers had agreement to do this from the users, and customers are outraged. But if customers had agreed to this, why are they outraged?? Because they didn't. There was no opt in possible with this, it was placed on their phone and until recently we only found out what it was doing.
The point is that if I buy a computer, I should do exactly what I want it to do. Installing any sort of software which I don't want for any reason is a step in the wrong direction.
Seriously, we need to get the operators and the hardware companies out of the software loop. I get my software from one place, the hardware from another and the wireless service comes from a third.
I think he meant "they" as in "The Man," not as in "Carrier IQ."
Kid-proof tablet..
Why should I care about what CarrierIQ does or does not after I switched to a phone that doesn't have CarrierIQ?
This story is my favorite butthurt story so far and I really enjoy it seeing CarrierIQ fail, even though I do not care what CarrierIQ does or does not. My time is too precious for that.
Actually, you may be joking, but the market demands it. By its very definition.
You can either be a company who doesn't do it, hence make less money, and die out.
Or you can be a company who does it.
The only thing stopping companies from raping and killing everyone and everything for money, is those pesky laws.
(Because somebody would start it, would become big, and either you'd start doing it too, or get stomped out. [Quite literally])
But they fight hard to remove them, so they can have. what they call "the free market".
It's that simple.
Yes, but not keystrokes. That's another story.
There was a time when all your text messages were included on your phone bill, or at least mine... but this was also 8 years ago...
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
Carrier IQ may still be snooping at a level closer to the user, and therefore getting more accurate information.
I have set up my Android browser (Firefox) to use a local proxy which is an ssh tunnel to a trusted web server somewhere. I do this so I can happily use all manner of suspicious open wi-fis at restaurants, hotels and such. (I wouldn't mind running without the ssh tunnel when I'm using mobile broadband from my telcom but switching Firefox back and forth between the two modes is just too impractical.)
In this case, my telcom/ISP wouldn't see my web traffic only by inspecting my packets because they're all ssh traffic. Carrier IQ might still have the actual URLs though if it captures them directly from the web browser.
sigs are hazardous to your health
I fixed that issue. I just bought a Nokia N9.
* Carthago Delenda Est *
Lets get some random "security researchers" and have them vouch this isn't logging anything. We just won't let them tell you it just phones home key metrics such as where you been. No that isn't logging, it's quality assurance..
I'm sure you'd love it if Windows reported every single keystroke you did on your computer to Microsoft. Which in theory is exactly what this app does on your smartphone.
Let's ask who paid for research. Was it Carrier IQ? How was the research performed? Was it unbiased? Carrier IQ seems like a company that is trying to hide something. Anyone who threatens lawsuit first instead of amicable resolution is guilty of something.
It's interesting that even now carriers can deduct bandwidth you use to connect through their app to get some help/assistance or account info. Akin to calling *611 which will not be counted toward your monthly minute allowance.
Which means Carrier IQ could be using up loads of bandwidth, but your carrier will not count it against your limit.
The only way to tell is to install a 3rd party bandwidth usage monitor, or by your battery life.
CarrierIQ hired this company to write this article.
Neither the video nor any other piece of "evidence" I have seen yet gives any sort of indication that any data is being sent anywhere. Period. Show me a network trace with packets containing keystrokes, and I'll believe it's happening. It's a simple requirement.
All government employee's cell phones that are paid by the taxpayer should have CarrierIQ installed and upload all information including emails, texts, keystrokes, pictures, etc to public server so that the taxpayers can see what they are paying for.
Original video [youtube.com] that demonstrated CarrierIQ logging keystrokes. I.e. not a theoretic capability, nor a risk, but actual entries into the system log. This was performed on an stock HTC Evo 3D.
It's not the system log you see in the video, it's a debugger. What you see is an event handler hooked up to the keystroke event being called for each keystroke, with the keycode as a parameter. According to the researchers only keycodes entered in the phone dialer are sent, other keycodes are ignored. Which keycodes are processed is chosen in the event handler, not by the OS, that simply calls the handler on every keystroke. The theoretic capability is that, if programmed differently, the event handler could just as easily have processed all keystrokes.
> The patent tells us nothing ..
What makes you say that?
"a US FOI report suggests that the FBI is using data captured by the creepy smartphone snooping app" link