Slashdot Mirror


EFF Reverse Engineers Carrier IQ

MrSeb writes "At this point we have a fairly good idea of what Carrier IQ is, and which manufacturers and carriers see fit to install it on their phones, but the Electronic Frontier Foundation — the preeminent protector of your digital rights — has taken it one step further and reverse engineered some of the program's code to work out what's actually going on. There are three parts to a Carrier IQ installation on your phone: The program itself, which captures your keystrokes and other 'metrics'; a configuration file, which varies from handset to handset and carrier to carrier; and a database that stores your actions until it can be transmitted to the carrier. It turns out that the config profiles are completely unencrypted, and thus very easy to crack."

31 of 103 comments

  1. If it's unencrypted... by Anonymous Coward · · Score: 5, Funny

    ...why would anyone have to crack it? Just open and read it. BRB, I'm going to 'crack' these jpegs of naked ladies.

    1. Re:If it's unencrypted... by Anonymous Coward · · Score: 5, Insightful

      'crack' is a vague expression. It says that it's unencrypted, which doesn't mean it isn't encoded. If you read the articles, it will be clear that by cracking they mean understanding what's in there.

    2. Re:If it's unencrypted... by Anonymous Coward · · Score: 5, Insightful

      Unencrypted != human readable.

      Obfuscated bytecode is unencrypted and still takes a lot of effort to make sense from.

    3. Re:If it's unencrypted... by Anonymous Coward · · Score: 5, Informative

      Being unencrypted and being human readable are two different things. Reverse engineering includes figuring out the data structure and format and actually figure out what bit means what data. Generally a simple process if it isn't compressed, encrypted or complex, but still reverse engineering.

    4. Re:If it's unencrypted... by sunderland56 · · Score: 5, Informative

      It is a binary, not source code. So it's like having a file containing an image of naked ladies, but not knowing what sort of compression scheme was used.

      It was also written in forth, of all things. So it's like finally figuring out the compression scheme and decoding the file - only to find out that it is an image of naked lady *martians*.

    5. Re:If it's unencrypted... by Anonymous Coward · · Score: 5, Funny

      Indeed. Anyone who has worked with any sort of Perl source code knows just how true your statement is. It's unencrypted, it's not (intentionally) obfuscated, and it may even have comments, but it's not human-readable, even after you've worked extensively with Perl for a couple of decades.

    6. Re:If it's unencrypted... by c · · Score: 5, Funny

      > It was also written in forth, of all things. So it's like finally figuring out the compression
      > scheme and decoding the file - only to find out that it is an image of naked lady *martians*.

      Er... you do realize this is slashdot, and to an entire generation of nerds who spent most of their post-pubescent lives lusting after Star Trek aliens, both real-live implementations of "forth" and images of "naked lady martians" are considered a good thing to find inside compressed, encrypted binary blobs?

      Stick with something safe, like car analogies.

      --
      Log in or piss off.
    7. Re:If it's unencrypted... by Anonymous Coward · · Score: 5, Funny

      Ever look at LISP code? Looks like fingernail clippings in oatmeal.

    8. Re:If it's unencrypted... by paramour · · Score: 2

      Pah, kids these days. Try TECO

      "It has been observed that a TECO command sequence more closely resembles transmission line noise than readable text. One of the more entertaining games to play with TECO is to type your name in as a command line and try to guess what it does. Just about any possible typing error while talking with TECO will probably destroy your program, or even worse - introduce subtle and mysterious bugs in a once working subroutine."
          -- Real Programmers Don't Use PASCAL

      The first versions of emacs were written in TECO, inspired in part by tmacs -- TECO macros.

      Or try APL. Uses a special character set, permits composed characters, assumes you know linear algebra, and reads right to left -- the epitome of a write-only language.

      Now get off my lawn.

    9. Re:If it's unencrypted... by Night64 · · Score: 2

      The first time I saw someone coding a MUMPS program, I figured that it was just a memory dump.

      --
      Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
  2. Seems like a waste of time by jbmartin6 · · Score: 4, Informative

    According to the article, almost nothing has been reverse engineered and at best you get "a hint of what data is being captured" from examining an unencrypted config file.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  3. android? by stoolpigeon · · Score: 3, Interesting

    why does a story about carrier iq have the android icon on it?

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:android? by Culture20 · · Score: 3, Funny

      why isn't there an iPhone/iOS-related tag?

      Because Apple vowed that it was never installed, and that it was disabled by default when it was installed.

  4. So it's badly written & only helps the carrier by phonewebcam · · Score: 3, Insightful

    All it needs now is a $5 per Android handset "licensing fee" and you've got your smoking gun!

  5. Cough it up by PopeRatzo · · Score: 4, Insightful

    If you haven't done so yet this year, it's time to go donate a few bucks to EFF.

    I wouldn't bring it up if we didn't need them so bad.

    I'm in for another fifty, just because I saw this story and it's fucking Christmas and if SOPA passes we might as well kiss our Internet goodbye.

    --
    You are welcome on my lawn.
    1. Re:Cough it up by bcrowell · · Score: 3, Informative

      It's tax deductible.

      To donate by sending a check: 454 Shotwell St, SF, CA 94110

      Donate online.

      Good things they've done.

  6. Consumer Protection by sociocapitalist · · Score: 5, Insightful

    At the risk of being modded down, I think that if there is not already legislation to protect people from this type of spying then there should be.

    --
    blindly antisocialist = antisocial
    1. Re:Consumer Protection by tunapez · · Score: 2

      Protect? Surveillance and enforcement are much more profitable than privacy. Be glad the lawmakers are still calling the internet a 'right'; any day it could become a mandate.
      This is the greatest spycraft tool and marketing assault ever conceived, all wrapped into the guise of bringing info to the masses!

      Throttled, vetted and sanitized info is the endgame if the entitled set get their way.

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  7. collector/c info please by sgt+scrub · · Score: 5, Interesting

    Of course we hope people can also send us Profiles from Windows Mobile, BlackBerry, iPhone and "feature phone" ports of Carrier IQ.

    I'd settle for more info about "c" on the machines collecting data.

    grep -H https *.xml

    att-galaxy-s2-defaultProfile.pro.xml: UploadUrl="https://ciqcol01.ciq.labs.att.com:10010/collector/c">
    htc-amaze-tmob-defaultProfile.pro.xml: UploadUrl="https://oddca.t-mobile.com/collector/c">
    htc-evo-sprint-iqprofile.pro.xml: UploadUrl="https://collector.iota.spcsdns.net:10003/collector/c">
    tmob-galaxy-s2-defaultProfile.pro.xml: UploadUrl="https://oddca.t-mobile.com/collector/c">

    I was able to get ciqcol01.ciq.labs.att.com 10010 to respond with telnet; but, it dropped my connection when I sent GET/POST etc. The others didn't respond. I'm assuming they have been moved.

    --
    Having to work for a living is the root of all evil.
    1. Re:collector/c info please by Anonymous Coward · · Score: 2, Insightful

      Interesting. Port 10010 doesn't show up on a port scan but responds to telnet.

      host ciqcol01.ciq.labs.att.com
      ciqcol01.ciq.labs.att.com has address 216.103.127.200

      nmap -P0 216.103.127.200
      Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-12-23 07:52 CST
      Nmap scan report for 216.103.127.200
      Host is up (0.028s latency).
      Not shown: 998 filtered ports
      PORT STATE SERVICE
      139/tcp closed netbios-ssn
      445/tcp closed microsoft-ds

    2. Re:collector/c info please by Anrego · · Score: 4, Informative

      By default, nmap only scans a subset of ports (first 1000 of all protocols or something).

      Try explicitly telling it to scan that port (using the -p option)

    3. Re:collector/c info please by LordLimecat · · Score: 2

      Just the 1000 most common ports. Hence why it says "not shown: 998 filtered", as well as the two showing up. There is an option which will tell it to do a full scan of all 65536 ports.

      That's probably why they chose that port, incidentally-- gets missed on a casual scan.
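As an added example (not from the thread, the EFF, or Carrier IQ), a small Python inventory of the collector endpoints found by the profile grep above, flagging the non-default ports that the nmap replies discuss; the XML wrapper around each UploadUrl is assumed, since the real profile schema is not on the page.

```python
import re
from urllib.parse import urlsplit

# Added example: pull every UploadUrl out of a set of unencrypted profile
# files, normalise the endpoint and flag collectors on a port other than the
# scheme default, since a top-1000-port scan can miss those (the 10010 case).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed samples: the XML wrapper is hypothetical (the real profile
# schema is not on the page); the UploadUrl values are the ones quoted above.
SAMPLE_PROFILES = {
    "att-galaxy-s2-defaultProfile.pro.xml":
        '<profile><upload UploadUrl="https://ciqcol01.ciq.labs.att.com:10010/collector/c"/></profile>',
    "htc-amaze-tmob-defaultProfile.pro.xml":
        '<profile><upload UploadUrl="https://oddca.t-mobile.com/collector/c"/></profile>',
    "htc-evo-sprint-iqprofile.pro.xml":
        '<profile><upload UploadUrl="https://collector.iota.spcsdns.net:10003/collector/c"/></profile>',
    "tmob-galaxy-s2-defaultProfile.pro.xml":
        '<profile><upload UploadUrl="https://oddca.t-mobile.com/collector/c"/></profile>',
}

# A regex, like the thread's grep, needs no knowledge of the element names.
UPLOAD_URL_RE = re.compile(r'UploadUrl="([^"]+)"')


def extract_upload_urls(xml_text):
    """Return every UploadUrl attribute value in file order."""
    return UPLOAD_URL_RE.findall(xml_text)


def describe_endpoint(url):
    """Split a collector URL into scheme/host/port and flag a non-default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "path": parts.path,
            "nonstandard_port": port != DEFAULT_PORTS.get(parts.scheme)}


def inventory(profiles):
    """Map each collector (host, port) to its endpoint details and the
    profile files that point at it, so collectors shared across handsets stand out."""
    collectors = {}
    for name, xml_text in profiles.items():
        for url in extract_upload_urls(xml_text):
            info = describe_endpoint(url)
            key = (info["host"], info["port"])
            collectors.setdefault(key, dict(info, files=[]))["files"].append(name)
    return collectors
```

Run `inventory(SAMPLE_PROFILES)` to see that the two T-Mobile profiles share one collector on 443 while the AT&T and Sprint collectors sit on 10010 and 10003.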

  8. Re:Wikipedia article by MarkGriz · · Score: 4, Insightful

    Welcome to Wikipedia, the free encyclopedia that anyone can edit.

    --
    Beauty is in the eye of the beerholder.
  9. Still undiscovered versions out there? by meburke · · Score: 3, Interesting

    We know it's on android, but the article points to an earlier article that says, "In our post yesterday, we wrongly assumed that Carrier IQ was something that carriers added to smartphones — but now it’s clear that Apple bakes Carrier IQ into its closed-source iOS for use by carriers."

    This makes me suspicious that there may be a version in Windows-based phones, or other phones with different data OS' installed.

    --
    "The mind works quicker than you think!"
    1. Re:Still undiscovered versions out there? by LordLimecat · · Score: 2

      I'm curious whether this is true of blackberry. I'm still rather skeptical that RIM would take their supposedly security-minded product and then compromise it by including something like this in the stock firmware.

  10. I smell a class action suit by fred911 · · Score: 4, Insightful

    So not only are you possibly able to invade my privacy, but you're also charging me for the bandwidth to do it? I'm sure the TOS doesn't cover you for the latter.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:I smell a class action suit by AHuxley · · Score: 2

      I hope it wakes a generation up. So many thought the https as offered was safe via the trusted device and telco.
      This shows how many layers can sit between the users and the trusted network - open or closed in every phone shipped in parts of the world.
      Many noted it sends "nothing" back - but it still shows how easy it is to get a whole generation of devices shipped with any shipped or installed crypto dead out of the box.
      Where are the telco open source developers, former big telco contractors on this?
      All we got was ~ "its hard to keep a software secret in 'our' new open source world" or "https math is safe down the network"

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:I smell a class action suit by cnj · · Score: 3, Informative

      This may help explain why some carriers (e.g. T-Mobile) required an "unlimited" data plan for certain phones. Even though my wife only uses about 40 MB of data over T-Mobile's network a month, they want to require her to use the more expensive unlimited plan. If it's an unlimited plan, they aren't charging you for additional data transfer.

      Well, technically they might be, but not directly; and not legally. If that's really the reasoning, then they're just extremely evil and bad, bad people.

      --
      Never trust anyone over 90000.
  11. Of course by Anonymous Coward · · Score: 3, Insightful

    Of course there will be. The legislation will say "you may continue to spy as long as we get a cut".

    No, that wasn't a joke.

  12. More than just privacy by cybergremlin · · Score: 2

    My big problem with CarrierIQ has not been concerns over privacy (I just assume the carrier can see anything I send over their network) but the fact that it is both buggy and unstoppable. I was in the middle of nowhere when I noticed that my Atrix 2 was nearly dead (I had charged it that morning). Checking the battery monitor showed that "Device Health Application" had sucked down 80% of my battery, and had been using GPS for 6 hours straight. Of course you can not force it to quit, cue stream of [expletive-deleted]. I was able to stop the bleeding by switching off GPS, and a cold boot restored functionality. Still, having an application that can murder performance, but that you can not kill or remove, seems like bad form at the very least.

  13. Re:Wikipedia article by mcgrew · · Score: 2

    Welcome to Wikipedia, the free encyclopedia that anyone can edit, even though your edit won't last 24 hours.