back to article BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ …

COMMENTS

This topic is closed for new posts.

Bronze badge
Pint

Oh well,

back to carrier pigeon for me then.

Seriously though, WTF!? Has anyone had a play with the iPhone to see if St. Jobs has snuck something similar on his gadget? Wouldn't be surprised (sadly) after the 'consolidated.db' fuss.

35
29

This article has nothing to do with iPhones. While all phones have their flaws I don't understand why you feel the need to try and hijack this comment thread to attack Apple.

36
55
Thumb Up

Ahh yes, the redoubtable IP over Avian Carrier (IPoAC, rfc1149). Although I'd probably opt for IP over Avian Carriers with Quality of Service (RFC2549).

Its bandwidth is pretty impressive (how many 32GB micro-sd cards can you tape to the leg of a pigeon?) but its latency is a bit high for a MMORPG let alone a FPS.

20
3

Pretty typical fandroid response there - millions of Android phones potentially compromised and the first thing you can say is "ah, but the evil iPhone must be MUCH worse.."

Of course it must. Google is your best pal after all, I'm sure this is all just some misunderstanding... Just thank god you don't have one of those AWFUL iPhones eh..

37
39
Silver badge
FAIL

Grow up, itards!

I'd expect this to have been found a long time ago if it were present on iPhones, but it's taken a while to come to the fore on Android. However, since the article doesn't say this doesn't exist in iPhones, it's legitimate to wonder if it's been found not to exist or if it's not been tested. The commenter even gives a reason that we should wonder about it - it's not out of hatred, envy or anything! Asking that question is not an attack on Apple, and it's not a claim that Apple is better or worse than anyone else. Just grow up!

33
16
Anonymous Coward

RTFA

The article says that while it was demonstrated on an Android handset, software from the same company with similar functionality is present on Blackberry and Nokia handsets too. Parent asks, not unreasonably, whether anyone has checked whether it is also on another rather popular phone model.

28
5

Not Google??

I was under the impression this is not Google's software, rather a 3rd party package..

I would think it's more mobile carrier integration rather than HTC, Samsungs, etc but I could be wrong. It's not on my sim free Desire Z with stock firmware..

6
0
Boffin

wasn't there an RFC for...

Main Battle Tanks with big '0's and '1's painted on them?

0
0
Anonymous Coward

The proof there's no such thing as this installed on iPhones

No one has yet called this RootkitGate.

1
0
Silver badge

aye

Seems reasonable to ask if the iPhone has similar software. I read from the article that it is the carrier not the core OS that has installed/configured this.

13
2
Anonymous Coward

oh dear

How can you trust anything running Android, it's broken by design. Wouldn't touch it with a barge! And runs like a slag too unless you have a 4 core.

5
36
Anonymous Coward

Actually, he said I'm going back to carrier pigeons so quite clearly he finds it pretty abhorrent, and merely wondered what Apple had snuck in. To be honest, I don't blame him for wondering.

Either way, the referring to anyone as a Fandroid really doesn't come across as a very neutral ... if you were attempting to go for the moral high ground of course.

Of course though, who fsking cares. It's a phone. I got bored of iPhone jabber from friends years ago, and now Android is growing quickly, now I have to endure endless shlong waggling about what is best. I tend to buy Android phones, though not exclusively... I buy what I like and fits my needs. I really don't care about anyone else.

7
4
Anonymous Coward

There's a good reason it's not called RootkitGate. Because suffixing anything with 'Gate' in the press is idiotic, and whoever brought it back should be taken outside and thoroughly shoed.

8
0
Anonymous Coward

@AC 12:40

Oh come on you can't blame Android for its phones needing a four core processor to work properly.

Obviously the problem is they have all this spyware working in the background, that's why people find they work a lot faster after being flashed with a custom ROM.

Sucks if you don't custom ROM it though, but that's the users' own fault for being dumb.

6
30
Anonymous Coward

A very quick Google search returns a lot of results of "iphone packet sniffer" so I'd suggest that if it was possible for some developer or carrier to get some malicious software like this installed onto an iPhone, someone would have already found it and there would have been a lot more shouting and accusing going on by the Androiders.

As I understand it, the only way to get this level of reporting on an iPhone is to either be Apple, or to have jailbroken your phone and then installed some dodgy piece of homebrew.

2
0
Anonymous Coward

Fandroid is so passé, their new title should be Hemorrdroid by the discomfort they cause to everyone around them.

7
9
Silver badge

@Danny 14, etc

The poster appeared antagonistic because of his statement that he "wouldn't be surprised (sadly) after the 'consolidated.db' fuss."

The consolidated.db was a file on iPhones that cached information for location services. It was synchronised to your computer via iTunes. Due to a bug in the first few iterations of iOS 4 it accumulated data indefinitely rather than merely caching recent data. As a result, if a malicious user had access to your computer then he could extract a history of your movements going back to whenever you started using iOS 4.

That information wasn't collected for any purpose and it wasn't forwarded to anyone. In other words, it's completely unlike the application in this story, the offensive part of which is that it's deliberately collecting data and forwarding it.

So to say "I wouldn't be surprised if Apple have taken a deliberate conscious decision to monitor how its customers use their phones because, you know, they made a coding error once" is so nonsensical that it could be construed as deliberate flame bait.

Probably it's just that if you don't use an iPhone then you wouldn't pay that much attention to the specifics of any particular bug — the original author was correctly aware that the iPhone had previously made it possible for third parties to monitor users in some way and had incorrectly assumed malice.

9
6
MrT
Bronze badge

But...

...surely Haemorrdroids would have been soothed by Preparation H(oneycomb)??

3
0
Silver badge
Coat

That's right...

...pile on the agony...

Coat & taxi, please

2
0
Anonymous Coward

"Sucks if you don't custom ROM it though, but that's the users' own fault for being dumb."

What a petty, arrogant little tech-snob you are! People want a phone, they would like it to work properly and they do not have time to take a 6 month course in Unix just to be able to make a few phone calls, send a few SMS and sling a few birdies around the screen when killing time.

Perhaps we should get some people in to laugh at you as you most likely cannot crochet an intricate lace doily, plan and cook a 6 course meal for 30 people or play Chopin to concert standard, because "it's your fault for being so dumb"!

32
5
Anonymous Coward

@AC 14:27

But that's what's expected with Android isn't it? I don't really know, just read the comments around here.

Reminds me a bit of that old joke:

Linux Air

Disgruntled employees of all the other OS airlines decide to start their own airline. They build the planes, ticket counters, and pave the runways themselves. They charge a small fee to cover the cost of printing the ticket, but you can also download and print the ticket yourself.

When you board the plane, you are given a seat, four bolts, a wrench and a copy of the seat-HOWTO.html. Once settled, the fully adjustable seat is very comfortable, the plane leaves and arrives on time without a single problem, the in-flight meal is wonderful. You try to tell customers of the other airlines about the great trip, but all they can say is, “You had to do what with the seat?”

Full list here: http://www.linuxscrew.com/2007/10/07/fun-linux-unix-windows-os-x-and-dos-airlines/

9
1
Anonymous Coward

Preparation H(oneycomb)

didn't seem to work well enough, probably it was already too irritated from all the Ginger(bread)

If only manufacturers came out with Ice (Cream Sandwich) quickly enough.

1
0
Coat

Sorry to rain on your parade

but he is right. Best thing that happened to my HTC Desire was the Oxygen V2 Custom ROM and it's pretty easy to install. Ok, I've got some 20 years experience in Unix and some 30 with computers, but I used a prepackaged kit on Windows to install it with a few mouse clicks. I use computers because I'm lazy :)

Mine's the one with the key to the room with the big shelf with system 7 manuals.

1
1
FAIL

It's not the user's stupidity

If a custom ROM is not available for their particular phone model. I would love to add Cyanogen to my LG Optimus S but it is not available. There is a community-developed version but it appears to still be in Alpha and I am not willing to brick my phone because it is ALLEGED there is spyware installed by the carrier on it.

0
0
Facepalm

It isn't the phones

This is software that the phone companies add to phones on their network. Probably in the phone software, but it might even live in the SIM card?

The only customer testimonial on their website is from a 'Tier 1 Carrier' saying how much money they save with this monitoring software that 'can drill down to individual users' and provide detailed network traffic data. They use it to decide where and how to provide more capacity and quality of service where it is needed, apparently.

2
0

@Volker Hett

So how do you know that your custom ROM hasn't been "touched" to run some other nasty sniffer stuff in the background, and send 100 SMS to Angola while you are asleep? In fact there is no limit to what it can do! I am sure most of the stuff is OK but there is a big IF.

1
0

This post has been deleted by its author

Bronze badge
Pint

Sensitive bunch, aren't we?

I am neither an iPhone nor an Android fan - I have a cheap mobile phone for calling & texting clients and friends, & that's all I give a shit about for a phone. I was merely musing on the general culture of Data-harvesting these days, that it seems to be endemic & increasingly invasive and surreptitious, regardless of platform. Jeez, what a jumpy bunch! (I'm sure this post will invite a few shots as well, so for those who feel the urge rising, may I suggest counting to 10?)

3
3

simple

Really paranoid people delve their own ore, smelt it, make resistors, capacitors and ICs out of it, solder all of that together and then write the phone's firmware using two buttons that allow them to type 1's and 0's.

then, and only then can you be sure...

1
0
FAIL

not so fast...

bummer for you... http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

1
0
Anonymous Coward

Not so fast 2

Not really a bummer, on iOS it works as it should: you can disable it via Diagnostics and Usage and it logs minimal information, not every keystroke you make...

0
0

@Spud2go

"Has anyone had a play with the iPhone to see if St. Jobs has snuck something similar on his gadget? Wouldn't be surprised (sadly) after the fuss."

Firstly, just to get it out the way, as others have mentioned this is to do with carriers. Secondly, this is a very different kettle of fish to 'consolidated.db' - not saying that incident was brilliant but I think most would realistically say that this one is a heck of a lot more serious.

Anyhoo, in answer to your question, yes they have - see http://twitter.com/chpwn however, various people online have written up this research in a quite readable way. At the moment, it looks like very little information is being gathered on iOS - e.g. tower strength - and it looks like it ties in with Carrier IQ's statement. I know some will say, and it's a good point, that any information is an issue, but there's nothing like keylogging going on.

Also, with iOS, it appears that you can make sure *nothing* is sent to Carrier IQ - users need to go to Settings → General → About → Diagnostics & Usage and make sure "Send Automatically" is switched to off (if switched on, the device will send diagnostics & usage to Apple).

Incidentally, it's reported that the Google Nexus One, Nexus S, Galaxy Nexus, and the original Xoom don't have Carrier IQ installed - http://www.theverge.com/2011/12/1/2602313/google-nexus-android-phones-and-original-xoom-tablet-do-not-include

1
0

This is a problem!

With Oxygen V2 I trust peer review and AdamG himself, but with apps and third party markets I'm paranoid.

0
0

ip over Main Battle Tank?

>wasn't there an RFC for...

>Main Battle Tanks with big '0's and '1's painted on them?

Sod that, terrible bandwidth, awful latency, and a QOS rating of terrible (MBTs are easily immobilised if you know how. With not hard to obtain materials

0
0
Thumb Up

Re: wasn't there an RFC for...

That would probably be RFC 1217

http://www.ietf.org/rfc/rfc1217.txt

0
0

project much, fanboy?

http://www.theregister.co.uk/2011/12/01/ios_has_carrier_iq_client/

0
0
Bronze badge
Pint

@ Euchrid

Thanks, already read up on the current discoveries - hard to avoid really! Interesting what's coming out after my first comment - also intrigued by the range of reactions to it!! If you read my second comment (about 4 above yours) I think you'll see that I don't care about device platform - a phone is a phone is a phone for me, a utilitarian thing that affords me a certain amount of convenience. That I thought out loud about the iPhone harbouring similar "features" was, in hindsight, always going to be bait to the faithful - nonetheless, it was a relevant musing that could relate to any communication device. The iconic iPhone was simply the first alternative that came to mind. Thanks for your efforts & the info - nice to see an enquiring, level-headed approach to the subject.

1
0
FAIL

LOL

Some serious egg on face from the Apple crowd here today.

Their holier than thou approach has turned sour as it transpires every single iPhone ever made (with the possible exception of the original iPhone) has Carrier IQ built right in as standard regardless of which network you bought your phone from, or which country you live in:

iOS 3: /usr/bin/IQAgent

iOS 4 and 5: /usr/bin/awd_ice2 or /usr/bin/awd_ice3

This is clearly much worse than the situation where SOME Android/Blackberry/Nokia/WebOS phones had it....

That said however, the whole thing is yet another storm in a teacup... But it makes me laugh when iPhone "protectors" are made to look like total retards yet again.

0
0
FAIL

@Barry Shitpeas

Good thing you waited for the story to play out before getting on your shiny bandwagon. Egg on face? From that article:

"Update: chpwn notes that initial research indicated that Carrier IQ's software may only be active when the iPhone is in diagnostic mode. In a blog post, chpwn confirms that, based on his initial testing, Apple has added some form of Carrier IQ software to all versions of iOS, including iOS 5. However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else. We'll let you know when more details arise."

Which do you think is worse now?

0
0
Linux

@Metavisor

Nobody buys into astroturfing posts by MS "technical evangelists" any more, since James Plamondon, your first boss, did his mea culpa.

Your data joke about an open-source airline merely means that you haven't seen, run or used a Linux distro since 2000. I find it interesting that the KDE4 desktop is so powerful, beautiful and easy to use that Win7 copied it from installation screen to desktop design. Imitation, the sincerest form of flattery.

0
0

Re: It isn't the phones

The issue is that, effectively, each carrier has a monopoly on phones that work on their network. I'm sure this would have come up before had we been forced to purchase laptops / PCs from our ISP. Since phones these days use software defined radios, my guess is that the difference between an iPhone 4 for one carrier and an iPhone 4 for another carrier is a simple reprogramming of an FPGA chip so that it speaks a particular carrier's transmission protocol. Really quite ridiculous that the carriers are allowed to control the cell phone market as they do.

0
0
Silver badge
WTF?

Oops!

It was a rogue programmer who done it!

Shame on that bad programmer who accidentally did this slightly illegal act...

Oh did I say it was slightly illegal?

That was sarcasm...

12
0
Anonymous Coward

Legality

Is this even legal in the UK (or EU)? Surely this qualifies as interception under RIPA for starters, and it is clearly not with informed consent of the user. Maybe about time the rules made quite clear what exactly you can and can't bury 622 paragraphs down in T+Cs and still take a punt at claiming you have consent. Being spied on for gain should never, ever be a permissible condition of taking a service.

Perhaps the carriers would like to explain explicitly what uses they put the data to?

39
0
Bronze badge
Unhappy

Is it used in EU?

This would be very clearly illegal in my country (Finland), and I am pretty sure in most other EU countries as well. This is after all a place where even web tracking cookies are illegal in principle. But I wonder if the software even appears in Europe? I got the impression from some articles that this is something some carriers put on phones they supply in contracts, and would not be in handsets not from carriers. If so, it is the carriers that would take the heat.

10
0
Anonymous Coward

Hehe

They will be the next ones after Intel contributing to the Euro salvation benevolent fund.

Pity it will not be a similar amount of money.

1
0
Silver badge

A quick google leads me to believe it's only installed on handsets (not just android handsets either) sold in the US. Lucky them...

12
0

@macrorodent

so far I haven't found it on my phone: HTC Desire originally from O2 UK.

0
0

EU says yes, UK Gov says no..

If this is anything like the Phorm case, you'll find that the EU says yes, this kind of interception is banned by the EU Directive on communication, but our government says that RIPA (which is partially based on the EU Directive on communication) doesn't apply, as it only applies to government organisations.

Personally, I agree with the EU (my understanding is that where our law conflicts with EU law, EU law is the more powerful), but our government appears happy to side with anyone who bungs it a couple of billion for a comms licence.

I also don't see why any software that is designed to monitor network quality needs to send anything back other than signal strength numbers, the time and duration of any significant spikes and drops in signal strength, number of calls dropped and the cell ID (not as a crafty way of tracking your location, more that if a Cell goes tits up, they need to know about it).

4
2

RIPA protects you from 'the state' not private companies.

1
1
Silver badge
Big Brother

Well,

IMHO we have far more to fear from the state than from private companies.

Private companies - even at their worst - are just after money.

The State, however,.....

3
1
