Blogger and iPhone hacker Chpwn believes that the controversial Carrier IQ software isn’t confined to Android devices. In this blog post, he says a look at the /usr/bin folder reveals Carrier IQ’s agent software, identified as IQAgent in iOS 3, and either awd_ice2 or awd_ice3 on iOS 4 or iOS 5 devices. At this point, Chpwn …
Were you when Android was found using it?
Why? This is how a diagnostic tool should behave, not acting like a rootkit and capturing everything you do on the phone.
Carrier IQ would be in no trouble if they had done the same on Android as they did on iOS.
Maybe they tried, but Apple just wouldn't have it?
just wondering..... why the hell are cooperate entities interested where we go and what we look at? Advertisement? Aren't they spending way too much on advertisement instead of improving their products?
Anyway.... why the hell is this legal? Even if it is included in the "privacy agreement/policy", that is not enough. The user needs to be told to his/her face that this will be done so that they can make an informed decision.
I wish all the entities I deal with would co-operate.
Had a look at the diagnostic logs on mine (iOS)
And there's no record of where I went or what I looked at.
Just how many SMSs I sent, how many calls I made (not to whom), how the battery performed and some radio power parameters.
Hardly shocking stuff. As a developer myself I expect they would need this sort of information to figure out any problems, but I can turn it off if that's still not ok.
Check the settings
You can see the data sent from the iPhone by going to
Settings > General > About > Diagnostics & Usage > Diagnostics & Usage Data
And you can switch it off by selecting the Don't Send option.
but at this stage, a user might not be sure whether they can trust the user-settable options to actually do what they seem to offer.
I would have expected an opt-in instead of an opt-out to be honest....
IIRC you are asked when setting up your phone if you want to opt-in to sending diagnostics.
I saw one Twitter post that claimed the only phones which did not have the software installed were running WP7 and Maemo but some carrier specific N9 firmwares did. Is there any way to confirm this?
"Even voor alle duidelijkheid: Nokia installeert GEEN CarrierIQ op haar producten"
Translation: "Just to make this clear: Nokia installs NO CarrierIQ on its products"
Don't they all deny it?
Hardly think a tweet from the "Communications Manager, connecting Nokia and people in Benelux." is enough to prove anything regarding CarrierIQ on Nokias...
First rule of twitter is don't believe everything you read on twitter...
Sony Ericsson appears to honour the opt-out
Haven't worked out who supplied the QC monitor on my SE Android phone but it does seem to be honouring my 'send anonymous usage stats' opt-out. No sign it's running at all. I don't normally trust anything with Sony in the name but the Ericsson guys seem to actually have a clue about doing things right.
Might just go ahead and delete it anyway, a bit more free space to move apps into ;)
This spyware is not ready yet!
And even if you DO believe the Nokia rep,
that doesn't mean the company selling Nokias doesn't install it after the fact.
Nokia have confirmed that they don't use Carrier IQ, but...
However I'd like to know what Nokia Analytics Collector in the Symbian Anna update 2/2 does. They haven't exactly gone out on a limb to explain that.
> I saw one twitter post that claimed the only phones which did not have the
> software installed were running WP7 and Maemo
That post was incorrect. It was posted by someone who did not know the extent of the problem.
Strange, that - someone on the Internet posting bollocks...
Cyanogenmod on a Samsung is looking better and better.
From what I've read it's only carrier branded phones and only in the US - there are (AFAIK) no reports of European phones with it installed.
Also not Nexus phones - because they're not carrier modified.
TBH though it's all a storm in a teacup - it's never been demonstrated that this software logs anything significant.. a debug log is not sufficient evidence - show the tcpdump output with it actually sending data it shouldn't.
I think the storm is mostly because this was deeply installed and hidden, with no way to turn it off on the Androids that have it.
Then Carrier IQ didn't help themselves by not coming forward clearly.
A great man once said, "The price of freedom is eternal vigilance!"
"it's never been demonstrated that this software logs anything significant"
Granted that's true but can you, for a second, imagine how much all that sort of diag type info would be worth to marketing companies? Imagine the millions of people walking about with mobiles in just the US alone, all giving just enough info to allow targeted advertising to be a worthwhile reality? Sickening is what that thought is. However I can imagine a few marketing execs wetting their seats at the prospect of the huge pay-day that sort of info could fetch!
That's why it needs to come out, so others don't get ideas about collecting our data without letting us know first, this sort of shitty "app" needs destroying BEFORE people get any more stupid ideas.
Let me correct that for you.
If iOS contains it then it's not just limited to carriers - no carrier can meddle with iOS.
For Nexus see above. Until each Nexus manufacturer or Google confirm it we cannot be sure no Nexii have it.
It's not a storm in a teacup. It's never been demonstrated that the data is transmitted; until this is confirmed or denied we don't know if this is a squall in a thimble or a hurricane in a soup tureen.
Let me fix that for you:
"...it's never been demonstrated that this software logs anything significant on an iPhone..."
It has been demonstrated to log all keystrokes via SSL connections on Android. If that isn't significant, I don't know what is. And the caution here is that yesterday the Mactards were saying it wasn't on the iPhone at all. Today the investigator says it is there, but he hasn't located anything problematic. Apparently he hasn't looked extensively at the installation yet, so a deeper inspection might find something which has been obfuscated. Note that I'm not blaming Apple if there is, just as I don't blame Google for the Android problem. This problem belongs squarely with the carriers who install the software and don't tell punters what they are doing.
Maybe you should read the original piece?
In which there's a video of the guy using tcpdump (what a shock!) live capture which shows his phone uploading every digit press on the phone pad, every query to Google, even the HTTPS encrypted ones and even every incoming text message.
Is that enough evidence for you or are you just trolling?
Do you know what *tcpdump* is? Because that guy WAS NOT using tcpdump but just adb logcat. It means that there is still no proof that your HTTPS URLs are actually sent anywhere.
Where is the independent confirmation? (Again)
Where is the independent confirmation CIQ is recording personal data? ANYBODY can make an edited video and post it on the net. I would think by now Reg readers would have the sophistication to understand seeing is NOT believing because videos and photographs can be Photoshopped or edited to make anything appear to be happening. How many "Internet videos" have the Mythbusters debunked, for example?
Without INDEPENDENT duplication of the results, preferably by another method. It is just a tempest in a teapot and unworthy of belief.
> there's a video of the guy using tcpdump
Are you sure about that?
The video I watched (several times...) showed someone looking at a debug trace. I didn't see him using tcpdump.
But every keypress was captured, every URL as well :-(
Change your ROM
Metavisor, there is a way to remove Carrier IQ, and all the other sh*T your carrier has foisted upon you: ROOT and clean 'em out yourself, or install a custom ROM. Simples!
Exactly what a diagnostics tool should do
1) It can be easily turned OFF or ON
2) You can see exactly what was sent if on (it shows up under "Diagnostics & Usage data", if on you'll have a ton of awdd_* reports there)
3) When ON it records only the essential information, doesn't need all your keystrokes and URLs, or even phone numbers you dialled.
What I can't understand is why the Android version was made to be so intrusive.
Installing iOS 5 asks you upfront - would you like us diagnostic data?
If you never knew it was there until someone told you, how is it intrusive?
I nip round your house everyday while you are at work for a mooch through your stuff.
1) I don't take anything
2) You didn't know I did this until now
Which means it is
a) OK (As I'm not taking anything)
b) Not intrusive (as you didn't know about it until now)
More reason, if any were needed, to buy a SIM-free phone. When you work out how much a smartphone on contract costs these days it's not like you're saving any money anyway.
Granted but not all of us have the 500 sovs upfront for the latest Apple or Samsung smartphone, easier to add £150 quid on the price and pay on the tick for the next 2 years!
This stuff runs on iPods; the data gets sent to Apple, not the carrier
So, like, why not get an older phone then?
I'm still using a Samsung Jet (which is what, over 2 years old now?) and it. just. works. Has a touch screen, supports web & e-mail, has office-like features (agenda, notebook, etc.) and can sync itself to stuff like Outlook 2010 (with a little fiddling).
It's not as if those older devices suddenly stopped working or something...
I've been using my Missus' old second-hand iPhone 3G for the last 13 months, unlocked it and used it on a PAYG SIM. The screen got smashed about 2 weeks ago and I just really fancied treating myself to something new for a change, so I paid half the cost of a Galaxy S2 phone and got a cheap monthly contract from O2. Normally I wouldn't bother, I've made do with a cheap £20 Alcatel from Argos on PAYG for 6 months prior to getting the second-hand iPhone.
I wasn't bemoaning the fact, simply pointing out that if you want ultra new and shiny it comes at a price, we all have to decide when the how much is too much.
Fan, Shit, Hit
Nothing from the American Firms to give us the warm fuzzies about this nonsense? Sprint???
How illegal is this in the EU?
I'm thinking that if it is confirmed that this software has been installed on any phones sold in the EU, then it will be curtains for carrier IQ and serious financial damage to any network that supplied a phone with it installed. The EU is hot on privacy ... and right now it needs every last cent it can lay its hands on.
It's reports like this...
... that make me glad SIM-locked phones are so much less common across mainland EU.
@The Fuzzy Wotnot: there's this concept called "saving up" you might want to look into. Taking out yet another loan is increasingly frowned-upon of late.
Believe it or genius, if everyone suddenly stopped borrowing money the world's financial systems would disintegrate in a matter of days with zero hope of reprieve. Borrowing is what keeps the world's financial systems afloat. The system breaks down when you lend money to those you know cannot possibly pay it back and sell that debt to someone else, playing pass-the-parcelbomb, ala the US sub-prime mortgage fiasco. If some form of bond can be put up to secure the loan, no matter how large from a single mobile phone to national GDP sized, then financial institutions lending money will ensure you still have a job to go to tomorrow and not find yourself in a real life version of the Fallout 3 game!
Ask your bank
Given that so many financial institutions are pushing people to use their phones for banking etc., the smart thing to do is ask them if it is secure given this information.
You really need to stop mentioning the SSL stuff
You're just embarrassing yourselves. SSL protects the data during transport. This happens way before then, this is not even part of the communication stack. This is logging key presses, nothing to do with transport.
To be honest it draws the credibility of this Eckhart chap into question given that he felt it was important to point out. He should have made it clear that SSL isn't intended to protect against this sort of situation.
who needs credibility
when it sounds better for the cameras?
I am forever glad that I don't own a cellphone of any kind. I used to, 5 years ago, but I found that being permanently "connected" was actually quite intrusive. People knew they could get hold of me, even if I didn't want to be gotten hold of.
If I dared turn it off, I got interrogated. "Why was your phone off...", so I decided to bin cellphones entirely, and don't regret it, ever.
Sure I get a weird look when I tell people I don't have a cellphone, but who cares?
I was cellphone free for about 3 years, and didn't really miss it either. Only got it back when the oldest son started driving. Once the kids are grown and gone, the cell will probably go back into a drawer.
Silence and disconnectedness are vastly under-rated these days.
... except the problem isn't the phones, it's the people. Enola Gay didn't fly itself.
I make it clear that I own a cellphone so that I can get hold of people, not so that people can get hold of me. Codependents are got rid of (sometimes forever) with the simple question "What part of 'Please leave me a message' didn't you understand?"
There's one exception. I have always refused, and will continue to refuse, a work mobile; I insist that the office contact me on my personal mobile. They are then far less likely to think they have the right to call me out of hours. One company gave me one even when I had refused it, so not only did I keep it locked in a desk drawer at the office whenever I wasn't at work, I told them I was doing so. They didn't complain.