Carrier IQ VP: App on millions of phones not a privacy risk
More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy …
The fact that they are logging *ANY* of this information is a security risk. What prevents any other application on the device from reading the log?
Also, has their "SMS API" been audited to be sure it's secure?
The truth lies in the middle ground between the security research industry's perfectly-valid fears, and the company's adamant denials. Ignorance of the law is not a defense. CarrierIQ did a lot of things wrong.
Ciq have done very little wrong.
It's the carriers and vendors who have installed it on the phones without clearly asking for an opt in who are to blame.
To use the analogy of the fishing net again - what would bothers me is if the size of the holes in the net can be updated dynamically over the air thus turning minor monitoring into major.
If they are listening on nearly every Android "Intent" there may be other choices besides SMS to make this application do things that were not intended by its creator.
"What prevents any other application on the device from reading the log?"
What prevents another app from doing the same or worse than what CIQ is doing? The "log" you speak of would have less information that the source of that information, the handset itself. As for what keys were pressed, if the software that could read CIQ logs were installed, it could be a keylogger itself.
What did CIQ do wrong?
1) They didn't install the app, the carrier did
2) The carrier asked CIQ for this app
3) The servers are controlled by carrier
4) The carriers already save the SMS messages anyway
5) It it not a keylogger
And it is called Keytracer (+IQ Agent Service) on my SGS II from Sprint
Also, if you check the video then you will see that keylogger logs *all* key presses all the time.
Could you tell me why the CIQ application logs my keys? You do know that Verizon does not preinstall the application, right?
Following your logic HP, Dell and others should install keyloggers on each and every Windows 7 machine that they produce in order:
- to deliver better service when something is not working, so their support center can know right off the bat what is going on;
- to monitor what applications people prefer so manufacturers can create better user experience by preinstalling them;
- to monitor your location in order to give you region specific offers;
- etc.
In US it is called *wiretapping*.
They are still intercepting communication the user reasonably expects to be secure.
The Android permission model protects the device from these kinds of privacy invasions in a normal scenario. This application not only bypasses that, but also logs the data in an insecure manner so ANY APP CAN READ IT. Not good practice, because now, even if CarrierIQ is telling the truth and they are behaving in a trustworthy manner with our data, they have just exposed the device to the point where anyone else can see what they saw.
Yeah and Phorm was just supposed to gather some vague info for some basic advertising, ensuring the user knew about it!
Stop believing the shite these corps spew you muppet!
in their product. And they can send that information back to base whenever MS program it too.
Now, in the case of MS, the programming interrupts the send to request your permission, which makes it legal. It may be legal for the carriers as well. The permission may be buried in the legaleese most of us breeze through when we sign the contracts.
The issue I see for the phones is that for all the holes in MS software, they are better separated than the stuff on our phones, which makes this a bigger security threat, even if it is intended as a purely diagnostic tool.
We're told that Carrier IQ acts upon messages from outside. It's be interesting to know what sort of instructions it can be given and whether this backdoor could be exploited by someone hostile. Criminals and governments would love to gain control of a built-in rootkit. I can see people wanting to install software firewalls in phones as we've seen with PCs.
Or is this guy so full of shit that it's spewing out of his ears?
Even if what he said was true to any degree - it's still another layer of bullshit software monitoring almost every event, which will add latency and load to the phone, even if it is only minute.
It's wholly unnecessary. If it was to measure quality of service, it wouldn't need to log any SMS or button presses. It could simply log location based on triangulation of GSM towers, and the strength from those towers. Maybe it could log an event where a call gets dropped without pressing the end call button, then your approximate location based on the GSM tower triangulation.
That's about all I can think would be reasonable, at most. Why it needs to receive information about everything else I don't know. I still wouldn't want it, but at least it would be defensible.
And that's why software configuration management and runtime configuration exists.
Maybe Verizon et al. haven't yet fully gotten arround to that.
Reg: "His version of the software has been confirmed by Dan Rosenberg, an Android security researcher who has reverse engineered Carrier IQ and examined the underlying machine language."
The World And His Dog needs an interview with that guy, too.
CarrierIQ: "To prove that's the case, we've brought in security consultants to take a look at our code and take a look at what we're doing and validate it."
That sounds pretty legit to me.
Yes, CarrierIQ needs to talk smooth, but that's understandable -- they suddenly have to deal with bored senators, a busybody FTC, four lawsuits, bad press, irate progressives demanding "ANSWERS, MAN" and people who think capturing a keycode is spying?
(Meanwhile, didcha know that the US senate okayed military detention of Americans without charges or a trial, even if snapped up on a random street of the homeland? Is it in the news?)
What about call failures when there is 5 bars? You can have full strength and still have a call failure, garbled voice, etc. You can even have a call setup failure; this no end call button pressed.
Take an Android phone, Google has all your info, it logs every AP and the MAC address it has and reported it to Google. My AP's are known by Google and yet never has an Android device been connected to them.
@DAM
It's entirely possible for the senate to be wrong about detention and right about phone snooping. The detention debate is irrationally distorted by the hysteria of the War on Terror.
But why slow down every phone and create a possible security risk to hunt down rare occurrence that no one has even reported? Why not wait till a user has a problem, as them to put some diagnostic software on their phone and, when the problem is found, get them to remove the software?
We have:
- Software that the provider claims is safe, but we only have his word on it.
- If the software is safe at the moment, who is to say it won't have more ominous uses later.
- And, what is to stop someone hooking the calls in this software, so their own code does not show any intercepting code?
All still a bit nasty sounding to me
are problematic to solve are the intermittent ones. Ones where the software has to be installed before the event happens, captures the data, and delivers it to the troubleshooters when a good connection is available.
That doesn't mean it doesn't comes without security risks. I'm in the camp that says users should be appraised of those risks and allowed to decide whether or not to provide the info.
Sorry, but I have to say bullocks as they say across the pond. The data sent to carriers is much more than just radio and device performance information.
I have researched and had confirmed by a source at AT&T that they get info on app usage including ALL side-loaded applications, use it to determine who uses tethering (and if that's anonymous, how are they targeting those that tether for the warning emails & letters?), they also get information on the ads you view & how you respond to each ad.
So, how did they convince you? Did you look at any of the code yourself? Are you just taking the word of a Coward? (sorry couldn't resist that grapefruit hanging there in the air.)
> I have researched and had confirmed by a source at AT&T
Pics or it didn't happen.
Also, you may want to take your questions up with AT&T and Verizon, as these are really the interested parties.
"I have researched and had confirmed by a source at AT&T that they get info on app usage ..."
So you didn't read the bit where he said "We have others . . . where they get an upload once a day that will contain information about what applications you've been using."
Thanks, on behalf of some of us across the pond who don't know the difference. To clarify for my fellow Yanks: "Bollocks" is British for "bullshit", or "horse hockey"; "Bullocks" is a reference to a skinny overrated movie actress.
... on both counts.
As a Bertrand Russell once said: ‘It is a misfortune for Anglo-American friendship that the two countries are supposed to have a common language’.
Please show us. So far we've seen a video of a dev reading a log file over USB. That's it. All this hoo har, all these accusations - dragging down Carrier IQs rep. And no one has provided any proof yet that the data is really being sent off anywhere.
The data being TEMPORARILY logged is no different from the data in your regular sms inbox, sent items, browser cache etc.
Chapter one: Who gets the scapegoat ?
So these carrieriq guys are pointing at the operators ("the data is commissioned by the operators"). This is backed up by at least one Operator; looking back at the previous article 'Sprint' basically confirmed the whole thing: "Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service.".
Quite frankly I think they're telling the truth. Its already a given fact that operators will do anything to 'force' customers to stay with them, think about locked down cellphones for example. So within that context I tend to give these guys the credit of the doubt, even though I strongly spoke against it in an earlier thread.
Unfortunately we can't be sure for now. Its a proven fact that privacy sensitive data leaves the phone; but where its going is a mystery so far. My bets are on the operators, but for all we know this could be a ruse....
1) Does Carrier IQ use native APIs to get such privileged access or are special APIs mandated by operators so that CIQ can work?
2) If 1 is the latter, can malicious apps access these APIs too?
3) The CIQ exe probably runs at the highest privilege level. Is the app well written? Can a malicious app exploit it?
On Android, none of what's described requires privileged access; it's all standard APIs that market apps can request. The difference of course is that normally you have to opt-in, i.e. at the point where you choose to download an app, you're presented with the permissions and have to approve them.
Collected by CIQ keylogger.
"My point is that the software was never designed to gather and transmit that text."
Didn't Google say something similar when they were going about slurping as much wi-fi data as they could on their streetview rounds?
Oh, at 200 KB per day, he's talking about 6 MB per month which I have paid for and am not getting which doesn't make a hill of beans on an unlimited (read 2 GB in the US) plan but given I'm a miser and only flip for 50 or 200 MB it's a rather onerous chunk.
"6 MB per month which I have paid for"
So did you notice anything unusual on yer phone bill, old chap?
Maybe these chunks are marked "not billable" in the billing system, who knows.
+1 on your first point, but as regards the second I seriously doubt the operator would include CIQ's 6MB in your monthly quota. That would be asking for trouble. More likely the CIQ data is tagged and separated from your account as quickly as possible.
This has been going on for over a week now! Carrier IQs first reaction was to send in the dogs and threaten the little guy who found their software with a lawsuit, which they very, very quickly dropped once the EFF got involved. This, in my eyes, tells us all we need to know about CIQ and their software... They used scare tactics and then quickly withdrew them in the hope that TrevE would consider himself lucky and not pursue things further. Something to hide fellas?
Hopefully the damage is done and no amount of attempted limitation is going to put the genie back in the bottle... well, until another, similar company sneaks in the back door and we get to take another spin on the privacy merry-go-round... again!
Thank goodness we've got inquisitive guys like TrevE looking out for us, and, when companies decide to "shoot first", they've got the EFF to back them up.
(Apologies if the is reposted El Reg, something odd happened and it didn't appear as "submitted" in my "My Posts" page... actually, looking at it my last few comments haven't?)
TrevE just yet.
He wasn't looking out for us he was was publicity seeking. He was very disengenuous about that demo and some of the things he said were misleading at best. For example the https stuff was irrelevant but made to be a big deal.
You mean having your encrypted information broadcast in the clear to a third unknown party will not harm you in the slightest, do you have person walking around with you to the bank who then shouts out your credit card details to all and sundry including your pin?.
The CIQ software is just listening in on the OS' standard event loop—the code that receives all input from the user and parcels it out to the relevant OS functions and any running apps. That latter category happens to include the browser.
I.e. the CIQ code is intercepting user input *before* the browser code has even received it and had a chance to encrypt it. You can write key loggers for *any* OS with a similar event loop. OS X, Gnome and KDE, Windows—you name it.
As the software has been specified and agreed to by the operators themselves, there was no need for the app to request the user's permission as that permission was granted when said users bought the phone and agreed to the operator's own terms and conditions. (Read the small print, folks!)
Apple appear to have been using CIQ primarily as a debugging, performance metrics and instrumenting tool, rather than for the benefit of operators.
I think the wrath hurled at CIQ has been a little over the top: Many hardware engineers and software developers rely heavily on tools like these. They can really come into their own when performing regression testing: if you know a certain sequence can reliably cause a crash, you can write a simple script for the QA team that replays the exact same input sequences. The team runs this script on future OS builds to see if that bug you thought you'd now killed has stayed dead. Over time, you end up with a hell of a lot of such scripts, which your QA team runs in batches against each and every new build.
By all accounts, it does genuinely appear to be disabled in iOS 5.
The fundamental issue here is whether the carriers have been genuinely abusing the software, or whether they're just using it to monitor their network's performance, as is claimed. Whether the users were aware of the application's existence in the first place is utterly irrelevant: they agreed to the operators' T's & C's up-front. The onus is on the end user to read those contract terms and conditions *before* signing on the dotted line.
It may be 2011, but the golden rule of "Caveat Emptor" still applies.
If it turns out that the CIQ software _is_ being misused, a hurricane of rage and fury shall be perfectly justified. But until there is solid evidence of this, it's just the usual uninformed media maelstrom of wild, baseless, speculation and tin-hat paranoia.
Could you clarify how it is harmless when all your keys are logged *before* HTTPS encryption takes place?
Do you understand that those keys are logged into a file that *any* application on the phone can read?
Do you understand that it is *easy* to parse the log file?
Do you understand that for the bad guys this is a *very* big Thanksgiving/Christmas/New Year gift?
Probably, it is time to root my family's phones (Evo 3Gs, Evo 3D and SGS II)
Extremely unlikely that any application could read the log file, assuming there even is one. Yes it is logging events, but I don't think there is confirmation it logs to file? Android apps do not have access to other apps' data files unless permission is explicitly given or the device is rooted.
But yeah it's all a big unknown until the source is provided or somebody completely reverse engineers it.
Did you actually read the article?
They explicitly state that they do not log the key presses or SMS contents to a file. They simply parse them for specific key sequences that tell the software to perform certain actions. A bit like being able to type a key sequence into your phone to get it to display your IMEI number, they can do the same for their software. So they are parsing the key presses, but not logging them. They say this all takes place in RAM.
Even if *any* application could read the log file, surely if the bad guys have installed software on your phone, them reading this file would be the least of your worries. I'm sure the bad guys would rather just log key presses themselves rather than read a log file that is missing most of the data they would want access to.
Now whether you believe their assurances that they are not logging keys and SMS messages to files is up to you, but I think their willingness to open their code to independent auditing and the reverse engineering by security researchers that confirms their assertions should give their claims some credence.
From what I've read about this I get the see a lot of people referring to 'logs' or 'logging' but that's not what is essentially happening as per the video. The CIQ app isn't creating that log that was shown in the video, that was the event 'stream' that the phone was producing and the app was keeping an eye on the 'stream' whilst using it's real-time filtering at the same time, when it's sees an event that it needs for analytical purposes it catches it from the stream and saves what it needs into this 200kb file for transmission. So the all of that event stream in the video is what the phone is producing the app is just dipping in to it.
It's the carriers that need to be taken to task over this not carrier IQ, just because someone makes a gun doesn't mean I have to use it.
If this software is supposedly harmless, as you claim it is, why hasn't "Wanker IQ" provided a simple software removal tool to eliminate it, from all rooted smart phones, so infected from day one, when it first went live?
And the answer is.................................."pull the other one it has bells!"
"The fundamental issue here is whether the carriers have been genuinely abusing the software, or whether they're just using it to monitor their network's performance, as is claimed. Whether the users were aware of the application's existence in the first place is utterly irrelevant: they agreed to the operators' T's & C's up-front. The onus is on the end user to read those contract terms and conditions *before* signing on the dotted line.
It may be 2011, but the golden rule of "Caveat Emptor" still applies."
Are you a shill?
Once they realise that there is a problem they will tryto undertand theproblem. And once they understand the problem they will try to solve it. This usually takes the phorm of buying a bigger and better machine.
It was the making of Windows. I can't see how it can fail for phones.
Is it also embedded in CyanogenMod? Or is it embedded in a layer above the OS? Because otherwise, this spyware is the sort of reason that may push the majority of users to root & flash their phones.
Have checked and not found it in cyanogen mod. Given that there are so many cyanogen Roms around its not guaranteed but it's fairly unlikely.
This is a piece of software installed or mandated by the carrier, not the manufacturer.
If you have an ROM based on android source (like cyanogen) or you get it direct from Google then you do not have this application. Nor will you have it if you buy an unlocked and unbranded phone direct from the manufacturer.
The application is installed by the carrier (or by the manufacturer at their behest) on carrier branded phones.
Furthermore this whole shamozzle seems limited to the US.
I don't think any of the above is any sort of excuse though and your man in the interview here is full of shit.
He is saying that their application looks at everything and then decides what to record. He also says their application can take instructions from SMS.
He then says they hand the reigns of this powerful and easy to misuse software over to the carriers; a group of companies not usually noted for their intelligence, probity or ethical behavior....
Looks like someone is getting a kickback!
Really; the Reg is okay with a company releasing a software that allows the capture of information that is thought to be private?
WITHOUT the consent or knowledge of the user?!?!??
Wow... Just... Wow....
I suspect that most of the carriers have 'consent' buried in their t&c's somewhere. Unlike apple who asked explicitly for consent.
Bear in mind CIQ provide a service, it's the people that abuse that service should feel our ire.
it's ok to sell child porn so long as you don't film it yourself? It's just a service you're offering.
And it never helps.
Stop trolling and drink some beer instead
You are implying that CIQ people did not understand what kind of application they were writing, right?
An application that logs *every* keypress *without* owner's consent (watch the video, it is all there) is totally legal as soon as you can sell it, right?
I understand (but do not agree) when CIA/FBI requests an application that snoops on every keypress.
But I do not understand when a carrier requests such thing and a company like CIQ *agrees* to write the applicatoin.
If I was a technical lead on such a project I would of start asking questions why do we write an application like that and what are legal consequences.
Sign up, sign up for The Register's weekly IT security newsletter - click here
