Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill ... and a month after a security researcher first discovered it. BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile …
Don't be hasty
We still don't have all the facts about Carrier IQ yet. It might be exactly what they claim it to be - purely diagnostic. Diagnostics are an essential component in complex systems - it might help engineers understand the specific events that lead to a failure.
I'm not waving the flag for Carrier IQ because I don't have all the facts yet. But it's quite possible that it is all quite legitimate and, in fact, desirable (if it prevents catastrophic network failures). The time to decide is when we have all the facts - the real problem is that Carrier IQ have been lousy communicators up to this point.
So let's all take the risk...
...that it could be malicious.
Let's all have slower phones because of some diagnostic program we don't need as we aren't experiencing any problems.
When there is a problem, put on diagnostic software and remove it when the problem is solved, informing the user at both stages. It's not rocket science.
It's a rootkit - regardless of whether its use is justified
When I run a rootkit scanner on my machine, it detects ANY program/code that is trying to hide itself. The scanner does not make any judgement about whether the code has a legitimate purpose - that is for the user to decide (and some of the things it finds are legitimate).
Not identifying the rootkit is a failure of the companies who profess to safeguard our systems, and sends a clear indication as to who would win in a 'corporate vs user' interests contest.
If it is not, why is it written this way?
Well, if it is not "malware" why the hell does it use undocumented Android functionality which prevents removal?
Regardless of the software's ultimate intent - It is HIDING itself.
I have a problem with that.
We know it very well. It IS a purely diagnostic tool. Nobody is disputing this. The problems are two:
First, in order to provide exhaustive and useful diagnostic information, it can collect vast amounts of privacy-sensitive data. (I wrote "can collect" as opposed to "collects", because what it actually collects can be configured by the carrier.) This is a HUGE breach of privacy.
Second, it tries to hide while doing so and it cannot be easily turned off. This tends to annoy people. If it had an opt-in policy (as opposed to the current no-opt-out policy), if it clearly explained what exactly it collects, for what purpose, what it sends to the carrier and how that can help the user, nobody would have had any problems with it.
Also, it is a bit unfair that CarrierIQ gets all the blame. After all, they are just a software company making a diagnostic tool. This tool does exactly what their customers - the carriers - want. People should direct their ire towards the carriers who have been shipping it pre-installed, instead. Why aren't they telling their customers what kind of information they are collecting on them and why there is no easy way to opt out?
Ah, you are mistaken. It doesn't use any undocumented Android functionality. The reason why it cannot be removed (without rooting the device) is because it comes pre-installed by the carrier and resides in an area of the device's memory to which the user doesn't have write access on a non-rooted device. It is no more and no less difficult to remove than any of the other pre-installed apps.
I completely agree that in some cases having this software for tech support to use would be a huge help. However, that doesn't get around the fact that I should have the ability to turn it off. Now, yes, they could argue that until your contract is up you do not own the phone, so they can do what they like with it, but that's a big grey area. But they have no right whatsoever to have the software on there if either A) I own the device (paid full price for it) or B) I've finished my contract. So rather than spending a fortune on having to deal with returns to remove it, why don't they just leave an option to turn it off? (They probably don't do this as user ignorance is to their advantage.) If it's not on your device and tech support can't help you, then perhaps they will just have to fix things the good ol' way, the way we have been doing things for the last 30-odd years: experienced tech support and service centres.
Don't think so ...
It may be malicious, it may not be, that's the whole point of flagging the software as potentially undesirable and not as a rootkit right away.
It is certainly not legitimate since the user is never asked for his accord.
- all mobile apps, even DRM ones, still ask for the user to approve their access
- on Windows, the user is told that logs are being kept or that automatic updates take place and he can choose to enable them or not
And Lookout is wrong: the analogy should be made with Sony. Sony commissioned a third party to do their rootkit. Here, the makers/carriers commission the software from Carrier IQ. It's not Windows Update. The "Windows Update" on Android is the Android Market. And the user still has to opt in to make updates automatic, not opt out, while Carrier IQ doesn't offer any "opt"-ing.
"It may be malicious, it may not be..."
And even if it's not, some bit of software may hook into its calls and use it for nefarious purposes, without having to contain its own code to log your keypresses.
"Carrier IQ's initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it's about and how its technology operates in a way that has defused many (but not all) of the original concerns."
Why is it in fairness? It's not like it was their intention. Carrier IQ tried the scumbag lawyer approach and then when that blew up in their face they tried to go the PR route.
A very poor statement from el Reg I think.
"...it doesn't appear that Carrier IQ's software is malware"
It just records your usernames and passwords (and everything else) without you knowing and without means of stopping it. If this isn't malware then I don't know what is.
It then uses your data allowance/talk time that you have paid for to send the data that they have captured. This is simply theft, which ought to be a matter for the police.
You don't actually get the difference between monitoring and recording, do you?
From their own statements and the security demo CiQ monitors your activities, records what it needs to, and ignores the rest.
No-one has proved otherwise. Until they do, let's calm the hysteria.
"It then uses your data allowance/talk time that you have paid for to send the data that they have captured"
Reference please. It was my understanding that the Carrier IQ data dump was uploaded, but did not come out of any bundle. The carrier commissioned the data dump according to their configuration settings (1x/day, week, whatever) and this was performed separately from YOUR data. It was also my understanding (from the filings this week) that a data dump would take place even if you had no data contract - many company-issued cellphones do not have data enabled so this is a significant factor.
To do it any other way is asking for a lawsuit from disgruntled punters. It's not rocket science for the carrier to split out CIQ traffic.
Whoah steady on
1) It's still not clear exactly what it keeps for sending. If it records things temporarily because it has to, then so be it. The reporting of it sounds varied, and I don't really know Android well enough to really get to the bottom of it, but it does sound like it just has a global hook on text entry, and then filters out the presses it gets back for the interesting ones. The fact that it stores those presses in RAM while it's processing them shouldn't shock anyone technical, or be cause for alarm.
2) It's installed by the carriers, so they will clearly whitelist the URL that it uploads to. You may notice a bit of a reduction in your data connection while it uploads, but it won't cost you a penny. If we take their guy at his word then it only uploads when the carrier asks it to. This doesn't sound particularly malicious.
All in all, it sounds like a poor design of some diagnostics software (probably so that it was easier to port), not an attempt to harvest data maliciously. Stop jumping the gun already.
It sounds like it's a dumb system that blindly records everything such that if there was an event, it could dump everything you were doing when the phone crashed or had a problem. It has no way to know what you were doing except that at the time of the crash you were typing zxcv1234 into the phone while application foo was running.
The scary part... Does this open a potential vector of attack? Not that I'm saying that CarrierIQ would be malware, but that malware couldn't figure out how to access this information?
Actually they've already admitted to recording more than they need to
They record URLs. They consider this ok because they don't record the web pages themselves, but URL tracking is itself a privacy invasion.
Obviously you've failed to understand the correct meaning of the term "malware".
Spying, tracking and monitoring software is only "malware" if it's not put there by a multi-billion-dollar corporation or one of their government puppets. Thus, if it had been you or I who rooted millions of people's phones to put the CarrierIQ software on them, THEN it would have been detected as "malware" within 24 hours of its release and we'd be looking at a few years in the blue light hotel. But because it was put on there by big telcos, it wasn't classed as "malware" until it became necessary for the PR machine to cover arse for its discovery.
I do know the difference.
I just happen to think it's irrelevant in this context.
...of the middleman(1) and openness(2).
1). It's why I only ever buy SIM-free phones.
2). It's why I rate proprietary OS's over open ones.
This works for me. I imagine the *nix world is about to fight itself to the downvote button.
"It's why I rate proprietary OS's over open ones."
You were saying?
SIM-free I can agree with, but Carrier IQ was on iphone as well. How is a proprietary OS any better when it was clearly found on both Android and IOS?
If you genuinely believe that security by obscurity works, I invite you to read pretty much anything written by Bruce Schneier on the matter. Bruce Schneier is a genuine security expert with many years of experience who is widely recognised by the community to be a foremost expert in his field. You are not.
Of course not.
You're right. I know nothing about security and I'm such a clueless idiot. Thank you ever so much for setting me straight. I'll go buy an Android phone from Talk Talk right away.
Actually no. You're an idiot.
I made it clear that it works for me. I made no claim as to its effectiveness as a policy. I also made no claim about my knowledge of security (but why not - read other posts I made on here, and work it out).
If you were to analyse the risk involved in choosing a phone you might come up with something like this:
Risk = something naughty on my phone,
Impact = well serious, innit.
Probability = variable*
* Variable because it's different per platform.
If you're a black hat you'd target something that yields the mostest (number of targets), for the leastest (you might only have time for hacking a single platform). That makes probability on Android high, iOS medium, and on Bada, WebOS or Windows Phone low.
Of course we're just people, so we're all susceptible to seeking out only those facts that support our emotional (and, sadly, often irrational) attachment to a particular idea/product/mobile OS. If you disagree with that one, read Irrationality by Stuart Sutherland.
Economics and psychology are huge factors in security. If you want to find out more about that, read Ross Anderson's Security Engineering.
Opt in is always better
Apple made the use an opt in. That makes it better.
Some of the questions raised in the article are relatively easy to answer.
1) Why are some AV companies reluctant to label Carrier IQ as malware and, most importantly, add detection of it in their main scanners, and even if they do implement detection, they do it in a separate app? Well, dunno about Kaspersky, but Lookout comes pre-installed by several carriers on their phones. Most of these carriers also pre-install CarrierIQ. Imagine now if the pre-installed malware scanner starts reporting out-of-the-box that the phone contains malware. What will happen? The carriers will drop the AV product, of course - leading to financial losses for its producer. Ergo, the producer isn't going to detect CarrierIQ as malware with its main product.
2) Why don't they offer removal? CarrierIQ comes pre-installed by the carrier, which means that it resides in the firmware, among the other pre-installed apps. The only way to remove any of those is by rooting the phone. A security company can't afford to do this routinely on the phones it processes - or its own product would be classified as malware by some.
3) Why weren't the AV products detecting CarrierIQ heuristically, using the fact that it requires many dodgy privileges? Unfortunately, Android's privileges are not granular enough to be usable as a base for good heuristics. By this I mean that you can't easily pick a set of privileges and say that if an app requires them, then it is suspicious. There has been a rather deep study of this issue (an AV company comparing the privileges used in the known malicious apps and in the apps on the Android Market) and the conclusion was that it is not possible to determine the maliciousness of an application from the set of privileges it requires.
It's been known about for a lot longer than a month
The article on the XDA forum that one of the commentators on your original story linked to was dated MARCH 2011.
The Android development community has known about it for quite a while. Perhaps the reason no one has been particularly bothered is that the 'security researcher' who 'discovered' it recently is spreading FUD.
Now that's not to say that it's something I'd want on my phone, but all these hysterics are out of proportion.
Potential uses of Carrier IQ
An application that has access to all data, but does not actually "use" this access. Looks for me like the dream of enforcement agencies - functionality is already there "just in case". When they say "jump" CarrierIQ just asks "how high?".
Is CarrierIQ functionality remotely triggerable? Can new functionality be added remotely to it?
Would, in a "police state", an application like CarrierIQ be mandated by law in order to ensure access to encrypted user communications is available on request?
If the above is true, would that slow anti-virus firm reactions? ;)
Not CarrierIQ. The carrier. It is the carrier who instructs CarrierIQ what data to collect and send. Yes, it is remotely triggerable (configurable, more exactly). Adding new functionality - no, but there is plenty of existing one.
The fascist government doesn't need to mandate the use of CarrierIQ. First of all, they can go directly to the carrier (with a secret court order or just with a big gun, depending on how fascist the government is) and require access to all the phone-related traffic of the victim, CarrierIQ or not. Second, the GSM phones use the A5 encryption algorithm, which isn't that difficult to crack in real-time. I've seen offers from security companies that have devices doing it within 0.3 seconds.
What sense would it make to alert the user that there's CarrierIQ installed on their systems when it can't be removed by the anti-virus software? And how often should they alert the user? Every 5 minutes? Every day? At every reboot? It would be still annoying and worthless information.
Not at all. Whether or not the AV software can remove a threat, it makes complete sense to alert the user to something that is at least suspicious. Reducing alerts is usually taken care of by providing a means to 'whitelist' the software after the first detection. Easily done, and not an excuse for doing nothing. And nor is it an excuse that the suspicious software is pre-installed - they should be judging solely on the nature of the software, regardless of its origin.
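One way a scanner could implement the alert-once-then-allowlist behaviour the comment above describes, as an added example that is not code from any AV product or from this thread. The package name, the binaries and the "potentially-unwanted" verdict string are constructed; the allowlist is keyed on the package name together with the hash of the installed binary, so a silently swapped or updated binary re-alerts, and the pre-installed flag is carried but deliberately not consulted.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One scanner result. All field values in this example are constructed."""
    package: str
    sha256: str          # digest of the installed binary
    verdict: str         # e.g. "potentially-unwanted", "malware"
    preinstalled: bool   # origin of the package; intentionally NOT used when deciding


@dataclass
class AlertPolicy:
    """Alert on first sight; stay quiet only after an explicit user allow,
    and only for that exact (package, digest) pair."""
    allowlist: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def allow(self, finding: Finding) -> None:
        """User chose to keep the software: remember this exact binary."""
        self.allowlist.add((finding.package, finding.sha256))

    def decide(self, finding: Finding) -> str:
        """Return 'alert' or 'suppressed'; origin (pre-installed or not) is ignored."""
        key = (finding.package, finding.sha256)
        action = "suppressed" if key in self.allowlist else "alert"
        self.log.append((finding.package, finding.sha256[:12], action))
        return action


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def scan(installed: dict, policy: AlertPolicy) -> list:
    """Emulate one scan pass: hash each installed package and consult the policy.

    `installed` maps package name -> (binary bytes, preinstalled flag).
    """
    actions = []
    for pkg, (blob, preinstalled) in installed.items():
        finding = Finding(pkg, digest(blob), "potentially-unwanted", preinstalled)
        actions.append(policy.decide(finding))
    return actions


def run_demo() -> list:
    """Three scans of a constructed pre-installed diagnostics agent."""
    policy = AlertPolicy()
    agent_v1 = b"constructed diagnostics agent build 1"   # constructed sample binary
    agent_v2 = b"constructed diagnostics agent build 2"   # a later, changed build
    pkg = "com.example.diagagent"                          # constructed package name

    results = []
    # First sight: alert, even though the package is pre-installed.
    results += scan({pkg: (agent_v1, True)}, policy)
    # User reviews the alert and allowlists this exact binary.
    policy.allow(Finding(pkg, digest(agent_v1), "potentially-unwanted", True))
    # Same binary again: stays quiet.
    results += scan({pkg: (agent_v1, True)}, policy)
    # Binary changed underneath the allowlist entry: alert again.
    results += scan({pkg: (agent_v2, True)}, policy)
    return results


if __name__ == "__main__":
    print(run_demo())  # expected: ['alert', 'suppressed', 'alert']
```

Keying the allowlist on the digest rather than the name alone is the point: a user's decision to tolerate one known build should not silently extend to whatever replaces it.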
It's not malicious but it is a massive vulnerability particularly if it is sending unencrypted forms of every keystroke entered onto the device (as claimed by Trevor Eckhart http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/)
... what you describe is a threat.
Because it is covert, it is self evidently malicious unless you *want* that to happen.
"Carrier IQ.......was more akin to Microsoft Software Update."
Oh dear. There's enough food there to keep the local trolls fat for some time....
Its main use seems to be on the iPhone 4.
Of course no one may ever find that, due to the nature of iOS.
This is why iOS malware used by criminals and government services, whilst less likely to go on, will be harder to detect.
Apple used the words 'stopped supporting Carrier IQ', so it is no doubt still in there in use by whoever.
I guess you've missed the message that the iPhone was found to record your whereabouts and keep a week's worth of information of this kind on the phone (accessible to anyone with physical access and a bit of knowledge) and send it to Apple too.
Why is it (as well as when did it) become necessary to have antivirus software for *any* (smart)phone?
Have the smartphone platform designers learned nothing from the M$ approach to security?
Are we really going to have to accept that the AV vendor's products, adding bloat, risk vectors of their own, sucking performance and battery longevity are the norm?
Well, it's a matter of choice, really.
You can have a completely closed system, be allowed to run only what the system producer thinks is good for you, be relatively safe from malware and be left without recourse if something bad happens (like, the producer screws up big time).
Or you can have an open system, vulnerable to malware (because it is just as open to the bad guys too), which leaves the responsibility for your protection mostly on your own shoulders, and have freedom to run on it whatever you want (including malware) and get quick help from more knowledgeable enthusiasts whenever a need arises.
I realize that each of these two alternatives appeals to different kinds of people. Me, I'd take malevolent freedom over benevolent dictatorship any time - but not everybody might feel the same.
I've said the same elsewhere. Apparently some people don't like the idea of freedom if it requires them to consider the consequences of their actions.
Follow the money
Some of these anti-malware apps are undoubtedly looking to get deals with the operators. I suspect the near future will be full of operators bundling cra... er, "apps we might find useful" on their handsets with some kind of financial arrangement in place. No-one wants to destroy their relationships with the operators, and potential for future wonga, if the operators are the ones installing CarrierIQ and getting all sniffy if you brand it malware...
If the Carrier IQ software is compromised and the vendor fails to address the vulnerability, will the vendor be liable for any data loss or fraud? After all, this is software loaded by the vendor that is not necessary for the operation of the phone.
I've never understood this mindset of antivirus companies
This mindset has always existed with Antivirus companies, even on the desktop
For example, you can buy legal key-logging software to install on your PC, your spouse's or your child's PC etc. Some of them are rather intelligent Trojans that can even email keystrokes to you and then delete themselves automatically. However, most antivirus software will not flag this as a warning!!!
Zonealarm for cell phones?
It seems about time that we need a firewall app for our phones now.
After using a program I do not want to be asked if I want to rate the app!
After using a program I do not want to be bothered if I want to check if there is an update!
When doing nothing I do not want an app to think for itself to phone home!
I do not want an app that demands to use wifi 24/7 - sorry, to use this app you must have wifi enabled. WTF!!!! Kinda like games that demand to be connected just to post a high score. I DON'T CARE!
Please, makers of Zone Alarm, we need you to make an app for our cell phones now!
It exists and is free
DroidWall does what you need, although it needs root access since it uses functions of the underlying Linux core. Root enabling can be the ultimate security risk if you aren't careful, by the way.
Already exists, requires root
Use DroidWall or similar if you want a gui.
In the licence for the latest Samsung Kies update...
(that's the PC software to manage a Samsung Android device)
I seem to have consented to Samsung monitoring all my data and activities on the device except specifically those that it's illegal to monitor, for whatever reason they choose, but, in particular, in case I may be using the device outside its permitted licence conditions.
This is a few days ago, maybe just after the Carrier IQ story (re?)-broke.
Oh, well. I guess I'd just better not take it with me on any protest marches, or read political web sites.
I suppose that by "illegal" they mean "like actually tapping phone calls except when the government secretly asks them to".
Worthless information? Just being told one would be a start, and then you could decide if you wanted to ditch the carrier (or moan to get it removed).
By the same argument, I expect you don't see the point of doctors telling patients they have an incurable disease either, as it's 'worthless information'.
App running, but hiding itself...
If your anti-virus isn't giving an informational warning about this (at the very least), then what use is it?
Define "hiding". Do you know how many processes are running on your average PC, which aren't immediately obvious? Should AV programs "warn" about each one of them too?
Not defending CarrierIQ (or the carriers pre-installing it) here - I personally think that it is a huge privacy violation - but AV programs have to be more particular than reporting anything you don't immediately see.