Security Researcher Shows That -- Despite Carrier IQ's Claims To The Contrary -- CarrierIQ Records Keystrokes

from the now-that's-kind-of-scary dept

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless.
Dave Kravets at Wired highlights what's really scary about all of this:
By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?
I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: android, keylogger, phones, rootkit
Companies: carrieriq, sprint, verizon wireless


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 1 Dec 2011 @ 12:16pm

    As long as it took you to write this story I figured you were going to let it go. Then when you did write it you left things out. Like statements from the companies from sprint, Samsung, rim, apple, carrier iq. I was really looking for an in depth review of the legality of it all. http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests -phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

    p robably a better source on this topic.

    link to this | view in thread ]

  2. icon
    Mike C. (profile), 1 Dec 2011 @ 12:18pm

    Carrier IQ press release translation...

    I also like the "translation" of the recent Carrier IQ's press release found here

    link to this | view in thread ]

  3. icon
    Jared (profile), 1 Dec 2011 @ 12:42pm

    Does this not fall under some wiretapping laws? They are spying on you without your knowledge. I doubt that the cell contract covers this depth of record keeping.

    link to this | view in thread ]

  4. identicon
    rubberpants, 1 Dec 2011 @ 12:44pm

    Re: Carrier IQ press release translation...

    I like that. Translations of that type are needed more often.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 1 Dec 2011 @ 12:47pm

    Re:

    http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests -phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

    a ccording to what i read is it could but not necessarily there are exceptions in wiretapping laws for the telecoms to troubleshoot services. However since this is a third party working for the telecoms it probably does. Furthermore this software continues to work over a wireless LAN even when the phones cellular is disconnected which means that you are no longer on their networks.

    According to Gizmodo Al Frankin has already sent a letter to Carrier IQ. So we shall see. This reminds me so much of Sony and their rootkit a few years back.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 1 Dec 2011 @ 12:50pm

    Re:

    I also would have liked to have seen you print their reply letter to Mr. Eckhart. Its a real im so sorry letter. http://www.carrieriq.com/company/PR.EckhartStatement.pdf
    http://www.carrieriq.com/company/PR.Eckhar tStatement.pdf

    link to this | view in thread ]

  7. icon
    Chronno S. Trigger (profile), 1 Dec 2011 @ 12:54pm

    For those with Android phones who are worried, this may help. I found out that my phone (N1 running Cyanogenmod) does not have this software. I figured it wouldn't, but it's good to have confirmation.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 1 Dec 2011 @ 12:57pm

    Re:

    Cyanogen mod and other roms have been removing this forever since it slows the phone down. Most of them list that it is removed. However not all phones have a bunch of good roms available.

    link to this | view in thread ]

  9. icon
    Kevin H (profile), 1 Dec 2011 @ 1:00pm

    Perhaps I can use this as the cudgel I need to get out of my current contract?

    link to this | view in thread ]

  10. icon
    velox (profile), 1 Dec 2011 @ 1:17pm

    Disabling Carrier IQ's software

    There are several apps on the Android Market which can be used to disable anything that comes pre-installed by your carrier, including this spy software from Carrier IQ. You do need to root your phone in order to use this kind of tool however.

    link to this | view in thread ]

  11. identicon
    anonymous, 1 Dec 2011 @ 1:22pm

    interesting reads:

    h**p://arstechnica.com/business/news/2011/12/wikileaks-docs-reveal-that-governments-use-ma lware-for-surveillance.ars

    h**p://www.mirror.co.uk/news/top-stories/2011/12/01/wikileaks-julian-a ssange-tells-iphone-blackberry-and-gmail-users-you-re-all-screwed-115875-23603003/

    let's see what responses there are

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 1 Dec 2011 @ 1:24pm

    In case anyone didn't want to watch the video but would like a synopsis, it demonstrates Carrier IQ's software:

    -Being difficult to find and impossible to remove
    -Recording everything from the power button to the volume control
    -Recording every number entered into the dialer (even if you don't actually call someone)
    -Recording the contents of every incoming SMS message before the message is displayed
    -Recording the URL of web sites viewed over a WiFi connection (even HTTPS URLs, which are supposed to be encrypted)
    -Still running on a phone that no longer has paid wireless service

    link to this | view in thread ]

  13. icon
    Paul C. Bryan (profile), 1 Dec 2011 @ 1:27pm

    No evidence of transmission

    There is no evidence in Eckhart's video that this information is being transmitted to Carrier IQ, period. What he was displaying were debug log output from the phone.

    Writing these captured events to the debug log is not a good idea, and is potentially a vector of attack, but is not evidence that Carrier IQ is storing and/or transmitting this data.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 1 Dec 2011 @ 1:28pm

    Re:

    Won't hurt to try if there's nothing covering it in whatever agreement or contract you signed.

    link to this | view in thread ]

  15. icon
    bjupton (profile), 1 Dec 2011 @ 1:53pm

    Re:

    So then we'll just get a new FISA with this shit grandfathered in.

    Hooray for the republic!

    link to this | view in thread ]

  16. icon
    Blaine (profile), 1 Dec 2011 @ 2:35pm

    Re: No evidence of transmission

    It does show that the sCarrier IQ process is subscribed to each keystroke event and receives the data. (Keystrokes, URLs and Text messages Collected)

    Its been shown that sCarrier IQ does connect to it's home servers and send/receive data.

    I guess it's up to you if you trust them to do nothing with data they've collected.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 1 Dec 2011 @ 2:59pm

    Re: Disabling Carrier IQ's software

    Depending on your phone this is not neccissarily correct because this application is a rootkit. Some phones will not work with stock roms after removal. Even with root access. CIQ is different on each phone. that is why these removal programs are flawed. The best and only way to get rid of it is either switch to verizon -htc. Or root and rom your phone with a custom built rom ie cyanogen or the many others.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 1 Dec 2011 @ 3:01pm

    Re: Re: No evidence of transmission

    This is correct the only truth known is that it collects all data. And sends some logs to CIQ which may or may not contain all of the data.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 1 Dec 2011 @ 3:58pm

    Re: Re:

    Well, your first link is to an article that was posted within an hour of this article, so Techdirt would have needed to be clairvoyant to include the content.

    Techdirt already posted the reply letter in an earlier article about Carrier IQ, which is linked to in the body of this article.

    Your criticisms are uninformed and unwarranted.

    link to this | view in thread ]

  20. icon
    velox (profile), 1 Dec 2011 @ 4:03pm

    Re: Re: Disabling Carrier IQ's software

    I'm certainly not an expert on all android phones, but I am running an EVO 4G which is rooted and I can tell you what worked on there. I was able to disable both HTC IQAgent and IQRD using Bloat Freezer. I haven't tried, but I suspect if Bloat Freezer can do this, then Titanium Backup Pro can also do it.

    I did not load cyanogen or any other mod, so I don't think your statement that you need to do more than root your phone is generally correct.

    Note that Mr. Eckhart has called IQRD a rootkit, but it is kind of a lame rootkit in that it doesn't hide itself when all applications are listed.

    link to this | view in thread ]

  21. identicon
    John Doe, 1 Dec 2011 @ 4:25pm

    Supposedly Verizon phones don't have this

    If there is a class action suit, I would like to be in on it even though Verizon apparently doesn't use Carrier IQ. These guys and anyone involved in putting this on phones should spend a long time in jail over this. This is bullshit!

    link to this | view in thread ]

  22. identicon
    Rekrul, 1 Dec 2011 @ 4:45pm

    I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

    What makes you think that the companies will allow that? I'm sure that by now, all the mobile carriers have drawn up new terms of service expressly forbidding any legal action against them. All thanks to SCOTUS.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 1 Dec 2011 @ 4:51pm

    Re:

    This is off-topic in the extreme, but is there some way that we can fit a word starting with "R" into that acronym so that it will be "SCROTUS?"

    I feel like this is in the best interest of our great nation.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 1 Dec 2011 @ 5:04pm

    Re: Re: Re: Disabling Carrier IQ's software

    depends on the phone. http://androidforums.com/galaxy-prevail-all-things-root/455231-do-not-use-treves-ciq-removal-tool.ht ml I tried to explain it to you but its not the same on htc as it is on samsung nor is it the same from froyo to gingerbread. telling people all they have to do is root to freeze it is misleading.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 1 Dec 2011 @ 5:17pm

    Re: Re: Re: Disabling Carrier IQ's software

    http://forum.xda-developers.com/showpost.php?p=11763089

    the important parts "
    Carrier IQ's native libraries are plainly visible - libiq_client.so and libiq_service.so in /system/lib. During every boot, this service is launched - you can see it in Settings > Applications > Running Services as "IQAgent Service". These native libraries are called by non-native (Android application) libraries located in ext.jar (the client) and framework.jar (the service). Removal of these (rather obviously-named) libraries alone, be it the .so files or the libraries in framework or ext, will, obviously, break boot. So I had to dig deeper. To make a long story short, reference to the IQ Service and IQ Client were littered across the deepest portions of the framework, and some of the most basic functions of the Android system as we know it."

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 1 Dec 2011 @ 5:18pm

    Carrier IQ Software May Be in iOS, Too...

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 1 Dec 2011 @ 5:24pm

    Re: Re: Re: Disabling Carrier IQ's software

    straight from Trev's website.

    The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ. Logging Test App can identify files used in logging and you can manually patch or use Pro version to automatically remove.

    Im not entirely sure that freezing it would end it.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 1 Dec 2011 @ 5:35pm

    Re: Re: Re: Re: Disabling Carrier IQ's software

    I wish i could edit these and make one long comment. This one in particular needed quotation marks around the middle paragraph.

    link to this | view in thread ]

  29. icon
    That Anonymous Coward (profile), 1 Dec 2011 @ 5:54pm

    Re: No evidence of transmission

    There is no evidence that it is not transmitted either.

    CarrierIQ decided to launch an ill thought out lawsuit to stop people from even looking at their product, to use a creepy idea if you have nothing to hide why complain so loudly. If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could ally any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once they law was explained to them, and now we can see large amounts of data being recorded.

    I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don't use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

    If they are not using the "extra" data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.

    link to this | view in thread ]

  30. icon
    velox (profile), 1 Dec 2011 @ 5:55pm

    Re: Re: Re: Re: Disabling Carrier IQ's software

    Alright, to respond to your point, I'll be more precise:
    -->> If you are running a HTC phone, "root to freeze" does disable CIQ, and I have confirmed that it does work with both froyo and gingerbread phones.

    The thread you are linking to isn't discussing 'root to freeze'. It is talking about a removal tool that Trevor Eckhart has put forward as a solution to the problem. The thread claims that Samsung owners may brick their phone if the CIQ software is removed. "Freezing" bloatware isn't the same thing as removing the software. Actual removal of a factory installed program is more likely to "brick" a phone since the program is not present to respond to scripting within the boot-up process, whereas freezing merely shuts a pre-installed program down at the end of the boot process.

    Perhaps we will hear from someone else who has a rooted phone from another manufacturer?

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 1 Dec 2011 @ 7:17pm

    Re: Re: Re: Re: Re: Disabling Carrier IQ's software

    I am currently running a rooted Samsung intercept which is why I was interested in the first place. It is running Carrier IQ. I will specifically try your solution tomorrow.

    I should qualify myself I am an embedded communications developer for a test equipment manufacturer. With that being said I have never developed on android. But I have developed for Open-embedded Angstrom and TimeSyS linux. What is described in all of the articles is not just some binaries and a couple of processes. Carrier IQ has its hooks in the kernal via kernel patches. this is how it logs keys on a hardware level these loggers "may" not be shut down by disabling the process.
    ----------------Warning Tinfoil Had Has been Donned---------
    Furthermore since practically all bootloaders are locked you have no idea what is going on there. If it were me I would have something in the bootloader that could check to see if the process is indeed running and if it is not then to re-install all related items and rename the process.

    Like I said I am not an android developer but If I was going to devise something like this for embedded linux I think this would be the way to go. ie. you could have your process write date and time to a location in memory if the bootloader then reads that place in memory and compares it to whats in boot logs. Like I said we do not know what carrier IQ does for sure. We have only scratched the surface. Does carrier Iq do what I said? No probably not but the potential is there. Which could be very scary because even a rom would not necessarily get rid of it. My last android phone was a samsung moment you installed recovery over the regular rom and then you booted into its secondary bootloader to load a rom. So even though samsungs low level bootloader remained untouched it would jump to another bootloader at least that is how I understood it to work. This method would be similar to http://www.absolute.com/en/.
    ----------------------Tin Foil Hat Removed------------------
    If i am wrong in any way I apologize I just don't think this is something that should be trivialized. This is why i dont just want it frozen I want to nuke it from orbit its the only way to be sure.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 1 Dec 2011 @ 8:01pm

    Re: Re: Re: Re: Re: Disabling Carrier IQ's software

    Bloat/CIQ Freezer by trey Holland is on the market. Claims to freeze CIQ but gives no option to freeze the IQ agent on my phone. Unless its under a different name I think this is a not yet.

    link to this | view in thread ]

  33. icon
    That Anonymous Coward (profile), 2 Dec 2011 @ 12:01am

    Re: Re: Disabling Carrier IQ's software

    If your running on a verizon phone look for kpi logger, read its permissions... then be worried.

    I have a feeling this might be much more common than people would like to think.

    link to this | view in thread ]

  34. icon
    DOlz (profile), 2 Dec 2011 @ 1:18am

    Re:

    Wiretappings laws, how quaint.

    link to this | view in thread ]

  35. icon
    Paul C. Bryan (profile), 2 Dec 2011 @ 9:26am

    Re: Re: No evidence of transmission

    There is no evidence that it is not transmitted either.

    In a free and democratic society, when someone accuses another of wrongdoing it's customary to require the accuser to prove their claims, not require the accused to disprove them.

    CarrierIQ decided to launch an ill thought out lawsuit to stop people from even looking at their product, to use a creepy idea if you have nothing to hide why complain so loudly. If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could ally any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once they law was explained to them, and now we can see large amounts of data being recorded.

    Sigh, where to begin with this?

    1. No lawsuit was filed. A demand letter was sent by Carrier IQ. A reply declining the demand was sent by EFF. Another letter from Carrier IQ was sent, apologizing and retracting their demands.

    2. Complaining loudly—no matter how rude, obnoxious or misguided—is not evidence of wrongdoing.

    3. In the video, all we see is the debug output of a program running on a phone. Until there is evidence that this software is storing and/or transmitting this data, it seems reasonable to ask tough questions about the design of this software, though not not to conclude that massive breaches of personal privacy are taking place.

    I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don't use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

    You ask the question, implying we should conclude that either Verizon knows Carrier IQ is malware, or they ship malware of their own. The simpler explanation seems to be that they just don't want to have anything to do with this controversy.

    If they are not using the "extra" data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.

    Considering that there is clear evidence that Carrier IQ is outputting such event details to the debug log, I think we can safely conclude that this software is "crappy", possibly because of performance as you point out, but mostly because such information could lead to breaches of security.

    link to this | view in thread ]

  36. icon
    Bonnie (profile), 2 Dec 2011 @ 10:00am

    Re: Re:

    This Carrier IQ business was enough to get me motivated to root my phone and install the Cyanogen. Loving it so far.

    link to this | view in thread ]

  37. icon
    Tim K (profile), 2 Dec 2011 @ 1:02pm

    Class Action Filed

    link to this | view in thread ]

  38. icon
    MiniMage (profile), 2 Dec 2011 @ 5:14pm

    How could any company use the software, if the data isn't transmitted?

    Of COURSE, the data is transmitted! How on earth can the three companies who admitted to using the software to improve their services actually use it, if the software doesn't report back to Carrier IQ? And the person who blew this wide open stated that the software continues to report back to CIQ, even if you cancel your wireless service. If you are going to give CIQ the benefit of the doubt, and claim they can't be guilty of anything, until they are found guilty, then let's give this guy the same benefit of the doubt, and not call him a liar, until a lie is proven. CIQ has already been caught lying about recording keystrokes, so why not give this guy more credence than them? Will he lose a whole company, if he's lying? Will CIQ? Hmmm.

    link to this | view in thread ]

  39. icon
    The eejit (profile), 4 Dec 2011 @ 7:44am

    Re: Re: No evidence of transmission

    Well, at least the Carrier IQ thing explains why my gig of data is always insufficient.

    link to this | view in thread ]

  40. icon
    Alex (profile), 7 Dec 2011 @ 6:02am

    Hard to say that I'm surprised. It's a well known fact that mobile providers can and are tracking mobile phone users. That's really easy to do because cell phones send signals to base stations to reveal their location to the network.

    So that's not surprising that manufacturers of cell phones decided to start their own tracking.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.