Security Researcher Shows That -- Despite Carrier IQ's Claims To The Contrary -- CarrierIQ Records Keystrokes

from the now-that's-kind-of-scary dept

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down... and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don't piss off a security researcher. Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless.
Dave Kravets at Wired highlights what's really scary about all of this:
By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It's not even clear what privacy policy covers this. Is it Carrier IQ's, your carrier's or your phone manufacturer's? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government's ban on wiretapping?

And even more obvious, Eckhart wonders why aren't mobile-phone customers informed of this rootkit and given a way to opt out?
I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

Filed Under: android, keylogger, phones, rootkit
Companies: carrieriq, sprint, verizon wireless


Reader Comments



  • identicon
    Anonymous Coward, 1 Dec 2011 @ 12:16pm

    As long as it took you to write this story I figured you were going to let it go. Then when you did write it you left things out. Like statements from the companies from Sprint, Samsung, RIM, Apple, Carrier IQ. I was really looking for an in-depth review of the legality of it all. http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests-phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

    Probably a better source on this topic.


  • icon
    Mike C. (profile), 1 Dec 2011 @ 12:18pm

    Carrier IQ press release translation...

    I also like the "translation" of the recent Carrier IQ's press release found here


    • identicon
      rubberpants, 1 Dec 2011 @ 12:44pm

      Re: Carrier IQ press release translation...

      I like that. Translations of that type are needed more often.


  • icon
    Jared (profile), 1 Dec 2011 @ 12:42pm

    Does this not fall under some wiretapping laws? They are spying on you without your knowledge. I doubt that the cell contract covers this depth of record keeping.


    • identicon
      Anonymous Coward, 1 Dec 2011 @ 12:47pm

      Re:

      http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests-phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

      According to what I read, it could but not necessarily; there are exceptions in wiretapping laws for the telecoms to troubleshoot services. However since this is a third party working for the telecoms it probably does. Furthermore this software continues to work over a wireless LAN even when the phone's cellular is disconnected, which means that you are no longer on their networks.

      According to Gizmodo, Al Franken has already sent a letter to Carrier IQ. So we shall see. This reminds me so much of Sony and their rootkit a few years back.


    • icon
      bjupton (profile), 1 Dec 2011 @ 1:53pm

      Re:

      So then we'll just get a new FISA with this shit grandfathered in.

      Hooray for the republic!


    • icon
      DOlz (profile), 2 Dec 2011 @ 1:18am

      Re:

      Wiretappings laws, how quaint.


  • icon
    Chronno S. Trigger (profile), 1 Dec 2011 @ 12:54pm

    For those with Android phones who are worried, this may help. I found out that my phone (N1 running Cyanogenmod) does not have this software. I figured it wouldn't, but it's good to have confirmation.


    • identicon
      Anonymous Coward, 1 Dec 2011 @ 12:57pm

      Re:

      Cyanogen mod and other roms have been removing this forever since it slows the phone down. Most of them list that it is removed. However not all phones have a bunch of good roms available.


  • icon
    Kevin H (profile), 1 Dec 2011 @ 1:00pm

    Perhaps I can use this as the cudgel I need to get out of my current contract?


    • identicon
      Anonymous Coward, 1 Dec 2011 @ 1:28pm

      Re:

      Won't hurt to try if there's nothing covering it in whatever agreement or contract you signed.


  • icon
    velox (profile), 1 Dec 2011 @ 1:17pm

    Disabling Carrier IQ's software

    There are several apps on the Android Market which can be used to disable anything that comes pre-installed by your carrier, including this spy software from Carrier IQ. You do need to root your phone in order to use this kind of tool however.


    • identicon
      Anonymous Coward, 1 Dec 2011 @ 2:59pm

      Re: Disabling Carrier IQ's software

      Depending on your phone this is not necessarily correct because this application is a rootkit. Some phones will not work with stock roms after removal. Even with root access. CIQ is different on each phone. That is why these removal programs are flawed. The best and only way to get rid of it is either switch to verizon -htc. Or root and rom your phone with a custom built rom ie cyanogen or the many others.


      • icon
        velox (profile), 1 Dec 2011 @ 4:03pm

        Re: Re: Disabling Carrier IQ's software

        I'm certainly not an expert on all android phones, but I am running an EVO 4G which is rooted and I can tell you what worked on there. I was able to disable both HTC IQAgent and IQRD using Bloat Freezer. I haven't tried, but I suspect if Bloat Freezer can do this, then Titanium Backup Pro can also do it.

        I did not load cyanogen or any other mod, so I don't think your statement that you need to do more than root your phone is generally correct.

        Note that Mr. Eckhart has called IQRD a rootkit, but it is kind of a lame rootkit in that it doesn't hide itself when all applications are listed.


        • identicon
          Anonymous Coward, 1 Dec 2011 @ 5:04pm

          Re: Re: Re: Disabling Carrier IQ's software

          Depends on the phone. http://androidforums.com/galaxy-prevail-all-things-root/455231-do-not-use-treves-ciq-removal-tool.html I tried to explain it to you but it's not the same on htc as it is on samsung nor is it the same from froyo to gingerbread. Telling people all they have to do is root to freeze it is misleading.


          • icon
            velox (profile), 1 Dec 2011 @ 5:55pm

            Re: Re: Re: Re: Disabling Carrier IQ's software

            Alright, to respond to your point, I'll be more precise:
            -->> If you are running a HTC phone, "root to freeze" does disable CIQ, and I have confirmed that it does work with both froyo and gingerbread phones.

            The thread you are linking to isn't discussing 'root to freeze'. It is talking about a removal tool that Trevor Eckhart has put forward as a solution to the problem. The thread claims that Samsung owners may brick their phone if the CIQ software is removed. "Freezing" bloatware isn't the same thing as removing the software. Actual removal of a factory installed program is more likely to "brick" a phone since the program is not present to respond to scripting within the boot-up process, whereas freezing merely shuts a pre-installed program down at the end of the boot process.

            Perhaps we will hear from someone else who has a rooted phone from another manufacturer?


            • identicon
              Anonymous Coward, 1 Dec 2011 @ 7:17pm

              Re: Re: Re: Re: Re: Disabling Carrier IQ's software

              I am currently running a rooted Samsung intercept which is why I was interested in the first place. It is running Carrier IQ. I will specifically try your solution tomorrow.

              I should qualify myself: I am an embedded communications developer for a test equipment manufacturer. With that being said I have never developed on android. But I have developed for Open-embedded Angstrom and TimeSyS linux. What is described in all of the articles is not just some binaries and a couple of processes. Carrier IQ has its hooks in the kernel via kernel patches. This is how it logs keys on a hardware level; these loggers "may" not be shut down by disabling the process.
              ----------------Warning Tinfoil Hat Has Been Donned---------
              Furthermore since practically all bootloaders are locked you have no idea what is going on there. If it were me I would have something in the bootloader that could check to see if the process is indeed running and if it is not then to re-install all related items and rename the process.

              Like I said I am not an android developer but if I was going to devise something like this for embedded linux I think this would be the way to go. ie. you could have your process write date and time to a location in memory if the bootloader then reads that place in memory and compares it to what's in boot logs. Like I said we do not know what carrier IQ does for sure. We have only scratched the surface. Does carrier IQ do what I said? No probably not but the potential is there. Which could be very scary because even a rom would not necessarily get rid of it. My last android phone was a samsung moment; you installed recovery over the regular rom and then you booted into its secondary bootloader to load a rom. So even though samsung's low level bootloader remained untouched it would jump to another bootloader, at least that is how I understood it to work. This method would be similar to http://www.absolute.com/en/.
              ----------------------Tin Foil Hat Removed------------------
              If I am wrong in any way I apologize, I just don't think this is something that should be trivialized. This is why I don't just want it frozen, I want to nuke it from orbit, it's the only way to be sure.


            • identicon
              Anonymous Coward, 1 Dec 2011 @ 8:01pm

              Re: Re: Re: Re: Re: Disabling Carrier IQ's software

              Bloat/CIQ Freezer by trey Holland is on the market. Claims to freeze CIQ but gives no option to freeze the IQ agent on my phone. Unless it's under a different name I think this is a not yet.


        • identicon
          Anonymous Coward, 1 Dec 2011 @ 5:17pm

          Re: Re: Re: Disabling Carrier IQ's software

          http://forum.xda-developers.com/showpost.php?p=11763089

          the important parts "
          Carrier IQ's native libraries are plainly visible - libiq_client.so and libiq_service.so in /system/lib. During every boot, this service is launched - you can see it in Settings > Applications > Running Services as "IQAgent Service". These native libraries are called by non-native (Android application) libraries located in ext.jar (the client) and framework.jar (the service). Removal of these (rather obviously-named) libraries alone, be it the .so files or the libraries in framework or ext, will, obviously, break boot. So I had to dig deeper. To make a long story short, reference to the IQ Service and IQ Client were littered across the deepest portions of the framework, and some of the most basic functions of the Android system as we know it."

          link to this | view in chronology ]
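
A read-only check for the file names given in the post above, as an added example that is not part of the original thread or of Eckhart's tools: it scans a local copy of a phone's /system directory for the two native libraries and for framework.jar / ext.jar entries that mention them. The marker strings and all function names are assumptions made here; a hit shows presence only, not what the software records or sends.

```python
import os
import tempfile
import zipfile

# File names taken from the forum post quoted above.
NATIVE_LIBS = ("libiq_client.so", "libiq_service.so")
FRAMEWORK_JARS = ("framework.jar", "ext.jar")
# Assumption: code that loads those libraries embeds their base names,
# since System.loadLibrary() takes the name without "lib" and ".so".
MARKERS = (b"iq_client", b"iq_service")


def scan_system_tree(system_root):
    """Scan a local copy of /system for the Carrier IQ artifacts named above.

    Returns a dict with three keys, all using paths relative to system_root:
      native_libs    - Carrier IQ .so files found under lib/
      jar_references - {jar: {entry: [markers]}} for jar entries naming them
      unreadable     - jars that could not be opened as zip archives
    """
    report = {"native_libs": [], "jar_references": {}, "unreadable": []}

    for name in NATIVE_LIBS:
        if os.path.isfile(os.path.join(system_root, "lib", name)):
            report["native_libs"].append(os.path.join("lib", name))

    # Look for the jars anywhere in the tree rather than assuming a path.
    for dirpath, _dirs, files in os.walk(system_root):
        for name in sorted(files):
            if name not in FRAMEWORK_JARS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, system_root)
            try:
                with zipfile.ZipFile(full) as jar:
                    for info in jar.infolist():
                        data = jar.read(info)
                        found = [m.decode() for m in MARKERS if m in data]
                        if found:
                            report["jar_references"].setdefault(rel, {})[
                                info.filename] = found
            except zipfile.BadZipFile:
                report["unreadable"].append(rel)
    return report


def build_sample_tree(root):
    """Create a small constructed /system layout (not data from a real phone)."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "framework"))
    for name in ("libiq_client.so", "libc.so"):
        with open(os.path.join(root, "lib", name), "wb") as fh:
            fh.write(b"\x7fELF")
    with zipfile.ZipFile(os.path.join(root, "framework", "framework.jar"),
                         "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("classes.dex", b"dex\n035\x00...iq_service\x00...")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "framework", "ext.jar"), "w") as jar:
        jar.writestr("classes.dex", b"dex\n035\x00no references here")
    with open(os.path.join(root, "framework", "core.jar"), "wb") as fh:
        fh.write(b"not scanned")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_system_tree(tmp))
```
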

        • identicon
          Anonymous Coward, 1 Dec 2011 @ 5:24pm

          Re: Re: Re: Disabling Carrier IQ's software

          straight from Trev's website.

          The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ. Logging Test App can identify files used in logging and you can manually patch or use Pro version to automatically remove.

          I'm not entirely sure that freezing it would end it.


          • identicon
            Anonymous Coward, 1 Dec 2011 @ 5:35pm

            Re: Re: Re: Re: Disabling Carrier IQ's software

            I wish I could edit these and make one long comment. This one in particular needed quotation marks around the middle paragraph.


      • icon
        That Anonymous Coward (profile), 2 Dec 2011 @ 12:01am

        Re: Re: Disabling Carrier IQ's software

        If you're running on a Verizon phone look for kpi logger, read its permissions... then be worried.

        I have a feeling this might be much more common than people would like to think.


  • identicon
    anonymous, 1 Dec 2011 @ 1:22pm

    interesting reads:

    h**p://arstechnica.com/business/news/2011/12/wikileaks-docs-reveal-that-governments-use-malware-for-surveillance.ars

    h**p://www.mirror.co.uk/news/top-stories/2011/12/01/wikileaks-julian-assange-tells-iphone-blackberry-and-gmail-users-you-re-all-screwed-115875-23603003/

    let's see what responses there are


  • identicon
    Anonymous Coward, 1 Dec 2011 @ 1:24pm

    In case anyone didn't want to watch the video but would like a synopsis, it demonstrates Carrier IQ's software:

    -Being difficult to find and impossible to remove
    -Recording everything from the power button to the volume control
    -Recording every number entered into the dialer (even if you don't actually call someone)
    -Recording the contents of every incoming SMS message before the message is displayed
    -Recording the URL of web sites viewed over a WiFi connection (even HTTPS URLs, which are supposed to be encrypted)
    -Still running on a phone that no longer has paid wireless service


  • icon
    Paul C. Bryan (profile), 1 Dec 2011 @ 1:27pm

    No evidence of transmission

    There is no evidence in Eckhart's video that this information is being transmitted to Carrier IQ, period. What he was displaying were debug log output from the phone.

    Writing these captured events to the debug log is not a good idea, and is potentially a vector of attack, but is not evidence that Carrier IQ is storing and/or transmitting this data.


    • icon
      Blaine (profile), 1 Dec 2011 @ 2:35pm

      Re: No evidence of transmission

      It does show that the sCarrier IQ process is subscribed to each keystroke event and receives the data. (Keystrokes, URLs and Text messages Collected)

      It's been shown that sCarrier IQ does connect to its home servers and send/receive data.

      I guess it's up to you if you trust them to do nothing with data they've collected.


      • identicon
        Anonymous Coward, 1 Dec 2011 @ 3:01pm

        Re: Re: No evidence of transmission

        This is correct; the only truth known is that it collects all data and sends some logs to CIQ, which may or may not contain all of the data.


    • icon
      That Anonymous Coward (profile), 1 Dec 2011 @ 5:54pm

      Re: No evidence of transmission

      There is no evidence that it is not transmitted either.

      CarrierIQ decided to launch an ill thought out lawsuit to stop people from even looking at their product; to use a creepy idea, if you have nothing to hide why complain so loudly. If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could allay any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once the law was explained to them, and now we can see large amounts of data being recorded.

      I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don't use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

      If they are not using the "extra" data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.


      • icon
        Paul C. Bryan (profile), 2 Dec 2011 @ 9:26am

        Re: Re: No evidence of transmission

        There is no evidence that it is not transmitted either.

        In a free and democratic society, when someone accuses another of wrongdoing it's customary to require the accuser to prove their claims, not require the accused to disprove them.

        CarrierIQ decided to launch an ill thought out lawsuit to stop people from even looking at their product; to use a creepy idea, if you have nothing to hide why complain so loudly. If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could allay any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once the law was explained to them, and now we can see large amounts of data being recorded.

        Sigh, where to begin with this?

        1. No lawsuit was filed. A demand letter was sent by Carrier IQ. A reply declining the demand was sent by EFF. Another letter from Carrier IQ was sent, apologizing and retracting their demands.

        2. Complaining loudly -- no matter how rude, obnoxious or misguided -- is not evidence of wrongdoing.

        3. In the video, all we see is the debug output of a program running on a phone. Until there is evidence that this software is storing and/or transmitting this data, it seems reasonable to ask tough questions about the design of this software, though not to conclude that massive breaches of personal privacy are taking place.

        I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don't use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

        You ask the question, implying we should conclude that either Verizon knows Carrier IQ is malware, or they ship malware of their own. The simpler explanation seems to be that they just don't want to have anything to do with this controversy.

        If they are not using the "extra" data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.

        Considering that there is clear evidence that Carrier IQ is outputting such event details to the debug log, I think we can safely conclude that this software is "crappy", possibly because of performance as you point out, but mostly because such information could lead to breaches of security.


      • icon
        The eejit (profile), 4 Dec 2011 @ 7:44am

        Re: Re: No evidence of transmission

        Well, at least the Carrier IQ thing explains why my gig of data is always insufficient.


  • identicon
    John Doe, 1 Dec 2011 @ 4:25pm

    Supposedly Verizon phones don't have this

    If there is a class action suit, I would like to be in on it even though Verizon apparently doesn't use Carrier IQ. These guys and anyone involved in putting this on phones should spend a long time in jail over this. This is bullshit!


  • identicon
    Rekrul, 1 Dec 2011 @ 4:45pm

    I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn't already been filed).

    What makes you think that the companies will allow that? I'm sure that by now, all the mobile carriers have drawn up new terms of service expressly forbidding any legal action against them. All thanks to SCOTUS.


    • identicon
      Anonymous Coward, 1 Dec 2011 @ 4:51pm

      Re:

      This is off-topic in the extreme, but is there some way that we can fit a word starting with "R" into that acronym so that it will be "SCROTUS?"

      I feel like this is in the best interest of our great nation.


  • identicon
    Anonymous Coward, 1 Dec 2011 @ 5:18pm

    Carrier IQ Software May Be in iOS, Too...


  • icon
    Tim K (profile), 2 Dec 2011 @ 1:02pm

    Class Action Filed


  • icon
    MiniMage (profile), 2 Dec 2011 @ 5:14pm

    How could any company use the software, if the data isn't transmitted?

    Of COURSE, the data is transmitted! How on earth can the three companies who admitted to using the software to improve their services actually use it, if the software doesn't report back to Carrier IQ? And the person who blew this wide open stated that the software continues to report back to CIQ, even if you cancel your wireless service. If you are going to give CIQ the benefit of the doubt, and claim they can't be guilty of anything, until they are found guilty, then let's give this guy the same benefit of the doubt, and not call him a liar, until a lie is proven. CIQ has already been caught lying about recording keystrokes, so why not give this guy more credence than them? Will he lose a whole company, if he's lying? Will CIQ? Hmmm.


  • icon
    Alex (profile), 7 Dec 2011 @ 6:02am

    Hard to say that I'm surprised. It's a well known fact that mobile providers can and are tracking mobile phone users. That's really easy to do because cell phones send signals to base stations to reveal their location to the network.

    So that's not surprising that manufacturers of cell phones decided to start their own tracking.


