Security Researcher Shows That — Despite Carrier IQ's Claims To The Contrary — CarrierIQ Records Keystrokes

from the now-that's-kind-of-scary dept

Remember Carrier IQ? This was the company whose software was installed on a ton of phones out there (mainly from Verizon and Sprint), supposedly to record things like if there are dropped calls or problems or whatnot, but which actually appeared to be a rootkit that could track all sorts of info? Then, remember how, rather than respond professionally to this, Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit over this? CarrierIQ eventually backed down… and again insisted that the claims of keystroke logging were simply not true.

Yeah. So. Don’t piss off a security researcher. Eckhart is back with a video showing how CarrierIQ’s software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software runs locally and captures keystrokes before anything is encrypted for transit, HTTPS is meaningless.

Dave Kravets at Wired highlights what’s really scary about all of this:

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And even more obvious, Eckhart wonders why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn’t already been filed).

Companies: carrieriq, sprint, verizon wireless


Comments on “Security Researcher Shows That — Despite Carrier IQ's Claims To The Contrary — CarrierIQ Records Keystrokes”

41 Comments
Anonymous Coward says:

As long as it took you to write this story, I figured you were going to let it go. Then when you did write it, you left things out. Like statements from the companies, from Sprint, Samsung, RIM, Apple, Carrier IQ. I was really looking for an in-depth review of the legality of it all. http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests-phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

Probably a better source on this topic.

Anonymous Coward says:

Re: Re: Re:

Well, your first link is to an article that was posted within an hour of this article, so Techdirt would have needed to be clairvoyant to include the content.

Techdirt already posted the reply letter in an earlier article about Carrier IQ, which is linked to in the body of this article.

Your criticisms are uninformed and unwarranted.

Anonymous Coward says:

Re: Re:

http://arstechnica.com/tech-policy/news/2011/12/sen-franken-demands-answers-from-carrier-iq-suggests-phone-snooping-violates-federal-law.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

According to what I read, it could, but not necessarily; there are exceptions in wiretapping laws for the telecoms to troubleshoot services. However, since this is a third party working for the telecoms, it probably does. Furthermore, this software continues to work over a wireless LAN even when the phone's cellular is disconnected, which means that you are no longer on their networks.

According to Gizmodo, Al Franken has already sent a letter to Carrier IQ. So we shall see. This reminds me so much of Sony and their rootkit a few years back.

Anonymous Coward says:

Re: Disabling Carrier IQ's software

Depending on your phone, this is not necessarily correct because this application is a rootkit. Some phones will not work with stock ROMs after removal. Even with root access. CIQ is different on each phone. That is why these removal programs are flawed. The best and only way to get rid of it is either switch to Verizon -HTC. Or root and ROM your phone with a custom-built ROM, i.e. Cyanogen or the many others.

velox says:

Re: Re: Disabling Carrier IQ's software

I’m certainly not an expert on all android phones, but I am running an EVO 4G which is rooted and I can tell you what worked on there. I was able to disable both HTC IQAgent and IQRD using Bloat Freezer. I haven’t tried, but I suspect if Bloat Freezer can do this, then Titanium Backup Pro can also do it.

I did not load cyanogen or any other mod, so I don’t think your statement that you need to do more than root your phone is generally correct.

Note that Mr. Eckhart has called IQRD a rootkit, but it is kind of a lame rootkit in that it doesn’t hide itself when all applications are listed.

Anonymous Coward says:

Re: Re: Re: Disabling Carrier IQ's software

Depends on the phone. http://androidforums.com/galaxy-prevail-all-things-root/455231-do-not-use-treves-ciq-removal-tool.html I tried to explain it to you, but it's not the same on HTC as it is on Samsung, nor is it the same from Froyo to Gingerbread. Telling people all they have to do is root to freeze it is misleading.

velox says:

Re: Re: Re:2 Disabling Carrier IQ's software

Alright, to respond to your point, I’ll be more precise:
–>> If you are running an HTC phone, “root to freeze” does disable CIQ, and I have confirmed that it does work with both Froyo and Gingerbread phones.

The thread you are linking to isn’t discussing ‘root to freeze’. It is talking about a removal tool that Trevor Eckhart has put forward as a solution to the problem. The thread claims that Samsung owners may brick their phone if the CIQ software is removed. “Freezing” bloatware isn’t the same thing as removing the software. Actual removal of a factory installed program is more likely to “brick” a phone since the program is not present to respond to scripting within the boot-up process, whereas freezing merely shuts a pre-installed program down at the end of the boot process.

Perhaps we will hear from someone else who has a rooted phone from another manufacturer?

Anonymous Coward says:

Re: Re: Re:3 Disabling Carrier IQ's software

I am currently running a rooted Samsung Intercept, which is why I was interested in the first place. It is running Carrier IQ. I will specifically try your solution tomorrow.

I should qualify myself: I am an embedded communications developer for a test equipment manufacturer. With that being said, I have never developed on Android. But I have developed for Open-embedded Angstrom and TimeSys Linux. What is described in all of the articles is not just some binaries and a couple of processes. Carrier IQ has its hooks in the kernel via kernel patches. This is how it logs keys on a hardware level; these loggers “may” not be shut down by disabling the process.
—————-Warning Tinfoil Hat Has Been Donned———
Furthermore, since practically all bootloaders are locked, you have no idea what is going on there. If it were me, I would have something in the bootloader that could check to see if the process is indeed running and, if it is not, then re-install all related items and rename the process.

Like I said, I am not an Android developer, but if I was going to devise something like this for embedded Linux, I think this would be the way to go, i.e. you could have your process write date and time to a location in memory if the bootloader then reads that place in memory and compares it to what's in boot logs. Like I said, we do not know what Carrier IQ does for sure. We have only scratched the surface. Does Carrier IQ do what I said? No, probably not, but the potential is there. Which could be very scary, because even a ROM would not necessarily get rid of it. My last Android phone was a Samsung Moment; you installed recovery over the regular ROM and then you booted into its secondary bootloader to load a ROM. So even though Samsung's low-level bootloader remained untouched, it would jump to another bootloader; at least that is how I understood it to work. This method would be similar to http://www.absolute.com/en/.
———————-Tin Foil Hat Removed——————
If I am wrong in any way, I apologize. I just don’t think this is something that should be trivialized. This is why I don't just want it frozen; I want to nuke it from orbit. It's the only way to be sure.

Anonymous Coward says:

Re: Re: Re: Disabling Carrier IQ's software

http://forum.xda-developers.com/showpost.php?p=11763089

the important parts “
Carrier IQ’s native libraries are plainly visible – libiq_client.so and libiq_service.so in /system/lib. During every boot, this service is launched – you can see it in Settings > Applications > Running Services as “IQAgent Service”. These native libraries are called by non-native (Android application) libraries located in ext.jar (the client) and framework.jar (the service). Removal of these (rather obviously-named) libraries alone, be it the .so files or the libraries in framework or ext, will, obviously, break boot. So I had to dig deeper. To make a long story short, reference to the IQ Service and IQ Client were littered across the deepest portions of the framework, and some of the most basic functions of the Android system as we know it.”
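
An added example, not part of the original comments or of the quoted XDA post: a Python check that takes text captured from a device and reports whether the Carrier IQ components named in this thread are running, are on disk but not running (what a "freeze" leaves behind), or were not seen. The sample captures are constructed, and the function names are hypothetical.

```python
import re

# Names taken from the comments above; nothing else is assumed about Carrier IQ.
NATIVE_LIBS = {"libiq_client.so", "libiq_service.so"}
SERVICE_RE = re.compile(r"\b(IQ\s?Agent|IQRD)\b", re.IGNORECASE)

def libs_present(lib_listing):
    """Carrier IQ libraries found in a captured listing of /system/lib."""
    found = set()
    for line in lib_listing.splitlines():
        fields = line.split()
        if fields:  # works for plain `ls` and `ls -l`: the name is the last field
            found.add(fields[-1].rsplit("/", 1)[-1])
    return sorted(NATIVE_LIBS & found)

def services_running(services_text):
    """Lines of a captured running-services list that name the IQ agent."""
    return [ln.strip() for ln in services_text.splitlines() if SERVICE_RE.search(ln)]

def classify(lib_listing, services_text):
    """Separate 'frozen' (on disk, not running) from 'running' and 'not found'."""
    libs, running = libs_present(lib_listing), services_running(services_text)
    if running:
        state = "running"
    elif libs:
        state = "on-disk-not-running"   # what a freeze looks like; files remain
    else:
        state = "not-found"             # only means these names were not seen
    return {"state": state, "libs": libs, "services": running}

# Constructed sample captures (not taken from a real device).
SAMPLE_LIBS = """\
-rw-r--r-- root root  91324 libhardware.so
-rw-r--r-- root root  48212 libiq_client.so
-rw-r--r-- root root 203776 libiq_service.so
"""
SAMPLE_RUNNING = "Google Services Framework\nIQAgent Service\nClock\n"
SAMPLE_FROZEN = "Google Services Framework\nClock\n"

if __name__ == "__main__":
    for label, services in (("stock", SAMPLE_RUNNING), ("frozen", SAMPLE_FROZEN)):
        print(label, classify(SAMPLE_LIBS, services))
    print("clean", classify("libhardware.so\n", SAMPLE_FROZEN))
```

A "not-found" result covers only the names mentioned in this thread; as the comments point out, the software differs from phone to phone.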

Anonymous Coward says:

Re: Re: Re: Disabling Carrier IQ's software

straight from Trev’s website.

The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ. Logging Test App can identify files used in logging and you can manually patch or use Pro version to automatically remove.

I'm not entirely sure that freezing it would end it.

Anonymous Coward says:

In case anyone didn’t want to watch the video but would like a synopsis, it demonstrates Carrier IQ’s software:

-Being difficult to find and impossible to remove
-Recording everything from the power button to the volume control
-Recording every number entered into the dialer (even if you don’t actually call someone)
-Recording the contents of every incoming SMS message before the message is displayed
-Recording the URL of web sites viewed over a WiFi connection (even HTTPS URLs, which are supposed to be encrypted)
-Still running on a phone that no longer has paid wireless service

Paul C. Bryan (profile) says:

No evidence of transmission

There is no evidence in Eckhart’s video that this information is being transmitted to Carrier IQ, period. What he was displaying was debug log output from the phone.

Writing these captured events to the debug log is not a good idea, and is potentially a vector of attack, but is not evidence that Carrier IQ is storing and/or transmitting this data.

Blaine (profile) says:

Re: No evidence of transmission

It does show that the sCarrier IQ process is subscribed to each keystroke event and receives the data. (Keystrokes, URLs and Text messages Collected)

It's been shown that sCarrier IQ does connect to its home servers and send/receive data.

I guess it’s up to you if you trust them to do nothing with data they’ve collected.

That Anonymous Coward (profile) says:

Re: No evidence of transmission

There is no evidence that it is not transmitted either.

CarrierIQ decided to launch an ill-thought-out lawsuit to stop people from even looking at their product; to use a creepy idea, if you have nothing to hide, why complain so loudly? If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could allay any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once the law was explained to them, and now we can see large amounts of data being recorded.

I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don’t use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

If they are not using the “extra” data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.

Paul C. Bryan (profile) says:

Re: Re: No evidence of transmission

There is no evidence that it is not transmitted either.

In a free and democratic society, when someone accuses another of wrongdoing it’s customary to require the accuser to prove their claims, not require the accused to disprove them.

CarrierIQ decided to launch an ill-thought-out lawsuit to stop people from even looking at their product; to use a creepy idea, if you have nothing to hide, why complain so loudly? If their intentions were all sunshine and ponies for everyone, they could have made a press release and invited the researcher to see for himself how it all worked so he could allay any fears consumers could have had. Instead they made a lame attempt to shut him up, backpedaled once the law was explained to them, and now we can see large amounts of data being recorded.

Sigh, where to begin with this?

1. No lawsuit was filed. A demand letter was sent by Carrier IQ. A reply declining the demand was sent by EFF. Another letter from Carrier IQ was sent, apologizing and retracting their demands.

2. Complaining loudly—no matter how rude, obnoxious or misguided—is not evidence of wrongdoing.

3. In the video, all we see is the debug output of a program running on a phone. Until there is evidence that this software is storing and/or transmitting this data, it seems reasonable to ask tough questions about the design of this software, though not to conclude that massive breaches of personal privacy are taking place.

I found a statement from Verizon about not using them to be telling. They do not use CarrierIQ or CarrierIQ data. Why would they make a statement worded as such? We have no connection to CarrierIQ would have covered the topic, but to point out we don’t use the software or their data seems to suggest you could have access to either. Of course they went quiet when asked if they had a program similar to CarrierIQ on their phones.

You ask the question, implying we should conclude that either Verizon knows Carrier IQ is malware, or they ship malware of their own. The simpler explanation seems to be that they just don’t want to have anything to do with this controversy.

If they are not using the “extra” data they are collecting then they just write crappy software, and this would explain why removing CarrierIQ makes phones faster. But that needs to be investigated, and I am sure there will have been accidents with some data storage systems that happened out of the blue before they could be examined.

Considering that there is clear evidence that Carrier IQ is outputting such event details to the debug log, I think we can safely conclude that this software is “crappy”, possibly because of performance as you point out, but mostly because such information could lead to breaches of security.

Rekrul says:

I would imagine that lawyers are furiously drawing up a pretty massive class action lawsuit as we speak (if it hasn’t already been filed).

What makes you think that the companies will allow that? I’m sure that by now, all the mobile carriers have drawn up new terms of service expressly forbidding any legal action against them. All thanks to SCOTUS.

MiniMage (profile) says:

How could any company use the software, if the data isn't transmitted?

Of COURSE, the data is transmitted! How on earth can the three companies who admitted to using the software to improve their services actually use it, if the software doesn’t report back to Carrier IQ? And the person who blew this wide open stated that the software continues to report back to CIQ, even if you cancel your wireless service. If you are going to give CIQ the benefit of the doubt, and claim they can’t be guilty of anything, until they are found guilty, then let’s give this guy the same benefit of the doubt, and not call him a liar, until a lie is proven. CIQ has already been caught lying about recording keystrokes, so why not give this guy more credence than them? Will he lose a whole company, if he’s lying? Will CIQ? Hmmm.
