backtop


Print 24 comment(s) - last by Thomaselite14.. on Dec 7 at 9:18 AM

App has minor issues stemming from poor implementation, but appears to be honest effort at metrics collection

[Update 12/5/2011 12:28 p.m.]

A lot of people seem to be misunderstanding my commentary as excuse making for Carrier IQ.  That is absolutely not the case.  Here is a recap of my points in a shorter format, as supported and explained by my research below:

1. Does Carrier IQ adversely affect your phone?

Yes.  It drains your battery.

2. Is Carrier IQ a security threat?

Yes, but only in Android if you install apps that have debug permissions.  It's generally a good idea to excercise extreme caution installing any Android app with these permissions.  While Carrier IQ goes beyond most apps in publishing a lot of sensitive information (dialed numbers, sms contents, plain-text urls) to the debug log stream, Google Inc.'s (GOOG) core apps already share too much to this stream.

For example, when you resume the default webkit browser and navigate to a URL, it sends an activity message in the debug stream listing the URL.  Likewise, Google's location app periodically publishes your lattitude and longitude to the stream, if location services are enabled.

In that sense debug permissions are already a security flaw/threat in Android and Carrier IQ excacerbates this flaw by poor implementation?

3. Is Carrier IQ a privacy risk?

It's here I diverge with many commentators.  I feel that as far as its core functionality goes, Carrier IQ is not a privacy risk, inherently.

Carrier IQ does gain access to a lot of phone-traffic related info, which it may be passing on to your carrier and/or the device maker in some form.  But I feel that's not really a serious privacy risk.  Your carrier and the operating system maker already extract this information in some form.  You know that by the fact that the OS maker can target ads at you and that the dialed phone numbers and sms contents are accessible via your carrier.

There is a second hand privacy risk from third parties watching the debug stream, due to the security flaw outlined above.

4. If you acknowledge Carrier IQ is bad, why do you criticize past commentary?

I'm not disputing that Carrier IQ's poor implementation creates security risks.  My own research shows this explicitly.  It absolutely raises risks in Android.  My point is that past pieces have an unfortunate tendency to focus on non-issues or fail to properly qualify what Carrier IQ is doing, cheapening the real problems here, and makes some sources' commentary look alarmist.  These issues with past commentary also add to reader confusion, making it harder for for readers to properly weight their options.

The perfect example of misleading commentary is calling the app a "rootkit".  It's not a rootkit.  It was installed by your phone's administrators -- the carrier and/or the device makers.  Thus it's an administrative tool, not a rootkit, by definition.

Another example is the focus on keylogging in the phone dialer app.  

The issue is not that it logs the numbers you dialed.  This info typically comes from device-maker specific implementations of the dialer app, so the device-maker obviously has access to this information -- that's not a surprise.  And there's no evidence that it's keylogging elsewhere.  The issue is that it's making this info available to parties on the debug stream who don't have proper permissions.

Thus the real problems here are not so much in the app's data collection, but again #2 -- the fact that this information is inappropriately published to the debug stream.

5.  Are all Carrier IQ Versions the same?

Absolutely not.  Early reports indicate the version found on some iPhones lacked the dialer logging and sms transcription capabilities.  The idea behind Carrier IQ isn't bad, it's the implementation that's seriously botched in Android's case at least, so it's important to objectively examine each implementation on a per-platform basis and see if they have the same issues.

6.  Should you remove Carrier IQ?

I would advise doing one of two things. 

a) Contact your device maker and complain about the security flaw in this app and demand a fix.  Until the fix arrives, don't install any apps with debug permissions and review any preexisting apps, uninstalling those with debug permissions. (If you do this the security risk will be negated.)

b) Take responsibility of your own fate and root your device.  Follow freely available tutorials and remove the IQ product family from your device.  But beware that in becoming master of your device, you've voided your warranty (though it may be possible to install a stock carrier ROM to obfuscate this fact should a repair be needed).

7. Did Carrier IQ "discoverer" Trevor Eckhart do a good job analyzing the case?

First and foremost, we should all thank Trevor for bringing this problem to the world's attention.  That said, Mr. Eckhart's commentary is the source of a major inaccuaracy -- calling Carrier IQ a rootkit -- and fails to qualify the extent of the keylogging leading to confusion understanding the true problem (see #2 and #8) here.

8. Is there a bigger picture here?

Yes.  There's a big security flaw in Android, in that Android allows apps with certain permissions to publish sensitive information that's dependent on those permissions to the debug stream.  Android should ensure that apps accessing the debug stream can only see information that they have permissions for.  It would be trivial to add an extra field to the debug logging, similar to the priority tag (i.e. the "V"/"I"/"E", etc. you see attached to messages).

Hope that clears things up about my perspective, based on my research.

----------------------------------------------------------------------------------

Since Friday I've been digging into the controversy sound Carrier IQ.  Carrier IQ is a remote monitoring app that's been installed on a host of smartphones, including -- reportedly -- some iPhones and many Android phones.  Some carriers like Verizon refuse to use the service while others embrace it.

I. Carrier IQ: Good or Evil?

What is the point of remote monitoring?  Carrier IQ states:

Carrier IQ is the market leader in Mobile Service Intelligence solutions that have revolutionized the way mobile operators and device vendors gather and manage information from end users. With Carrier IQ’s unique ability to provide detailed insight into service delivery and user experience, you can achieve your strategic goals more efficiently and effectively, based on data drawn directly from your subscribers’ devices – the place where your customer actually experiences the service.

Well that sounds fair enough as long as it's not spying on anything it shouldn't be, right? Well that's where IT worker-turned-security researcher Trevor Eckhart, 25, stepped in.  He posted commentary indicating:

Carrier IQ (CIQ) sells rootkit software included on many US handsets sold on Sprint, Verizon and more.  Devices supported include android phones, Blackberries, Nokias, Tablet devices and more.

Wikipedia describes a "rootkit" as:

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.

But Mr. Eckhart himself acknowledges that carriers and hardware makers install the app on your phone.  That brings us to his first fundamental misunderstanding.

You are not the administrator of your phone.

You do not have root access without resorting to widely available hacks.  The actual administrators of your phone are your carrier, your device maker, and your operating system maker (e.g. Google), unless you take matters into your own hands.  For the average smartphone user, you are merely that -- a user.  You may not like that, but that's the nature of how these devices are sold and work today.

Dan Hesse, Sprint iPhone
You are not the administrator of your phone unless you root it; most users prefer to let their carrier, device maker, and operating system maker play administrator for them.
[Image Source: Ellis Hamburger]

As the administrator of your phone installed this software, it's a pretty big stretch to call it a rootkit.  Maybe if the phone was sold rooted, and then somehow hardware makers or carriers actively attacked customers' phones in the wild in an effort to install unwanted software, this would fit the definition.  But that's absolutely not what's happening here.

II. Carrier IQ "Sinisterly" Logs Metrics

Second, there's no escalation of privileges, as far as we could see here.  You must understand that Android is a very permissive operating system.  If you ask for enough permissions you can see users' phone calls, see hardware information, or even see what URLs are being typed in the browser.  The issue is that most users and new developers -- like Mr. Eckhart -- don't realize this.

It's easy to duplicate Mr. Eckhart's debugging test, which he gives in a video here:


We did.  I own an HTC Evo 4G by Taiwan's HTC Corp. (TPE:2498) -- the predecessor to the model Mr. Eckhardt owns -- so I installed CatLog and carefully logged in a variety of scenarios and actions.  Here's what I found.

HTC Evo 4G

Most of the things logged by Carrier IQ are exactly the kinds of things you would expected from a logging program. Here are some examples, straight from logs:
 

UI08: Signal Strength
 
Five Bars:
 
12-03 18:23:51.707 V/AgentService_J(8784): Action[2693]:com.htc.android.iqagent.action.ui08
12-03 18:23:51.707 I/HTC_SUBMITTER_C(8784): actionUI08 metric:5, 3
12-03 18:23:51.707 V/AgentService_J(8784): (0)ASU, TECH:5, 3
...
12-03 18:23:51.707 D/StatusBarService(8787): updateIcon slot=phone_signal index=20 viewIndex=15 old=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0 visible=true num=0 ) icon=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0 visible=true num=0 )

Well, I honestly don't care very much if it's logging my signal strength.  That's hardly a catastrophic violation of my privacy.

Another example seems to log whenever you land on the home screen (via a power button press, a back button press, a home button press, etc.).  Here's the debug message:

UI19: Face Button Pressed

Button Press (power button screen off) (ID:-1885129974; shared with other presses)

12-03 18:22:55.963 V/AgentService_J(8784): Action[2632]:com.htc.android.iqagent.action.ui19
12-03 18:22:55.963 I/HTC_SUBMITTER_C(8784): (0) submitUI19:-1885129974,0
12-03 18:22:55.963 V/AgentService_J(8784): (0)ui19_dwAppID:-1885129974,ui19_ucFocusEvent:0
...
12-03 18:22:56.023 D/KeyguardViewMediator(135): wakeWhenReadyLocked(26)

Again, nothing overly sinister here.

III. Carrier IQ's Most Evil Functionality of All

So what's the worst that I discovered?  Well, I did notice signs of some keylogging in one -- and only one -- place.  It logs your keypresses inside the phone app:

"3" Button is Pressed on the virtual keyboard in the Dialer app

12-04 13:02:41.130 V/AgentService_J(8784): Action[4587]:com.htc.android.iqagent.action.ui01
12-04 13:02:41.140 D/dalvikvm(394): GC_CONCURRENT freed 871K, 48% free 3931K/7559K, external 1312K/1772K, paused 3ms+6ms
12-04 13:02:41.150 I/HTC_SUBMITTER_C(8784): actionUI01:51,0
12-04 13:02:41.171 D/AudioSystem(12022): linearToSpecifyHtcVolume(volume:0, streamType:1, audio_devices:2)
12-04 13:02:41.171 D/AudioPolicyManagerBase(12022): volume after AudioSystem::linearToSpecifyHtcVolum: -1.000000
12-04 13:02:41.171 D/AudioPolicyManagerBase(12022): volume after AudioSystem::linearToLog: 0.000000
12-04 13:02:41.171 I/HTC_SUBMITTER_C(8784): (0) convert01:51,0
12-04 13:02:41.181 D/HtcDialer(394): User pressed key with keyCode: 10
 
(51 is the Javascript keycode for "3".)

But there are a couple of important things to notice here.  First, while Carrier IQ may be negligent in dumping your keypress to the log (making it visible by the debugger), it definitely is not the only one to do this -- the HTC Dialer app, which you're using to dial the number (in the above example pID) -- also does this. 

And is it really so shocking that your carrier and/or device maker is/are keeping track of the numbers you dial?  If that shocks you, do me a favor and look up your phone bill and go to the section where it lists ALL of the numbers you dialed from your cell phone.  This may be "keylogging", but it's hardly rootkit malfeasance.

Now Mr. Eckhart unfortunately fails to qualify exactly how far the keylogging went.  Well we tested this on our EVO 4G.  And let us be clear what we found.

For a standard, not rooted HTC smartphone, there are NO signs of keylogging in the debug log stream when typing with the virtual keyboard inside apps and the browser.  Again, the only place where keylogging is occurring is inside HTC's own dialer app.

In this light the "keylogging" looks far less sinister.  Your phone isn't logging your passwords, usernames, and messages.  It's merely keeping track of the numbers you dial, something your carrier tracks anyways, and something that third-party apps have the permission to request access to in Android.

IV. Google to Blame for HTTPS Encryption Breach, Not cIQ

Now we did find one other capability of Carrier IQ.  It can read the URLs that you enter in your browser:

(I went to Google search  for "aaaaaaaaaaaaaaaaaaa"

[4421]:com.htc.android.iqagent.action.nt10
12-04 13:01:11.223 I/HTC_SUBMITTER_C(8784): (0) actionNT10:0,-1,200,4,0,0,7,http://www.google.com/s?hl=en&sugexp=ppwe&cp=19&gs_id=24&xhr=t&q=aaaaaaaaaaaaaaaaaaa&pf
=p&sclient=psy-
ab&source=hp&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r
_gc.r_pw.,cf.osb&fp=e742f5cef32fb4f8&biw=833&bih=1388&tch=1&ech=3&psi
=TrXbTtakL42BqAGf16zkDQ.1323021660374.1

12-04 13:01:11.223 V/AgentService_J(8784): (0)Size:0,SocketID:-
1,Type:200,AppType:0Mode:7,URI:http://www.google.com/s?
hl=en&sugexp=ppwe&cp=19&gs_id=24&xhr=t&q=aaaaaaaaaaaaaaaaaaa&pf
=p&sclient=psy-
ab&source=hp&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r
_gc.r_pw.,cf.osb&fp=e742f5cef32fb4f8&biw=833&bih=1388&tch=1&ech=3&psi
=TrXbTtakL42BqAGf16zkDQ.1323021660374.1(from:com.android.browser)
12-04 13:01:11.293 D/StatusBarPolicy(8787): onSignalStrengthsChanged
12-04 13:01:11.293 D/StatusBarPolicy(8787): iconIndex=1
12-04 13:01:11.293 V/StatusBarPolicy(8787): cdmaLevel:5;max:6
12-04 13:01:11.293 D/StatusBarPolicy(8787): iconLevel:5
12-04 13:01:11.303 D/StatusBarService(8787): updateIcon slot=phone_signal
index=20 viewIndex=15 old=StatusBarIcon(pkg=com.android.systemui
id=0x7f020012 level=0 visible=true num=0 )
icon=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0
visible=true num=0 )
12-04 13:01:11.313 V/AgentService_J(8784): Action

Okay, so Carrier IQ does keep track of what webpages you visit.  Again, if you think your carrier/device maker keeping track of what webpages you visit is shocking, you're relatively naive.  They're who is handling your traffic.  Of course they have access to this information on multiple levels.

Now Carrier IQ does do one "bad" thing -- if you navigate to a secured (https) webpage, it displays the uncensored path/command string after the domain name.  As Mr. Eckhart points out, this could contain the username and/or passwords on some sites.  However, testing with several sites, we found that while it did in some cases show the username, it never showed the password.

Normally only apps must request special permissions to view the most recent browser state (via the history) and https is properly censored within the cache.  In that sense cIQ does represent somewhat of a risk, but only if you install apps that were awarded debug privilege.

A final note is that Carrier IQ's frequent polling may adversely affect battery life in some devices.  If there's one most compelling argument against the app, it's that it likely is a major source of battery drain while the phone is "hibernating".

V. Legality of Carrier IQ

Now let us talk briefly about the legality of OEMs like HTC or various carriers preloading Carrier IQ unbeknownst to the user.  First, when you purchase a device you enter into end user license agreement (EULA) from the device-maker.  I'm guessing the provisions about monitoring metrics is listed somewhere in there.  Second, you also enter into a signed contract with your carrier, who again likely lists Carrier IQ somewhere in the fine print. (Sprint Nextel Corp. (S), one user of Carrier IQ, says exactly this -- that it's covered by their contract agreement.)

Thus you likely have "agreed" to monitoring whether you realize it or not. And based on our research above, this monitoring isn't exactly intentionally abusive.  

Now we do have to scold Carrier IQ for failing to respect the user's request to turn off bug logging in operating system settings.  This may just be sloppy implementation, but it certainly gives the appearance of violating a user's wishes.  In this case it is typically the phone administrator (HTC) violating the wishes of a user (the customer).  While this is not uncommon in IT settings, in this case Carrier IQ and its partners should have been a bit more sensitive, if nothing else to be respectful of the wishes of users, who often have the false impression that they are their device administrators.

We also have to scold Carrier IQ, et al. for the things they publish to the debug stream (e.g. URLs, keypresses in the phone app, SMS text contents, signal strength, etc.).  This poor implementation means apps that have debugging access can circumvent Google's permissions and gain information to these pieces of data without asking permission to.  

Again, to be clear these are all things that apps CAN ask permission for.  But the issue with Carrier IQ's sloppy implementation is that it allows malicious apps to circumvent the permissions request process.  Additionally Carrier IQ may be harming the very battery life it's seeking to monitor.

But it's important not to overstate the harmfulness of Carrier IQ by speaking in vague generalities as Mr. Eckhart and others have done.  And it's important also not to overlook third parties' role as administrators of most users' smartphones.

Should your root your phone and remove Carrier IQ?  If you're willing to drop out of your warranty by rooting and risk possibly damaging your built-in services (many of which are implemented by your device maker) feel free.  But beware that while Carrier IQ's sloppy implementation may raise some minimal security concerns, it does not general appear to be trying to play "Big Brother" or at least if it is, it does a very poor job at it.

Android owners should be far more concerned by what their core system apps from Google are publishing to permitted apps, and to the debug screen.  Stay tuned for our follow-up for more details on that.

VI. Should You Trust a Biased Party?

And as a final note I'd like to point out that its somewhat disingenuous for Mr. Eckhart to be profiteering [Android Market] off his discovery of Carrier IQ by selling an app that watches its activity.  After all you can see most of the same metrics by downloading the completely free, aforementioned Cat Log, and simply doing a search for "iq".  I'd say the fact that Mr. Eckhart is profiting off of villainizing/misrepresenting Carrier IQ calls into question his ability to function as an unbiased researcher, in some sense.

Android Market -- Test App

I'm not saying that Mr. Eckhart is intentionally misrepresenting cIQ for profit, just pointing out that he risks the appearance of it seeming that way by selling a product that solely focuses on Carrier IQ.  

By contrast most antivirus software makers focus on general detection and removal of a broad range of applications for this exact reason -- to avoid the appearance that they're profiting off of solely targeting/scapegoating one application.
 
Mr. Eckhart has done smartphone owners a favor by bringing some of the security risks created by Carrier IQ to light.  But by resorting to unqualified hyperbole (e.g. suggesting it's a rootkit and implying that it logs all keystrokes), he risk delegitimizing the important research he did.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

take some of your own advise
By invidious on 12/5/2011 11:11:58 AM , Rating: 5
quote:
I'm not saying that Mr. Eckhardt is intentionally misrepresenting cIQ for profit, just pointing out that he risks the appearance of it seeming that way by selling a product that solely focuses on Carrier IQ.
His actions speak for themselves, just tell us what he did. You don't need to tell us how we might want to think about it. After all it might call into question your ability to function as a non-biased journalist...




RE: take some of your own advise
By lewisc on 12/5/2011 1:01:30 PM , Rating: 3
I find the nature of this article quite strange. For one, I was surprised that nothing was posted about this last week, when the rest of the media picked up on this story. Then, when something is reported, we get a 'research' piece, which reads to me more like an editorial in defence of Carrier IQ, rather than a news story reporting the facts, as Invidious points out.

Perhaps posting this as research rather than news gives Mr. Mick greater editorial licence, but generally speaking I expect a news source first reports, then editorialises.

I wonder whether such a defensive approach would have been taken if this software were found to operate in a more invasive manner on Apple products, rather than on Android devices, as seems to be true in this case? I like to hope this would be the case, as I would hope the author to apply a similar approach to his reporting, irrespective of vendor. However, given the articles generally written by Mr. Mick where Apple is concerned, I have concerns that such an approach would not be adopted.


RE: take some of your own advise
By lewisc on 12/5/2011 1:09:14 PM , Rating: 2
As much as I dislike to double-post, I should acknowledge that, in the time it took me to read and then respond to the original article, the author has posted an update to clarify his position.

I still question whether a similar approach would have been adopted if the flaw affected iPhones more seriously than Android products. Thanks to Mr. Mick though for making his stance clearer.


RE: take some of your own advise
By JasonMick (blog) on 12/5/2011 1:21:49 PM , Rating: 3
quote:
As much as I dislike to double-post, I should acknowledge that, in the time it took me to read and then respond to the original article, the author has posted an update to clarify his position.

I still question whether a similar approach would have been adopted if the flaw affected iPhones more seriously than Android products. Thanks to Mr. Mick though for making his stance clearer.

Your welcome, I'm not trying to show bias to Android or offend you or anyone else.

I put a lot of work and research into this piece.

My point is merely that there's a lot of unclear information out there and it's important to understand the real issues in order to solve them.

As they say, knowledge is power.

After watching Trevor's video I came away with the false impression that the app was keylogging usersnames and passwords typed in apps and in web forms. I'm sure many members of the public think that too, having seen that video or read parroted news reports that fail to examine the problem first hand.

I was very surprised/relieved to find that wasn't the case-- that the logging was isolated to the phone app, though I was disturbed by how both Android in general and Carrier IQ, specifically, were abusing the debug stream (and how Carrier IQ was posting plain-text https strings).

I wanted to try to put this situation in perspective so people understand the bigger underlying security issue with Android (debug stream abuse), what exactly Carrier IQ does, and what exactly the problems with its activity are in Android (battery life, debug stream abuse).

I hope that it's apparent from the fact that I'm willing to call Android out on its security demonstrates that I'm willing to assign blame where blame is due, regardless of my personal device preference....


RE: take some of your own advise
By ekv on 12/5/2011 3:15:34 PM , Rating: 2
quote:
I put a lot of work and research into this piece.
Well done. I haven't read too many sources of unbiased information on this issue.
quote:
They're who is handling your traffic.
Perhaps would read better if written like such "It is they who are handling your traffic."


RE: take some of your own advise
By techer on 12/5/2011 11:06:12 PM , Rating: 2
"it might call into question your ability to function as a non-biased journalist..."

That is very true.

Nice effort, but I think he blew his cover when he attempted to redefine the debug log file as a debug (stdio/stderr) stream .

Sounds like writing from a person who has never programmed in a mobile development environment before.

There is a major difference between a log file and a stream. Log files contain messages that are written and saved to a file , while streams are not.

The logcat utility does not stream input from some stdio/stderr stream , the logcat utility reads the message contents that had been written into the system's debug log file .

If he only took the time to read the Android Developer reference guide , he would have learned to use the the right terminology - a log file , not a stream.

http://developer.android.com/guide/developing/debu...

Then he would have realized that every virtual keystroke would not be streamed but recorded, written, and saved to the system's log file. Ultimately, it would only be a matter of time for some secret hidden app to be installed that would be responsible for reading the saved contents of the system's log file and routing the data to some secret remote server.


I wonder how much he was paid?
By danjw1 on 12/5/2011 10:47:55 AM , Rating: 2
I wonder how much he was paid to form this opinion? Sounds like he was bought off to me. CarrierIQ trying to protect their business, which is understandable but you publishing this dribble is questionable.




RE: I wonder how much he was paid?
By JasonMick (blog) on 12/5/2011 1:07:40 PM , Rating: 2
quote:
I wonder how much he was paid to form this opinion? Sounds like he was bought off to me. CarrierIQ trying to protect their business, which is understandable but you publishing this dribble is questionable.

I think you either:
a) Didn't read my commentary too closely and automatically formed some sort of opinion and dismissed it.

...or...

b) Don't properly understand what I'm trying to say for some reason.

If I was paid off by Carrier IQ, why would I be warning that it creates a security risk?

My point is simply this.

Carrier IQ is NOT inherently a privacy risk that the media is making it out to be. The kinds of information that it collects may be the kind of information you don't want third parties getting (e.g. your dialed numbers, text messages, etc.), but it's information your carrier ALREADY HAS.

The issue (which many reports miss -- what I'm trying to clarify here) is that:
a) Android allows apps to publish privileged information to viewable unprivileged apps watching on the debug stream.
b) Carrier IQ fully abuses this security flaw by publishing all sorts of information -- e.g. dialed numbers, sms contents, urls, etc. to the debug stream.

To be clear this is a BIG Android problem, far bigger than Carrier IQ. But Carrier IQ is most definitely a part of the problem.

That said, there's NO KNOWN security risk, even in Android, UNLESS you install apps with debug permissions that can see the information that Carrier IQ stupidly posts.

Carrier IQ does drain your battery by querying your phone on a regular basis.

Customers should either lobby their carrier to plug the security hole or take control of their devices by rooting.

But customers need to realize that when they buy their device they ARE NOT the administrator (this is a common misconception). You only gain administrator rights if you root/jailbreak the device, a perfect legal option as per the amendments to the DCMA. But even if you do so, if you're subscribed to a service, under you service agreement, your carrier is a joint administrator of your device. That's the current legal nature of the relationship.

My overall point was/is that I feel there are issues here and Carrier IQ and its partners DO need to answer for and remedy them. But half truths and exaggerations about the nature of the app and its functionality only add to the confusion and harm.


RE: I wonder how much he was paid?
By danjw1 on 12/5/2011 2:05:16 PM , Rating: 2
They are reading every key press, that is an epic fail. It is beyond a significant security/privacy issue. You too easily excuse what they are doing. If that information isn't making it into the log, why are they grabbing it? Key grabbing is not something any program should engage in. The only exception to this is games where they are grabbing the keyboard for other reasons, and release it when you switch applications. You call it "bad programming", I call it completely out of bounds. Many people are engage in banking with there phone, this kind of security hole in the base firmware is inexcusable. We will have to agree to disagree.

I personally have rooted my phone and installed an Android build without Carrier IQ. If Carrier IQ were to fix the issue and Carriers where to update to the firmware, I might consider moving back to the phones native firmware. But, until then my phone will remain without Carrier IQ. And I would advise anyone else who is concerned at all about security or privacy to do the same.


By JasonMick (blog) on 12/5/2011 4:28:14 PM , Rating: 2
quote:
They are reading every key press, that is an epic fail.

Not sure if your handset has a different version of the software than mine, but I saw no keypress events reported to the debug stream outside of the phone app (which only allows numeric values and a few special characters). It's possible that's what they're using for the browser URL, but the fact that the URL contains stuff you didn't type leads me to believe they're somehow fully scraping the URL off the browser.

It makes sense, though, that the keylogging would be isolated to the dialer app. After all, they (HTC) co-authored that app in my distribution, so it'd be easy for them to create a special permission for their friend app within the Android security framework.
quote:
Many people are engage in banking with there phone, this kind of security hole in the base firmware is inexcusable.

And if I saw it keylogging in the web browser or in apps I'd be more concerned. But I actually tested Chase's banking app and so no key events reported to the debug stream.

And this point its pure paranoid speculation to claim that, unless you have some sort of solid evidence.

As for the web browser, it does broadcast plainttext https strings, but every bank I've ever seen censors its login information in the address bar, when submitting https, so that's not going to compromise your bank account. And again, I saw no evidence in the debug stream of keylogging text field entry in the browser.

Your seemingly paranoid statements here are exactly why it's important to differentiate between the real, researched risk and the unsubstantiated one.


By drycrust3 on 12/5/2011 3:53:15 PM , Rating: 2
quote:
but it's information your carrier ALREADY HAS.

This is an important point Eckhart and others have overlooked! The fact is the carrier's switching system needs to know a whole lot of information, such as your phone number, where you are, and who you want to call, so it can set up the phone call (that's what you pay them for!), and it has to record the date and time and the duration of that phone call (at the end) for billing reasons.


That's not a bug -- it's a feature! x]
By nocturne_81 on 12/5/2011 10:09:37 PM , Rating: 3
Well, I guess not many of you have much experience working with *nix... it's just the nature of the beast. A machine's system log being sent to the carrier, though... that's comparable to my ISP demanding to see the logs on my media server -- just not right.

Assign the blame where it is due -- call your carrier and give them hell.




By MaulBall789 on 12/6/2011 3:40:30 PM , Rating: 2
Agreed. But that would be every carrier, so take your pick.


yeah right
By Jotatsud1 on 12/5/2011 11:05:48 AM , Rating: 4
Sorry Jason bit this article is pure bs. The fact that you give a free pass to all ciq security transpassing as "mistakes" doesnt stick. Im a software developer, that and the https blame on third parties is simply not true.




A security RISK we can do WITHOUT!.
By fteoath64 on 12/5/2011 11:13:00 PM , Rating: 2
Most if not all will WANT this CIQ out of out phones!. It has no business being there because it is eating our resources (battery and CPU cycles) that we DID not authorize. Yeah, the wireless connection might belong to the carrier but we OWN the handset. Hence, the handset make and/or Google should ensure that they give us the choice to enable or disable it. No buts, ifs, or whats!.




By DT_Reader on 12/6/2011 1:58:04 PM , Rating: 2
You don't own anything anymore, you only license it. Hollywood hates the idea of you buying a DVD, they want you to pay a subscription fee for the right to watch a movie. You lease your car, you don't own it. You even used to lease your black rotary dial desk phone; why should today's phone companies (which all come from that Ma Bell background) feel any differently about "your" cell phone? Note that if you want to change phones or plans you have to pay a hefty fee, again because it's their phone not yours.


How about the MONEY$$$$$$ data costs to users???
By bgold2007 on 12/5/2011 11:39:08 PM , Rating: 2
In all the hullabaloo about this NO reviewers or commentators seem to discuss the costs of this surreptitious data gathering. For those of on non-unlimited data plans, how much are we paying to transmit this spyware data? This should be a huge class action lawsuit if the users are paying for these transmittals. Has anyone analyzed this by carrier?




By DT_Reader on 12/6/2011 1:47:27 PM , Rating: 2
I wondered the same thing.
quote:
1. Does Carrier IQ adversely affect your phone?

Yes. It drains your battery.
Really? That's it? You (Jason Mick) can confirm that the data Carrier IQ sends is somehow sent un-metered? If so, how do they manage that? I.e., how can I write my app to send its data un-metered?


splitting hairs
By senbassador on 12/5/2011 6:26:12 PM , Rating: 2
"The perfect example of misleading commentary is calling the app a "rootkit". It's not a rootkit. It was installed by your phone's administrators -- the carrier and/or the device makers. Thus it's an administrative tool, not a rootkit, by definition."

To me, thats splitting hairs. Imagine if regular Windows boxes were sold the same way smartphones are, with MS tech support being the default administrators. Imagine there being no "administrative mode", you not being even able to view the "system 32" folder, opening "task manager" wouldn't show you most of the system processes, but still pretend that they are by showing some of them. Imagine all the services not showing up. Now, imagine if the makers of Windows decided to spend a lot of effort into making it feel like you do have control over the machine without rooting it, ie: still giving you "control panel" and "task manager". If word broke out that there were secret processes and threads deliberately made to hide from task manager (and not just not let you end them) and it was doing something naughty. By all means, people would be all over that, spelling MS with a dollar sign, calling said processes a root kit, the whole nine yards.

Here's a good litmus test as to whether or not a process is a "root kit" or not on an android device. Install an app called "Android Mate" and click on the "Apps Manager" tab. If you can't find a certain App on a non-rooted phone and its a process running in the background, its a rootkit. Hell, even that stupid NASCAR app that came with my phone that I can't get rid of is listed.




Missed Out the Obvious
By Flunk on 12/6/2011 8:58:14 AM , Rating: 2
Why are release applications outputting debug information at all? That seems like a serious security risk to me, as I'm used to using compiler directives (in C# or C++) to disable all debug code before we give the software to the customer.

I realize that Java doesn't have a compiler by default but Android does use one so there is no reason they couldn't have the ability to compile release versions of code without debug information.




Doing us a favor
By Thomaselite14 on 12/7/2011 9:18:54 AM , Rating: 2
I appreciate reading an article that doesn't line up with all the other outlets trying to please public opinion. I see it all the time; a story comes out and the media has a feeding frenzy with no prisoners. Nice one Mr. Mick.




It either logs keystrokes or it doesn't
By adamantinepiggy on 12/5/2011 10:27:55 AM , Rating: 3
Apologize much for poor industry practices? According to even you, (paraphrase) "It logs some keystrokes in certain apps." Looks like a duck, sounds like a duck, and yet you manage go to great lengths to show that what Mr Eckhardt also thinks is a duck is actually a rabbit. Logging every 3rd keystroke, or logging every one of them is still logging at a level that is inappropriate, regardless of what app it's in. Just because other apps do it too, and the user did not read all 20 pages of fine print doesn't mean it should be given a pass.

Mr Eckhardt presented a video showing key presses being logged on a "secure" web connection. That's all I need to know that this CarrierIQ is a rootkit duck (albeit, perhaps a really weak lame one). So either Mr Eckhardt intentionally fooled everyone with a fake video, or CarrierIQ is quacking like a duck. Now you're telling me it's not really acting like a duck and is "OK" because it only does it "sometimes" and not every keystroke, just some of them.




RE: It either logs keystrokes or it doesn't
By adamantinepiggy on 12/5/11, Rating: -1
"Google fired a shot heard 'round the world, and now a second American company has answered the call to defend the rights of the Chinese people." -- Rep. Christopher H. Smith (R-N.J.)

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki