Research: Carrier IQ Underscores Deeper Hole in Android OS's Security
December 5, 2011 9:41 AM
comment(s) - last by
App has minor issues stemming from poor implementation, but appears to be honest effort at metrics collection
[Update 12/5/2011 12:28 p.m.]
A lot of people seem to be misunderstanding my commentary as excuse making for Carrier IQ. That is absolutely not the case. Here is a recap of my points in a shorter format, as supported and explained by my research below:
1. Does Carrier IQ adversely affect your phone?
Yes. It drains your battery.
2. Is Carrier IQ a security threat?
in Android if you install apps that have debug permissions. It's generally a good idea to excercise extreme caution installing any Android app with these permissions. While Carrier IQ goes beyond most apps in publishing a lot of sensitive information (dialed numbers, sms contents, plain-text urls) to the debug log stream, Google Inc.'s (
) core apps already share too much to this stream.
For example, when you resume the default webkit browser and navigate to a URL, it sends an activity message in the debug stream listing the URL. Likewise, Google's location app periodically publishes your lattitude and longitude to the stream, if location services are enabled.
In that sense debug permissions are already a security flaw/threat in Android and Carrier IQ excacerbates this flaw by poor implementation?
3. Is Carrier IQ a privacy risk?
It's here I diverge with many commentators. I feel that as far as its core functionality goes, Carrier IQ is not a privacy risk, inherently.
Carrier IQ does gain access to a lot of phone-traffic related info, which it may be passing on to your carrier and/or the device maker in some form. But I feel that's not really a serious privacy risk. Your carrier and the operating system maker already extract this information in some form. You know that by the fact that the OS maker can target ads at you and that the dialed phone numbers and sms contents are accessible via your carrier.
There is a second hand privacy risk from third parties watching the debug stream, due to the security flaw outlined above.
4. If you acknowledge Carrier IQ is bad, why do you criticize past commentary?
I'm not disputing that Carrier IQ's poor implementation creates security risks. My own research shows this explicitly. It absolutely raises risks in Android. My point is that past pieces have an unfortunate tendency to focus on non-issues or fail to properly qualify what Carrier IQ is doing, cheapening the real problems here, and makes some sources' commentary look alarmist. These issues with past commentary also add to reader confusion, making it harder for for readers to properly weight their options.
The perfect example of misleading commentary is calling the app a "rootkit". It's not a rootkit. It was installed by your phone's administrators -- the carrier and/or the device makers. Thus it's an administrative tool, not a rootkit, by definition.
Another example is the focus on keylogging in the phone dialer app.
The issue is not that it logs the numbers you dialed. This info typically comes from device-maker specific implementations of the dialer app, so the device-maker obviously has access to this information -- that's not a surprise. And there's no evidence that it's keylogging elsewhere. The issue is that it's making this info available to parties on the debug stream who don't have proper permissions.
Thus the real problems here are not so much in the app's data collection, but again #2 -- the fact that this information is inappropriately published to the debug stream.
5. Are all Carrier IQ Versions the same?
Absolutely not. Early reports indicate the version found on some iPhones lacked the dialer logging and sms transcription capabilities. The idea behind Carrier IQ isn't bad, it's the implementation that's seriously botched in Android's case at least, so it's important to objectively examine each implementation on a per-platform basis and see if they have the same issues.
6. Should you remove Carrier IQ?
I would advise doing one of two things.
a) Contact your device maker and complain about the security flaw in this app and demand a fix. Until the fix arrives, don't install any apps with debug permissions and review any preexisting apps, uninstalling those with debug permissions. (If you do this the security risk will be negated.)
b) Take responsibility of your own fate and root your device. Follow freely available tutorials and remove the IQ product family from your device. But beware that in becoming master of your device, you've voided your warranty (though it may be possible to install a stock carrier ROM to obfuscate this fact should a repair be needed).
7. Did Carrier IQ "discoverer" Trevor Eckhart do a good job analyzing the case?
First and foremost, we should all thank Trevor for bringing this problem to the world's attention. That said, Mr. Eckhart's commentary is the source of a major inaccuaracy -- calling Carrier IQ a rootkit -- and fails to qualify the extent of the keylogging leading to confusion understanding the true problem (see #2 and #8) here.
8. Is there a bigger picture here?
Yes. There's a big security flaw in Android, in that Android allows apps with certain permissions to publish sensitive information that's dependent on those permissions to the debug stream. Android should ensure that apps accessing the debug stream can only see information that they have permissions for. It would be trivial to add an extra field to the debug logging, similar to the priority tag (i.e. the "V"/"I"/"E", etc. you see attached to messages).
Hope that clears things up about my perspective, based on my research.
Since Friday I've been digging into the controversy sound Carrier IQ. Carrier IQ is a remote monitoring app that's been installed on a host of smartphones, including -- reportedly -- some iPhones and many Android phones. Some carriers like Verizon refuse to use the service while others embrace it.
I. Carrier IQ: Good or Evil?
What is the point of remote monitoring? Carrier IQ
Carrier IQ is the market leader in Mobile Service Intelligence solutions that have revolutionized the way mobile operators and device vendors gather and manage information from end users. With Carrier IQ’s unique ability to provide detailed insight into service delivery and user experience, you can achieve your strategic goals more efficiently and effectively, based on data drawn directly from your subscribers’ devices – the place where your customer actually experiences the service.
Well that sounds fair enough as long as it's not spying on anything it shouldn't be, right? Well that's where IT worker-turned-security researcher Trevor Eckhart, 25, stepped in. He
Carrier IQ (CIQ) sells rootkit software included on many US handsets sold on Sprint, Verizon and more. Devices supported include android phones, Blackberries, Nokias, Tablet devices and more.
Wikipedia describes a "
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
But Mr. Eckhart himself acknowledges that carriers and hardware makers install the app on your phone. That brings us to his first fundamental misunderstanding.
You are not the administrator of your phone.
You do not have root access without resorting to
widely available hacks
. The actual administrators of your phone are your carrier, your device maker, and your operating system maker (e.g. Google), unless you take matters into your own hands. For the average smartphone user, you are merely that -- a user. You may not like that, but that's the nature of how these devices are sold and work today.
You are not the administrator of your phone unless you root it; most users prefer to let their carrier, device maker, and operating system maker play administrator for them.
[Image Source: Ellis Hamburger]
As the administrator of your phone installed this software, it's a pretty big stretch to call it a rootkit. Maybe if the phone was sold rooted, and then somehow hardware makers or carriers actively attacked customers' phones in the wild in an effort to install unwanted software, this would fit the definition. But that's absolutely not what's happening here.
II. Carrier IQ "Sinisterly" Logs Metrics
Second, there's no escalation of privileges, as far as we could see here. You must understand that Android is a very permissive operating system. If you ask for enough permissions you can see users' phone calls, see hardware information, or even see what URLs are being typed in the browser. The issue is that most users and new developers -- like Mr. Eckhart -- don't realize this.
It's easy to duplicate Mr. Eckhart's debugging test, which he gives in a video here:
We did. I own an HTC Evo 4G by Taiwan's HTC Corp. (
) -- the predecessor to the model Mr. Eckhardt owns -- so I installed CatLog and carefully logged in a variety of scenarios and actions. Here's what I found.
Most of the things logged by Carrier IQ are exactly the kinds of things you would expected from a logging program. Here are some examples, straight from logs:
UI08: Signal Strength
12-03 18:23:51.707 V/AgentService_J(8784): Action:com.htc.android.iqagent.action.ui08
12-03 18:23:51.707 I/HTC_SUBMITTER_C(8784): actionUI08 metric:5, 3
12-03 18:23:51.707 V/AgentService_J(8784): (0)ASU, TECH:
12-03 18:23:51.707 D/StatusBarService(8787): updateIcon slot=phone_signal index=20 viewIndex=15 old=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0 visible=true num=0 ) icon=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0 visible=true num=0 )
Well, I honestly don't care very much if it's logging my signal strength. That's hardly a catastrophic violation of my privacy.
Another example seems to log whenever you land on the home screen (via a power button press, a back button press, a home button press, etc.). Here's the debug message:
UI19: Face Button Pressed
Button Press (power button screen off) (ID:-1885129974; shared with other presses)
12-03 18:22:55.963 V/AgentService_J(8784): Action:com.htc.android.iqagent.action.ui19
12-03 18:22:55.963 I/HTC_SUBMITTER_C(8784): (0) submitUI19:-1885129974,0
12-03 18:22:55.963 V/AgentService_J(8784): (0)ui19_dwAppID:-1885129974,ui19_ucFocusEvent:0
12-03 18:22:56.023 D/KeyguardViewMediator(135): wakeWhenReadyLocked(26)
Again, nothing overly sinister here.
III. Carrier IQ's Most Evil Functionality of All
So what's the worst that I discovered? Well, I did notice signs of some keylogging in one -- and only one -- place. It logs your keypresses inside the phone app:
"3" Button is Pressed on the virtual keyboard in the Dialer app
12-04 13:02:41.130 V/AgentService_J(8784): Action:com.htc.android.iqagent.action.ui01
12-04 13:02:41.140 D/dalvikvm(394): GC_CONCURRENT freed 871K, 48% free 3931K/7559K, external 1312K/1772K, paused 3ms+6ms
12-04 13:02:41.150 I/HTC_SUBMITTER_C(8784): actionUI01:51,0
12-04 13:02:41.171 D/AudioSystem(12022): linearToSpecifyHtcVolume(volume:0, streamType:1, audio_devices:2)
12-04 13:02:41.171 D/AudioPolicyManagerBase(12022): volume after AudioSystem::linearToSpecifyHtcVolum: -1.000000
12-04 13:02:41.171 D/AudioPolicyManagerBase(12022): volume after AudioSystem::linearToLog: 0.000000
12-04 13:02:41.171 I/HTC_SUBMITTER_C(8784): (0) convert01:51,0
12-04 13:02:41.181 D/HtcDialer(394): User pressed key with keyCode: 10
But there are a couple of important things to notice here. First, while Carrier IQ may be negligent in dumping your keypress to the log (making it visible by the debugger), it definitely is not the only one to do this -- the HTC Dialer app, which you're using to dial the number (in the above example pID) -- also does this.
And is it really so shocking that your carrier and/or device maker is/are keeping track of the numbers you dial? If that shocks you, do me a favor and look up your phone bill and go to the section where it lists ALL of the numbers you dialed from your cell phone. This may be "keylogging", but it's hardly rootkit malfeasance.
Now Mr. Eckhart unfortunately fails to qualify exactly how far the keylogging went. Well we tested this on our EVO 4G. And let us be clear what we found.
For a standard, not rooted HTC smartphone, there are NO signs of keylogging in the debug log stream when typing with the virtual keyboard inside apps and the browser. Again, the only place where keylogging is occurring is inside HTC's own dialer app.
In this light the "keylogging" looks far less sinister. Your phone isn't logging your passwords, usernames, and messages. It's merely keeping track of the numbers you dial, something your carrier tracks anyways, and something that third-party apps have the permission to request access to in Android.
IV. Google to Blame for HTTPS Encryption Breach, Not cIQ
Now we did find one other capability of Carrier IQ. It can read the URLs that you enter in your browser:
(I went to Google search for "aaaaaaaaaaaaaaaaaaa"
12-04 13:01:11.223 I/HTC_SUBMITTER_C(8784): (0) actionNT10:0,-1,200,4,0,0,7,
12-04 13:01:11.223 V/AgentService_J(8784): (0)Size:0,SocketID:-
12-04 13:01:11.293 D/StatusBarPolicy(8787): onSignalStrengthsChanged
12-04 13:01:11.293 D/StatusBarPolicy(8787): iconIndex=1
12-04 13:01:11.293 V/StatusBarPolicy(8787): cdmaLevel:5;max:6
12-04 13:01:11.293 D/StatusBarPolicy(8787): iconLevel:5
12-04 13:01:11.303 D/StatusBarService(8787): updateIcon slot=phone_signal
index=20 viewIndex=15 old=StatusBarIcon(pkg=com.android.systemui
id=0x7f020012 level=0 visible=true num=0 )
icon=StatusBarIcon(pkg=com.android.systemui id=0x7f020011 level=0
visible=true num=0 )
12-04 13:01:11.313 V/AgentService_J(8784): Action
Okay, so Carrier IQ does keep track of what webpages you visit. Again, if you think your carrier/device maker keeping track of what webpages you visit is shocking, you're relatively naive. They're who is handling your traffic. Of course they have access to this information on multiple levels.
Now Carrier IQ does do one "bad" thing -- if you navigate to a secured (https) webpage, it displays the uncensored path/command string after the domain name. As Mr. Eckhart points out, this could contain the username and/or passwords on some sites. However, testing with several sites, we found that while it did in some cases show the username, it never showed the password.
Normally only apps must request special permissions to view the most recent browser state (via the history) and https is properly censored within the cache. In that sense cIQ does represent somewhat of a risk, but only if you install apps that were awarded debug privilege.
A final note is that Carrier IQ's frequent polling may adversely affect battery life in some devices. If there's one most compelling argument against the app, it's that it likely is a major source of battery drain while the phone is "hibernating".
V. Legality of Carrier IQ
Now let us talk briefly about the legality of OEMs like HTC or various carriers preloading Carrier IQ unbeknownst to the user. First, when you purchase a device you enter into end user license agreement (EULA) from the device-maker. I'm guessing the provisions about monitoring metrics is listed somewhere in there. Second, you also enter into a signed contract with your carrier, who again likely lists Carrier IQ somewhere in the fine print. (Sprint Nextel Corp. (
), one user of Carrier IQ, says exactly this -- that it's covered by their contract agreement.)
Thus you likely have "agreed" to monitoring whether you realize it or not. And based on our research above, this monitoring isn't exactly intentionally abusive.
Now we do have to scold Carrier IQ for failing to respect the user's request to turn off bug logging in operating system settings. This may just be sloppy implementation, but it certainly gives the appearance of violating a user's wishes. In this case it is typically the phone administrator (HTC) violating the wishes of a user (the customer). While this is not uncommon in IT settings, in this case Carrier IQ and its partners should have been a bit more sensitive, if nothing else to be respectful of the wishes of users, who often have the false impression that they are their device administrators.
We also have to scold Carrier IQ,
for the things they publish to the debug stream (e.g. URLs, keypresses in the phone app, SMS text contents, signal strength, etc.). This poor implementation means apps that have debugging access can circumvent Google's permissions and gain information to these pieces of data without asking permission to.
Again, to be clear these are all things that apps CAN ask permission for. But the issue with Carrier IQ's sloppy implementation is that it allows malicious apps to circumvent the permissions request process. Additionally Carrier IQ may be harming the very battery life it's seeking to monitor.
But it's important not to overstate the harmfulness of Carrier IQ by speaking in vague generalities as Mr. Eckhart and others have done. And it's important also not to overlook third parties' role as administrators of most users' smartphones.
Should your root your phone and remove Carrier IQ? If you're willing to drop out of your warranty by rooting and risk possibly damaging your built-in services (many of which are implemented by your device maker) feel free. But beware that while Carrier IQ's sloppy implementation may raise some minimal security concerns, it does not general appear to be trying to play "Big Brother" or at least if it is, it does a very poor job at it.
Android owners should be far more concerned by what their core system apps from Google are publishing to permitted apps, and to the debug screen. Stay tuned for our follow-up for more details on that.
VI. Should You Trust a Biased Party?
And as a final note I'd like to point out that its somewhat disingenuous for Mr. Eckhart
to be profiteering
[Android Market] off his discovery of Carrier IQ by selling an app that watches its activity. After all you can see most of the same metrics by downloading the completely free, aforementioned Cat Log, and simply doing a search for "iq". I'd say the fact that Mr. Eckhart is profiting off of villainizing/misrepresenting Carrier IQ calls into question his ability to function as an unbiased researcher, in some sense.
I'm not saying that Mr. Eckhart is intentionally misrepresenting cIQ for profit, just pointing out that he risks the appearance of it seeming that way by selling a product that solely focuses on Carrier IQ.
By contrast most antivirus software makers focus on general detection and removal of a broad range of applications for this exact reason -- to avoid the appearance that they're profiting off of solely targeting/scapegoating one application.
Mr. Eckhart has done smartphone owners a favor by bringing some of the security risks created by Carrier IQ to light. But by resorting to unqualified hyperbole (e.g. suggesting it's a rootkit and implying that it logs all keystrokes), he risk delegitimizing the important research he did.
This article is over a month old, voting and posting comments is disabled
A security RISK we can do WITHOUT!.
12/5/2011 11:13:00 PM
Most if not all will WANT this CIQ out of out phones!. It has no business being there because it is eating our resources (battery and CPU cycles) that we DID not authorize. Yeah, the wireless connection might belong to the carrier but we OWN the handset. Hence, the handset make and/or Google should ensure that they give us the choice to enable or disable it. No buts, ifs, or whats!.
RE: A security RISK we can do WITHOUT!.
12/6/2011 1:58:04 PM
You don't own anything anymore, you only license it. Hollywood hates the idea of you buying a DVD, they want you to pay a subscription fee for the right to watch a movie. You lease your car, you don't own it. You even used to lease your black rotary dial desk phone; why should today's phone companies (which all come from that Ma Bell background) feel any differently about "your" cell phone? Note that if you want to change phones or plans you have to pay a hefty fee, again because it's their phone not yours.
"If they're going to pirate somebody, we want it to be us rather than somebody else." -- Microsoft Business Group President Jeff Raikes
HTC Fixes EVO 4G Storage, Security Bugs, Chat Goes Live
June 4, 2010, 9:29 AM
Microsoft Band 2 Stays Focused on Fitness, Debuts Oct. 30, Priced at $249
October 6, 2015, 9:16 PM
Tag Heuer Admits Its $1,800 Smartwatch Was Inspired By Apple -- Price-Wise
September 30, 2015, 6:32 PM
Apple's First Fixes to iOS 9 Land w/ iOS 9.0.1 Release
September 23, 2015, 6:11 PM
Worth the Wait? Microsoft Teases at Windows 10 Flagship Phones to Air Oct. 6
September 15, 2015, 5:13 PM
Big Bug Forces Delay of Windows 10 Mobile Preview Build 10536
September 11, 2015, 8:54 PM
AdultPlayer Android Porn App Blackmails Users With Secret Selfies
September 7, 2015, 5:06 PM
Most Popular Articles
Why the U.S. Won't be Able to Ban Google's New Huawei Marshmallow Flagship Phone
October 3, 2015, 5:27 PM
Apple's First Fixes to iOS 9 Land w/ iOS 9.0.1 Release
September 23, 2015, 6:11 PM
Apple Watch Commands 2 in 3 Smart Watch Sales, WatchOS 2 Sweetens the Pitch
September 20, 2015, 6:07 PM
Tag Heuer Admits Its $1,800 Smartwatch Was Inspired By Apple -- Price-Wise
September 30, 2015, 6:32 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information