dslreports logo
 story category
Follow Up CarrierIQ Video Contradicts Company Claims
Shows Software Tracks Pretty Much Everything
On Monday we noted that a company named CarrierIQ had apologized for threatening security researcher Trevor Eckhart, who had divulged the company was selling a stealth rootkit to carriers that was difficult to detect, even more difficult to remove, and potentially tracked everything done on a wireless device. CarrierIQ's apology (pdf) came after a challenge by the EFF, and insisted that the company's software did not provide tracking tools, did not track SMS or other communications, and didn't record keystrokes. Or does it? Wired directs our attention to a follow up video by the researcher illustrating how the CarrierIQ software tracks encrypted web searches, logs text messages, and records every key pressed on the device.
view:
topics flat nest 

jseymour
join:2009-12-11
Waterford, MI

jseymour

Member

I Think I'll Just Forgo A Not-So-Smart Phone For Now

So now it's revealed that my paranoia about "smart" phones was justified, after all.

I've long resisted them for three reasons: 1. Most importantly, I'll admit: I simply cannot justify nor afford what carriers are charging for data plans. Period. Hell, I sometimes wonder if the $50/mo. we're paying for the two phones we have is justifiable, truth be told. 2. "The Cloud." My data on somebody else's servers? Seriously? I have an app on my Palm Centro called "Palm Keyring." (Used to be called "GNU Keyring.") Every bit of sensitive information for every account of every type I have anywhere is in that keyring. And wireless providers really expect me to store that on servers not under my personal control? Not. A. Chance. In. Hell. 3. No local backup/replication/desktop. I'm forced to rely on them. My phone dies, I'm screwed until I can get another and sync with "the cloud." No. Thanks.

More recently, another concern has cropped up, now reinforced by CarrierIQ and the carriers: Spyware, "legitimate" or not, stealing my data. Quite simply: The more network-enabled a device, the more vulnerable it, and, by extension, your data. My Palm Centro is "off the net," so its data is relatively safe. Plus there's the fact that, from an exploit-vulnerability standpoint, it's lately coming to light that the Android platform is apparently the "new Windows."

Yeah, I think I'll just stick with my Palm Centro for a few (?) more years. Save money. Save my data.

Jim

Anon1592
@cvgs.net

Anon1592

Anon

Re: I Think I'll Just Forgo A Not-So-Smart Phone For Now

Well you could just say screw CIQ and root you phone and back it up with nandroid on you computer no cloud or phone company help needed. And you might say thats a lot of hoops to jump through for a phone but any well versed user with a little research can get it done.

cmadewd
@ldmengineering.com

cmadewd to jseymour

Anon

to jseymour
said by jseymour:

So now it's revealed that my paranoia about "smart" phones was justified, after all.

I've long resisted them for three reasons: 1. Most importantly, I'll admit: I simply cannot justify nor afford what carriers are charging for data plans. Period. Hell, I sometimes wonder if the $50/mo. we're paying for the two phones we have is justifiable, truth be told. 2. "The Cloud." My data on somebody else's servers? Seriously? I have an app on my Palm Centro called "Palm Keyring." (Used to be called "GNU Keyring.") Every bit of sensitive information for every account of every type I have anywhere is in that keyring. And wireless providers really expect me to store that on servers not under my personal control? Not. A. Chance. In. Hell. 3. No local backup/replication/desktop. I'm forced to rely on them. My phone dies, I'm screwed until I can get another and sync with "the cloud." No. Thanks.

More recently, another concern has cropped up, now reinforced by CarrierIQ and the carriers: Spyware, "legitimate" or not, stealing my data. Quite simply: The more network-enabled a device, the more vulnerable it, and, by extension, your data. My Palm Centro is "off the net," so its data is relatively safe. Plus there's the fact that, from an exploit-vulnerability standpoint, it's lately coming to light that the Android platform is apparently the "new Windows."

Yeah, I think I'll just stick with my Palm Centro for a few (?) more years. Save money. Save my data.

Jim

Point #1 is valid but 2 and 3 are not. My Android Smartphone works perfectly find without "the cloud" and by plugging it in via USB cable I have access to all of the data stored on it, without requiring a sync program or anything else to get it. Further my email/contacts/calendar are synced with a server I control, although I could also use something like Gmail, which always allows access to my data via web browser.

Further use of it allows me to replace the need to lug around a laptop just to check email and perform web searches (which for work is essential).

For some having a connected device makes sense when you look at the tradeoffs, for others like yourself, it might not.
kerya666
join:2002-12-20
Valrico, FL

kerya666

Member

This makes me sick...

Absolutely had no doubt that they would do something like this if they could legally, but this still makes me freaking sick to my stomach. I hope all the users sue the hell out of both IQ and providers that employ this without consent and for all the data its been using up.

Despicable, nothing else. And I hope carrier IQ burns in hell along with wireless providers for lying about their software not recording key strokes and etc.

This is a huge security threat!

Any info about AT&T having this on their phones?

TheHelpful1
Premium Member
join:2002-01-11
Upper Marlboro, MD

TheHelpful1

Premium Member

Re: This makes me sick...

said by kerya666:

I hope all the users sue the hell out of both IQ and providers that employ this without consent and for all the data its been using up.

How? AT&T in particular slowly boiled the pot we are all in by getting the power that be to ban class action lawsuits from their users and instead force arbitration via the court in their back yard. Carrier IQ will just say we made the software suite and the individual providers chose what switches to turn on.

CableConvert
Premium Member
join:2003-12-05
Atlanta, GA

CableConvert

Premium Member

Re: This makes me sick...

Thats in a civil case. I think there is criminal potential here, and there is no arbitration for that.

WHT
join:2010-03-26
Rosston, TX

WHT

Member

Call the bluff in a sworn statement

CarrierIQ's press release says,
"Does not record your keystrokes."
"Does not inspect or report on the content of your communications, such as the content of emails and SMSs. "

Would they be willing to give a sworn testimony of this?

tim_k
Buttons, Bows, Beamer, Shadow, Kasey
Premium Member
join:2002-02-02
Stewartstown, PA

tim_k

Premium Member

Patriot Act?

The Feds have been pushing to have back doors into all sorts of devices and data. Perhaps this is their doing.

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY
·Charter
Ubee EU2251
Ubiquiti UAP-IW-HD
Ubiquiti UniFi AP-AC-HD

Smith6612

MVM

Re: Patriot Act?

Wouldn't doubt that at all. I saw a video on this CarrierIQ software running on an Android phone and it makes me wonder, now, on what is needed to kill the software off. Perhaps a custom build of the phone's software may work, but killing it and disabling it I think would be easier for a lot of people to do
Prespd
join:2004-03-10
Wyoming, MI

1 recommendation

Prespd

Member

Re: Patriot Act?

Yeah, but seriously, you also know that there is a "Logging Test App" you can download to your Android flavor, and if rooted donate $1 to the intrepid TrevE to automatically remove the CIQ stuff and other loggers.

So to sum up:
1. root your phone
2. download the following and run backups (Titanium backup, ROM manager
(Optional) download and or flash a new ROM/Kernel without the bloat/rootkit crap
4. Download the "logging test app" and TrevE's "Logging Removal Key"
5. Give TrevE $1 USD to register the license
6. Go into the logging test app and have it remove the CIQ and tracking stuff.

ALL DONE

TrevE, you got my $1 almost immediately.


jap
Premium Member
join:2003-08-10
038xx

jap

Premium Member

Re: Patriot Act?

said by Prespd:

Yeah, but seriously, you also know that there is a "Logging Test App" you can download to your Android

It's good to know but sorta misses the point. Data miners don't care about the under 1% of people that could & would take the measures you mention. It might grow to, what, 3-4% at best and still wouldn't matter.

This is an issue that needs to be addressed by policy and enforced in a manner that has real teeth, not the hollow lip service we get out of gutted & neutered consumer protection agencies.

The reason CarrierIQ exists and flourishes is because corps have rightly concluded it doesn't matter, our society won't do anything so milk it they do. Wash, rinse, repeat.
Prespd
join:2004-03-10
Wyoming, MI

Prespd

Member

Re: Patriot Act?

Yes i totally agree. I am a slight power user and hope that by spreading information we can empower users to protect their own privacy while the larger group can than effect change in policies by the carriers and handset makers.

We should like TrevE says have clear options to Opt in if we desire or a the very least, disable the problem items.

Since when did we become consumers who buy things but take total ownership over the product and how it is used. If auto companies did this, legislation would happen over night.
criggs
join:2000-07-14
New York, NY

criggs to Prespd

Member

to Prespd
Just so you know, I believe I may have defeated mine (which is on a Sprint EVO Shift) without having to root.

If you go to »www.androidhelpers.com/i ··· ic=309.0 you will see that the claim is made that HTC IQAgent is the same as Carrier IQ. And I was able to find it and stop it quickly and easily by going to Menu Settings Applications Running Services and simply stop it.

Am I missing something?

Or am I one of the lucky ones?

Or is »www.androidhelpers.com/i ··· ic=309.0 just plain wrong, and is that not Carrier IQ?

firephoto
Truth and reality matters
Premium Member
join:2003-03-18
Brewster, WA

firephoto

Premium Member

Active since summer 2010

This thing has been on a lot of popular phones for more than a year.

I found this and at the time it was just an annoyance related to batteries dying from the ciq process pegging the cpu.
ricep5
Premium Member
join:2000-08-07
Jacksonville, FL

ricep5

Premium Member

Who is bringing home the data?

Obviously the carriers have to have some sort of method of getting this data back to a server of some sort.

Are they using the SMS/carrier control channel to recover this data or are they using the IP network?

Using the IP network has some other issues like consuming ones data plan and security of the transmission.

Using the SMS channel has a similar security risk, but either way millions of phones all transmitting IQ data back to their hosts.

Perhaps the "bandwidth hogs" they complain so much about isn't the users, it's them.

oldrecord
@verizon.net

oldrecord

Anon

beyond belief

all the companies involved are globally open to

class action lawsuit

wiretap laws (local/state/federal)

privacy laws (including minors)

espionage (can you imagine how many worldwide members of governments, law enforcement, military are affected)

even worse they've open a big hole hackers can use
old_wiz_60
join:2005-06-03
Bedford, MA

old_wiz_60

Member

Government...

is probably involved and gets a copy of the data. The spooks don't care about anything like privacy, search warrants, or any of the Constitutional amendments.

Makes me glad I have a dumb phone.