CIQ

Android hacker and professional security consultant Dan Rosenberg (you may know him as djrbliss from the Internets) has completed his own study on Carrier IQ, and found some interesting results.  All those reports about logging keystrokes and spying on SMS messages look to have been blamed on the wrong party, as his research shows that Carrier IQ as written can only capture the data that the carrier sends to it (known as metrics), and even then still has to consult a profile (think of it as a settings page for any app) that a carrier has had CIQ write specifically for their installation.  In his own words:

Dear Internet,

CarrierIQ does a lot of bad things. It's a potential risk to user privacy, and users should be given the ability to opt out of it.

But people need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen).  After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data.  There's a big difference between "look, it does something when I press a key" and "it's sending all my keystrokes to the carrier!".  Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes.  Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur.  But all the recent noise on this is mostly unfounded.

There are plenty of reasons to be upset about CIQ, but please don't jump to conclusions based on incomplete evidence.

Regards,
Dan Rosenberg

So what about all the stuff we see on Trevor Eckhart's video of the EVO in action?  It's obviously there, so what's up with all that?  We're not security researchers, professional or otherwise, but we are nerds who read about exploits and security every day.  The best we can figure is that HTC has exposed those events to the log while sending it as anonymous metric data to the Carrier IQ app.  There's still no evidence, and never was, that any of that data is sent anywhere. 

The biggest thing to take away from this news is that while Carrier IQ is scary, and many of us consider them evil, they only provide a service to collect data that carriers and OEM's make available.  This needs to be made more transparent, because it's never going to go away -- if you don't like it don't use our network, nobody is holding a gun to your head is likely the carriers stance on the subject, and in a way they are right.  Our choice in the matter is to not spend our money with them, and heaven knows I understand how unpopular that idea is firsthand.  But things are looking more and more like the carriers and manufacturers need to share a good bit of the blame here, and this whole mess is over an easy way to collect data they already have been collecting. 

When we get finished here, we can start looking at how the companies who rushed forward shouting "We don't use Carrier IQ on our phones" are collecting the same data with something other than Carrier IQ, so we can be sure that changes are made across the board versus crucifying a small company in Silicon Valley.

Source: Vulnfactory; Pastebin

 
There are 19 comments

frmorrison says:

It is good there are smart people out there to show that it isn't so bad. It still should have an opt-out button.

icebike says:

This needs to be made more transparent, because it's never going to go away

Don't be too sure of that. There is enough interest in Congress in this issue that opt-outs will probably be forced into the phones, or the ability to turn off this type of data collection UNLESS you report a problem to your carrier.

There is no reason for this. The type of data they are collecting is already available to the carrier, WHERE THERE IS A LEGITIMATE NEED, such as with sms, phone calls, etc. They've been billing us with this data for longer than there have been smartphones.

But that 3rd line in your little chart above covers a lot of evil which people seem to gloss over.

If they get the URL of every page you visit that opens up a whole raft of security concerns, because the URL can actually contain a lot more than just the web page address.

So my money is on a legislated opt-out, if not outright ban, on this type of application within a year or two.

StuartV says:

What icebike said. Depending on how a web app is written, just the URL to access it (after you've already hit your first page on the site) CAN contain anything the site wants to put in there - i.e. it CAN contain sensitive, private data.

Synycalwon says:

But, that's a website issue and not isolated to smart phones. It's just poor security practice to include sensitive info in the URL.

icebike says:

True, but nobody else along the path between your handset and the website is authorized to collect this data without a warrant, so why should your carrier get a free pass?

The fact that you visited a specific web site is recorded and sent to the carrier. That makes it available via a subpoena issued to your carrier.

houseofadams says:

Sorry, but I call BS on this. My company router can log this same information, as can every router between me and the web site. At a previous company, I've had people fired for surfing porn, based on the router log (and their browser cache).

Synycalwon says:

If anything, let this be a lesson to all those knee jerk reactionaries and especially those so quick to file lawsuits. Calm down people, wait until you get more facts and perspective before reacting so vehemently.

erwaso says:

Cliff notes?

Carrier IQ can't see all the stuff people claim it can see, unless the people who make the phone and the carrier it's on send it to them first.  The stuff in the log from TrevE's video was put there by HTC.  The Internet jumped all over CIQ, or anyone who said it may not be CIQ to blame, and now we know that it's the OEM's and carriers' fault.

They can get all this data without using CIQ, but CIQ makes it easier.  That's why they use it.  Instead of everyone fighting to get CIQ put out of business, I think we need to focus on how to make ALL data collection of this sort more transparent so that each user knows what's going on.

plunder says:

I was so glad that you and the team clarified matters on the pod-cast and above. If only such transparency and honesty had come from the carriers.

reddragon72 says:

This whole article misses the whole point. Hidden matterial that should never have happened. Spying it spying period. If I walk into any provider I can buy a phone from them outright without contract. But they can still collect data from me. That is wrong, I offer no improvement resources on their network yet I'm still being "spied" on. So the fact that is was hidden no matter what it collects is wrong. The fact that it was hidden and there was no intention to ever notify anyone is wrong. The fact that is collects data off the carrier network(which again offers no help to the carrier for network coverage and other issue) is wrong. And the fact that it collects data that is totally and completely to detailed for the need of improving the network is also wrong. I think carrier IQ and all parties envolved should be burned so this never happens again.

Not one carrier and not one device manufacturer has offered the ability to remove this. And that is wrong again!!! I don't care if it is only counting how many cats I have, it is wrong because it is spying and not being forthwrite. You can take your article and shove it. They are all wrong for doing this and you know so stop trying to sugar coat a pile of crap, because we all know it is. (I was being really nice right there)

Not my job to make up your mind, only to present the information to you along with the alternatives.  And nobody wants to hear that. 

Unlocked phone on a GSM carrier = no Carrier IQ.  Nexus phone = no spyware.  It's not rocket science, and until things change your only other option is root your phone.

slayerpsp says:

Root your phone throw on a custom rom that has this crape removed good to go that's what i do

OLD_HATCH says:

I agree the internet jumped on ciq and not the carriers and manufacturers, but disagree on the fact you have a choice to not purchase a phone with ciq in it. If sprint is my only option for carrier and I want a good touchscreen smartphone im going to be stuck with a device with ciq hidden in it.

If microsoft did this in combination with manufacturers there would be a big stink about it as well.

dman977#AC says:

Actually, neither the Nexus S 4G or the Motorola Photon 4G have CarrierIQ.

http://www.youtube.com/watch?v=wW_i4Qdq1bg

jonyah says:

The only part that really pisses me off is that my phone/tablet is doing more than it has to. Those extra logging procedures may not be much but they add up over time and both slow the device down and kill the battery. Then again my phone are all clean with roms that dont' have this junk on it. But it does explain a little why vanilla android can run so much faster than all that junk that comes out of the box.

plunder says:

If the carriers and phone makers had trusted the user base a little more, they could have had all the data needed without a backlash. People will, quite reasonably, worry about their privacy when data is gathered covertly.

Driven says:

Pinchbeck says:

In a nutshell, regardless of the device, (land line phone, smartphone, email, computer) everything you say and do, is being recorded somewhere by someone, or some agency. Send out enough emails about bombing the White House, and you can bet that Big Brother is going to catch it. (betting this message is getting flagged right now for that last remark)
We cannot, nor will not, ever retain complete privacy. Even rooted devices while they may not have CIQ on them, still transmit every voice or text message to a stadium sized bank of eavesdropping computers.
I dont use my phone for any wrong doing, nor do I keep sensitive information on it, so I really don't care what they collect on me. However, if some terrorist group, or other group of extremist is planning on blowing up my kids school, I am thankful that someone may be watching.
Is this ethical? NO
Is this legal? Patriot act seems to think so.
The only alternative is two cans attached with a string.