Topic: (Some) Android is Watching you! (maybe) (Read 13222 times)
Sand
Terracotta Army
Posts: 1750
Uhm, what the fuck!?!?! In a 17-minute video posted Monday on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smart phones - including HTC, Blackberry, Nokia and others - and reports them to the mobile phone carrier.
The software always runs when the Android operating system is running and users are unable to stop it, Eckhart said in the video.
Any comment Quinton? And I would love some of our more technically proficient posters telling me how to delete this. I've never considered myself technically proficient enough to root a phone, but would doing that get rid of this? Or is the program bundled with the Android OS, so running Android means running it?
YouTube video: http://youtu.be/T17XQI_AYNo
caladein
Terracotta Army
Posts: 3174
It just got changed a week or two ago. It's terrible.
Might want to try setting it to Cozy/Compact. I think it's great though. Also a fan of the new Reader interface though so it's probably just me.
"Point being, they can't make everyone happy, so I hope they pick me." - Ingmar
"OH MY GOD WE'RE SURROUNDED SEND FOR BACKUP DIG IN DEFENSIVE POSITIONS MAN YOUR NECKBEARDS" - tgr
KallDrexx
Terracotta Army
Posts: 3510
Uhm, what the fuck!?!?!
I skipped around the video so maybe I missed it, but I don't see anywhere where he shows the data is being logged or sent anywhere. It looks like when devices are in Debug mode it sends debug information out to the standard console, which in this case is through USB with a computer set to receive it. Not sure what the big deal about that is, it's a standard device debugging system (again, unless I am missing something)
Sand
Terracotta Army
Posts: 1750
Uhm, what the fuck!?!?! I skipped around the video so maybe I missed it, but I don't see anywhere where he shows the data is being logged or sent anywhere. It looks like when devices are in Debug mode it sends debug information out to the standard console, which in this case is through USB with a computer set to receive it. Not sure what the big deal about that is, it's a standard device debugging system (again, unless I am missing something)
Start watching at 8:35. The video producer is the one who turned on the debugger, purposely, in order to show what the CIQ was doing on the screen to show the audience. CIQ does not equal debugger. He demonstrates that CIQ is reading your text msgs, before the phone even tells you that you have a new message. He even demonstrates that CIQ is logging HTTPS information which is supposed to be encrypted, and sending that out via text msgs to somewhere.
Edit- I don't seem to have this program on my Samsung. But I am curious why a program I did find on my phone called "Network Location", which one assumes uses nearby wifi networks in order to pinpoint a phone user's location for maps or social networking apps, would need permission to:
Add or modify calendar events and send email to guests
Read calendar events
Read contact data
Write contact data
Directly call phone numbers
Read instant messages
Write instant messages
« Last Edit: November 30, 2011, 10:09:57 AM by Sand »
MuffinMan
Terracotta Army
Posts: 1789
It just got changed a week or two ago. It's terrible.
I do remember updating the app but didn't see any visible changes.
I'm very mysterious when I'm inside you.
KallDrexx
Terracotta Army
Posts: 3510
Start watching at 8:35. The video producer is the one who turned on the debugger, purposely, in order to show what the CIQ was doing on the screen to show the audience. CIQ does not equal debugger.
He demonstrates that CIQ is reading your text msgs, before the phone even tells you that you have a new message. He even demonstrates that CIQ is logging HTTPS information which is supposed to be encrypted, and sending that out via text msgs to somewhere.
I saw all that. I'm not sure what your point is though. I don't even understand how he is most likely sending debugging output to standard output, to help debug issues with it. Nothing in that video shows it logging anything nor does it show sending any of that information over the network. To me it looks like it's just sending debug information to standard output, and putting Android in debug mode is causing the standard output to be sent to a console hooked up via USB. Unless I am missing something....
Sand
Terracotta Army
Posts: 1750
« Last Edit: November 30, 2011, 10:50:20 AM by Sand »
KallDrexx
Terracotta Army
Posts: 3510
You really have no idea what you are looking at do you? Again, none of those articles show any proof that any information is getting permanently logged or sent abroad. It helps to research what you are talking about.
What he is using is a program called logcat, which allows you to read debug system messages for your phone onto your PC. This is used for debugging purposes, so the developers of CarrierIQ (which admit to counting the number of text messages you read or write, but claim to not look at the contents) know that their code works: when a button is pushed or a text message is received, CarrierIQ is aware of it. So for example, when any event occurs (button press, SMS received or sent, etc..) CarrierIQ outputs the event to a debug message, so developers know that their system can catch these events for statistics gathering. Just because they received your SMS message does not inherently mean they actually look inside of it (they may, but nothing in that video shows that they do). The HTTPS aspect could easily just be CarrierIQ receiving browser requests from the system itself (either from the browser or Android, depending on how the requests and HTTPS is handled) and outputting the event as an Android debug message prior to the URL being encoded via SSL when sending or after Android unencrypts the URL when receiving data.
Furthermore, not one bit of evidence in that video or articles shows any traffic going over the network. All those videos show it to be doing is CarrierIQ gets notified by events in the Android system and it sends event data to the Android debugging system. It shows no evidence on how it is using the data it is receiving. It could be malicious, but no one really knows.
Trippy
Administrator
Posts: 23657
From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.
KallDrexx
Terracotta Army
Posts: 3510
From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.
I don't see any evidence of that in the articles or the videos, other than the one line in the Wired article, which could just as easily be an assumption from a journalist.
TripleDES
Terracotta Army
Posts: 1086
That's what you get for buying subsidized phones.
EVE (inactive): Deakin Frost -- APB (fukken dead): Kayleigh (on Patriot).
Sand
Terracotta Army
Posts: 1750
Again, none of those articles show any proof that any information is getting permanently logged or sent abroad.
Strange because both I and the writers at Wired seem to be able to see the same thing. Quote from their article:
The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. The video shows the software logging Eckhart’s online search of “hello world.” That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.
It shows no evidence on how it is using the data it is receiving. It could be malicious, but no one really knows.
You're right. We should just trust that they aren't doing anything with it we don't want them to.
« Last Edit: November 30, 2011, 11:23:39 AM by Sand »
Engels
Terracotta Army
Posts: 9029
inflicts shingles.
From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.
I don't see any evidence of that in the articles or the videos, other than the one line in the Wired article, which could just as easily be an assumption from a journalist.
Right, but you're sounding like Sand pulled this out of his posterior, when he didn't. Some clarification would be great, and it would be cool if Quinton could speak to the matter. Also, with the track record of US phone companies handing over data to DHS without so much as a by your leave due to the Patriot Act, etc, I don't think suspicion is unwarranted. It may be usage statistics analysis, or it may be marketing, or it may be big brother, but you have to admit that we live in a world where all bets are off in this department.
I should get back to nature, too. You know, like going to a shop for groceries instead of the computer. Maybe a condo in the woods that doesn't even have a health club or restaurant attached. Buy a car with only two cup holders or something. -Signe
I LIKE being bounced around by Tonkors. - Lantyssa
Babies shooting themselves in the head is the state bird of West Virginia. - schild
KallDrexx
Terracotta Army
Posts: 3510
You're right. We should just trust that they arent doing anything with it we dont want them to.
I don't really care who you trust or don't trust. I'd be suspicious too if I had an Android phone but I wouldn't be going all batshit crazy without actual evidence showing it. I'm just pointing out that there is a lot of FUD in this article with no actual evidence to back it up, and while they do have some shady practices (not allowing you to uninstall it), there's no evidence showing that they do what the article/video claims they do. Logging means different things to different people. The company is saying that their statistics don't write keystrokes, SMS details, etc.. into their statistics logs, which is fundamentally different than what the video is talking about, which is the application passing any information it receives from Android to the Android debug log buffer, which (as far as I can tell) is not a permanent logging destination by default.
Right, but you're sounding like Sand pulled this out of his posterior, when he didn't. Some clarification would be great, and it would be cool if Quinton could speak to the matter.
I could get a blog post published somewhere that showed PC anti-virus programs doing the same type of logging and blow it out of proportion too. Clarification would be great, I just think the attitude of taking a random video/blog post on the internet and start going crazy about it without critiquing the evidence the original claim was made on is dumb.
Sand
Terracotta Army
Posts: 1750
I just think the attitude of taking a random video/blog post on the internet and start going crazy about it without critiquing the evidence the original claim was made on is dumb.
It's the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.
MuffinMan
Terracotta Army
Posts: 1789
If it's in the news it must be true then. The media would never overreact about something.
I'm very mysterious when I'm inside you.
KallDrexx
Terracotta Army
Posts: 3510
Its the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.
Cause false news and FUD never spreads to legitimate news sources 
Sand
Terracotta Army
Posts: 1750
Its the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.
Cause false news and FUD never spreads to legitimate news sources
I have two legit news sources (Huffington and Wired) saying the video's producer has caught Carrier IQ logging and getting your info/data, versus you (random internet guy) saying he doesn't see it. I will go with them over you.
Edit: And Extreme Tech http://www.extremetech.com/mobile/107337-carrier-iq-is-the-best-reason-yet-to-switch-to-iphone
And Geek.com http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/
Oh and the security researcher is the guy who found the first vulnerability on the HTC and forced the company to fix its bugs.
Security researcher Trevor Eckhart has had something of a recent history making people aware of mobile phone vulnerabilities. Eckhart’s recent discovery of the HTC vulnerability that allowed for a potentially malicious app to hop on your mobile data connection and grab network information, possibly even ruin your 4G connection, gave the company cause to stop and fix some of their bugs. Now, Trevor points his talents at a more significant threat to personal information.
From the Geek.com article: The available information tells us that CarrierIQ is capable of recording:
Key in HTCDialer Pressed or Hardware Keys: Intent – com.htc.android.iqagent.action.ui01
App Opened: Intent – com.htc.android.iqagent.action.ui15
Sms Received: Intent – com.htc.android.iqagent.action.smsnotify
Screen Off/On: Intent – com.htc.android.iqagent.action.ui02
Call Received: Intent – com.htc.android.iqagent.action.ui15
Media Statistics: Intent – com.htc.android.iqagent.action.mp03
Location Statistics: Intent – com.htc.android.iqagent.action.lc30
These are the intents that we are currently aware of. In fact, CarrierIQ owns a patent that gives them the ability to query just about anything. The patent specifically notes “any user entering data into a browser” as one of the possible functions. If you have a phone with a physical keyboard, the Hardware Keys intent seems to suggest that everything you type could in fact be logged and sent away for analysis. Once the information is connected on your phone, it is shipped away via HTTPS to the CarrierIQ web portal. The obvious question that gets asked next is “Who sees this information?” Employees of the companies that pay for Carrier IQ, sure, but how much further does that go? Cooperation with law enforcement? When the information is packaged up and sold to the highest bidder, how much of this information do they see? There is no accountability for this data anywhere. It is recorded, transmitted, and it exists with CarrierIQ. The information shown in these images are for Sprint’s portal, so each of the carriers have their own web portal with their own logins, but we as consumers have no idea who has access to this information.
As to the final question, what are they doing with the info? Ignoring your civil rights. Here is a story of a carrier cooperating with law enforcement, who didn't have warrants as required by law, over 8 million times. (And another carrier has already admitted to selling the information they get from you as a user to other third party companies.)
http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars
« Last Edit: November 30, 2011, 12:07:40 PM by Sand »
bhodi
Moderator
Posts: 6817
No lie.
Stop asking Quinton for his opinion. This is current affairs lawyer shit and even with a gigantic disclaimer of "My views do not necessarily represent the views of my employer" it's just not PC.
KallDrexx
Terracotta Army
Posts: 3510
One last thing.
Depending on how obfuscated it is, if you really cared about this you could just unassemble the package and look at the Java source yourself to see if it's doing anything malicious (something no one writing these articles or the original video author has done). Some comments sprawled around that I have seen from people who have attempted this have not seen anything malicious or outside of the scope of what the company claims to keep metrics of.
Sand
Terracotta Army
Posts: 1750
have not seen anything malicious or outside of the scope of what the company claims to keep metrics of.
You haven't actually read ANY of the articles have you? What CarrierIQ does is sell the basic software package to the end users (carriers and phone manufacturers); what they do with it or how they manipulate the code from there is all up to them. They decide what information to gather and keep and what to do with it, not CarrierIQ. Decompiling code isn't going to tell you what a corporation is going to do with your private info once they have it. Also why look at the code when you can see what it's doing in real time? The problem, which you can't seem to grasp, is that it's collecting info on you without your permission (or ability to opt out of) and you have no control over what the end company is doing with that info (including giving it to law enforcement or selling it).
naum
Terracotta Army
Posts: 4263
From a comment thread on Hacker News regarding this story, with lots of smart posters (not to say there are not smart posters here also :)):
There are a handful of comments here giving CarrierIQ the benefit of the doubt, because the video did not show CarrierIQ sending the logged data over the network. If you're still inclined to give them the benefit of the doubt, just read the CarrierIQ website. Their ENTIRE BUSINESS MODEL is based on collecting data about mobile phone users!! Here's a choice excerpt I found on their website after browsing their site for 30 seconds:
Carrier IQ's Mobile Service Intelligence Platform (MSIP)...receives raw data (known as Metrics) from phones and converts them into reliable, repeatable Measures which feed into analytic applications.
Or you can read this comment from a discussion last week where a CarrierIQ recruiter told an HN member that they collect 10s of gigabytes of data PER DAY.
These guys are indeed collecting RAW DATA from actions on your phone. There are tremendous opportunities for abuse here, should CarrierIQ decide to do so. CarrierIQ is in blatant violation of privacy norms and could do enormous damage to the national security of many countries, conduct corporate espionage, or simply violate citizens' expectation of privacy when using their phone.
"Should the batman kill Joker because it would save more lives?" is a fundamentally different question from "should the batman have a bunch of machineguns that go BATBATBATBATBAT because its totally cool?". ~Goumindong
naum
Terracotta Army
Posts: 4263
Some more reading…
Carrier IQ, which in the second quarter of 2011 passed the petabyte milestone in processed analytics data, enables mobile operators and device manufacturers to gain valuable insights into the customer experience. The company has grown rapidly over its five-year history securing an industry leadership position with a global footprint of 150 million devices enabled to deliver mobile intelligence.
But, really, the logging/transmitting is not the real issue.
(1) An untrusted third party is able to record and report all keystrokes
(2) It was put there at the insistence of the carriers
(3) No easy way for users to turn off without voiding their warranty
"Should the batman kill Joker because it would save more lives?" is a fundamentally different question from "should the batman have a bunch of machineguns that go BATBATBATBATBAT because its totally cool?". ~Goumindong
Engels
Terracotta Army
Posts: 9029
inflicts shingles.
oh naum you're just another drama queen ain't ya
I should get back to nature, too. You know, like going to a shop for groceries instead of the computer. Maybe a condo in the woods that doesn't even have a health club or restaurant attached. Buy a car with only two cup holders or something. -Signe
I LIKE being bounced around by Tonkors. - Lantyssa
Babies shooting themselves in the head is the state bird of West Virginia. - schild
Sand
Terracotta Army
Posts: 1750
Thanks for that link. I think this quote nailed the problem:
Did you read any of the articles or watch the video?
The guy shows `adb logcat` running and showing CarrierIQ logging keystrokes with their ASCII codes.
(edit: I make no claims about the transmission of data. I merely took "collection" and assumed that if the app was recording (even if not persistently) keystrokes on my phone that it counted as collection. Further, the fact that it can is enough to piss me off, especially since it seems like makers of this type of software have piss-poor track records for their app security)
pasbesoin (Hacker News reply):
And, as has been pointed out repeatedly in discussions about the "security" domain, when you add an ability, you inherently add a vector for that ability to be abused.
Even if "raw data" are not currently being uploaded, how thin is the line between this being turned off and it being turned on? And who is in control of that decision?
At an absolute minimum, the situation demands transparency.
As for me, I'm a step closer to being firmly in Stallman's camp.
Image of CarrierIQ's client UI. Note column "Upload Reason" to include the particularly disturbing SMS_PullRequest_CS.
« Last Edit: November 30, 2011, 02:37:06 PM by Sand »
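Added example, not from this thread or from any of the articles it links, and not Carrier IQ's, HTC's or Google's code: a Python script that scans saved `adb logcat` output (the capture the video's author is described as showing, and the one a phone owner can take themselves) for the iqagent intent actions that the Geek.com excerpt quoted earlier in the thread lists (ui01, ui15, smsnotify, ui02, mp03, lc30) and tallies what kind of event the excerpt says each one represents. The sample log lines are constructed for this example; the `IQAgentDemo` tag, the process ids and the `zz99` action are placeholders, not values observed on a real device. To use it on a phone, save `adb logcat -d > logcat.txt` and pass the file contents to `find_iqagent_events`.

```python
import re
from collections import Counter

# Intent action strings as listed in the Geek.com excerpt quoted in this thread,
# mapped to the event the excerpt attaches to each one (ui15 appears twice there).
KNOWN_IQAGENT_ACTIONS = {
    "com.htc.android.iqagent.action.ui01": "dialer key / hardware key press",
    "com.htc.android.iqagent.action.ui15": "app opened / call received",
    "com.htc.android.iqagent.action.smsnotify": "SMS received",
    "com.htc.android.iqagent.action.ui02": "screen off/on",
    "com.htc.android.iqagent.action.mp03": "media statistics",
    "com.htc.android.iqagent.action.lc30": "location statistics",
}
UNLISTED = "unlisted iqagent action"

# Default ("brief") logcat line layout: LEVEL/TAG( PID): message
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)
# Any action string in the iqagent namespace, whether or not it is in the table.
IQAGENT_ACTION = re.compile(r"com\.htc\.android\.iqagent\.action\.[A-Za-z0-9_]+")


def parse_logcat_line(line):
    """Return (level, tag, pid, msg) for a brief-format logcat line, else None."""
    m = LOGCAT_LINE.match(line)
    if not m:
        return None
    return m.group("level"), m.group("tag"), int(m.group("pid")), m.group("msg")


def find_iqagent_events(log_text):
    """Return one record per iqagent action seen in the captured logcat text.

    Lines that are not in brief format are still scanned, since the action
    string is the evidence that matters; their tag and pid are recorded as None.
    Actions missing from the table are kept and flagged UNLISTED, not dropped.
    """
    events = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_logcat_line(line)
        for action in IQAGENT_ACTION.findall(line):
            events.append({
                "line": line_no,
                "tag": parsed[1] if parsed else None,
                "pid": parsed[2] if parsed else None,
                "action": action,
                "meaning": KNOWN_IQAGENT_ACTIONS.get(action, UNLISTED),
            })
    return events


def summarize(events):
    """Count events by meaning: the first thing a phone owner would want to read."""
    return Counter(e["meaning"] for e in events)


# Constructed sample capture. The "IQAgentDemo" tag, the pids and the "zz99"
# action are placeholders made up for this example, not output from a real device.
SAMPLE_LOGCAT = """\
I/ActivityManager(  212): Start proc com.android.browser for activity com.android.browser/.BrowserActivity
D/IQAgentDemo( 1045): Action[com.htc.android.iqagent.action.ui01] key event
I/ActivityManager(  212): Starting: Intent { act=com.htc.android.iqagent.action.smsnotify }
D/IQAgentDemo( 1045): Action[com.htc.android.iqagent.action.ui02] screen state changed
W/PowerManagerService(  212): Timer 0x7fffffff
D/IQAgentDemo( 1045): Action[com.htc.android.iqagent.action.ui01] key event
com.htc.android.iqagent.action.zz99 seen on a line without the logcat prefix
"""

if __name__ == "__main__":
    found = find_iqagent_events(SAMPLE_LOGCAT)
    for e in found:
        print(f"line {e['line']:>3}  tag={e['tag']!s:<16} {e['action']}  ->  {e['meaning']}")
    print()
    for meaning, n in summarize(found).most_common():
        print(f"{n:>3}  {meaning}")
```

The scan deliberately matches on the action namespace rather than on a fixed tag, because the tag under which the agent logs is exactly the sort of detail that differs between OEM builds; an action the table does not know about is reported rather than silently ignored, so the output is a list of things to look into, not a verdict on what the agent transmits.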
Quinton
Terracotta Army
Posts: 3332
is saving up his raid points for a fancy board title
Stop asking Quinton for his opinion. This is current affairs lawyer shit and even with a gigantic disclaimer of "My views do not necessarily represent the views of my employer" it's just not PC.
Yeah, pretty much. At best, when it's not likely to give legal or PR heart attacks, I can talk a bit about what we (Google/Android) do and sometimes a bit about why. Discussing the actions of third parties, legal matters, etc, etc, is a whole 'nother minefield. Having been deposed a couple times related to various crazy legal actions, I'm not at all interested in repeating the process. ^^
That said, Google does not include or ship CarrierIQ on any lead Android devices (Nexus series phones, original Droid, original Xoom, G1, etc).
In general: I do strongly encourage folks to bring concerns to the attention of carriers and OEMs who appear to be playing fast and loose with security and privacy. Customer feedback trends (and/or outrage) is something that these entities pay attention to. Often, there is more incompetence than malice afoot. There have been a couple cases of OEMs leaving debugging code active which drops data like keystroke information into the logs -- very common while debugging keyboard or touchpanel bringup -- and they usually get resolved pretty quickly. Security researchers and tech bloggers do important work, but also thrive on attention -- it pays to check the details as sometimes things are misunderstood or sensationalized a bit.
Tale
Terracotta Army
Posts: 8567
sıɥʇ ǝʞıן sʞןɐʇ
logs every text message, Google search and phone number
You've already given all your contacts to Google. You've already given everything in your gmail to Google. They can do whatever the fuck they want with it, as long as no-one finds out. That's Facebook and Apple's situation too. Everybody likes to think there are privacy safeguards, but you should assume all your shit is in their private backups of backups forever. Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Lantyssa
Terracotta Army
Posts: 20848
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yeah, really. While it can be a concern, the carriers shouldn't be your primary one. If you positively do not want your data getting out in the wild, stop using electronics.
Hahahaha! I'm really good at this!
Merusk
Terracotta Army
Posts: 27449
Badge Whore
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yeah, really. While it can be a concern, the carriers shouldn't be your primary one. If you positively do not want your data getting out in the wild, stop using electronics.
That's the route I went!
The past cannot be changed. The future is yet within your power.
Sand
Terracotta Army
Posts: 1750
logs every text message, Google search and phone number
You've already given all your contacts to Google. You've already given everything in your gmail to Google. They can do whatever the fuck they want with it, as long as no-one finds out. That's Facebook and Apple's situation too. Everybody likes to think there are privacy safeguards, but you should assume all your shit is in their private backups of backups forever. Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yes but they tell people what they are taking and you know this up front and have the option of opting out. No one was told about this and you don't have the option of not participating. Seriously? You are okay with a company uploading a key logger on your phone and you're willing to take their word for it that they aren't going to do anything wrong with that info, nor will it ever get hacked and used against you? Because you know obvious security threats like this never ever get hacked or used by the wrong people (which include both hackers AND police without warrants).
MahrinSkel
Terracotta Army
Posts: 10859
When she crossed over, she was just a ship. But when she came back... she was bullshit!
I know how to secure my communications against anyone up to (but not including) the NSA. I don't do it often, because it's a PITA. That doesn't mean I want my life to be an open book lying around where anyone might pick it up.
--Dave
--Signature Unclear
sinij
Terracotta Army
Posts: 2597
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
If you positively do not want your data getting out in the wild, stop using electronics.
Welcome to the dark side.
Eternity is a very long time, especially towards the end.
sinij
Terracotta Army
Posts: 2597
I know how to secure my communications against anyone up to (but not including) the NSA. I don't do it often, because it's a PITA. That doesn't mean I want my life to be an open book lying around where anyone might pick it up.
Change your name to John Smith and rotate through generic name changes every decade or so, because with current trends even obsessive-paranoid people like me can no longer expect privacy, let alone everyone else. I think the long term solution (2+ generations away) would be assumed legal identities; until then be prepared for no privacy and to get discriminated against, targeted and such due to complete lack of privacy.
« Last Edit: November 30, 2011, 08:58:25 PM by sinij »
Eternity is a very long time, especially towards the end.
Trippy
Administrator
Posts: 23657
Pennilenko
Terracotta Army
Posts: 3472
Just one question.....does anyone here, or did anyone ever think anything on a cell phone was ever private?
"See? All of you are unique. And special. Like fucking snowflakes." -- Signe