(Some) Android is Watching you! (maybe)

[Yegolev]

Hell, I'm pretty sure landlines are insecure.

[Ironwood]

Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.

Yeah, really.  While it can be a concern, the carriers shouldn't be your primary one.  If you positively do not want your data getting out in the wild, stop using electronics.

That's the route I went! 

But, but, but.

ARG.

 

[Merusk]

Silly Ironwood, the internet isn't electronics! 

Or am I posting via an elaborate proxy web using a carefully cultivated system of false IDs?

At the very least I know I'm not broadcasting my location everywehre via a cell phone, remote car start/ onstar/ lowjack system.

If I were as paranoid as Sinij I'd wonder how he drives anything built after 1994 what with the internal black boxes etc.

[Nerf]

onstar

That shit gives the Rusty Shacklefords of the world fucking nightmares.  Once installed, they can remotely activate the microphones and listen to what's going on inside your car pretty much whenever they want, even long after you've discontinued the service.  I try to not be too  , but I would sure as shit rather drive a car that didn't have that particular functionality hard-wired from the factory.

On the CarrierIQ shit, I'm pretty damned happy to hear that the Nexus devices don't come with it installed, now if Verizon ever actually fucking launches the thing, I can get rid of my big-brother compromised Incredible and go back about my illicit activities.  Don't worry though, I'll still leave the illegal arms dealing to mexican cartels up to the ATF.

[Furiously]

Oh like there are not orbiting satellites recording everything you are doing.

[bhodi]

On the CarrierIQ shit, I'm pretty damned happy to hear that the Nexus devices don't come with it installed, now if Verizon ever actually fucking launches the thing, I can get rid of my big-brother compromised Incredible and go back about my illicit activities.  Don't worry though, I'll still leave the illegal arms dealing to mexican cartels up to the ATF.

CityID popped up again last night after the update on monday. I installed Cyanogen 7 on my incredible and now the phone is faster and better than it was before.

[Engels]

Welp, this should prove of additional interest to the topic:

Wikileaks docs reveal that governments use malware for surveillance

Sample paragraph from the Ars article:

The software will capture the content of encrypted communications—including instant messaging conversations, e-mails, and the user's Web activity—and will relay the data to the party conducting surveillance. The software also includes key logging, remote file access, and has the ability to capture screenshots. The company cites "zero day exploits" and "social engineering" in a bulleted list of ways that its remote forensic software can be installed on the computer of a surveillance target.

The actual wikileaks stuff. Interesting interactive map detailing alleged companies per-country

[TheWalrus]

  I try to not be too  , but I would sure as shit rather drive a car that didn't have that particular functionality hard-wired from the factory.

Since my wreck, I'll never have a car that doesn't have onstar or similar service. Pretty goddamn amazing response.

[Trippy]

May be in iOS too:

http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

Apple sez: We are using Carrier IQ in most devices and iOS versions but only if the phone is in diagnostic mode we swearz!

http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/

[Trippy]

Carrier IQ sez: We're not sending any personal info to ourselves, we swearz!

http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/

[Yegolev]

This would be a lot more believable if there wasn't a ton of money to be made with the ignored data.

[NiX]

May be in iOS too:

http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

They updated the article and it sounds like Apple only has it there for debugging and it doesn't pull the same amount of information.

[Sand]

CarrierIQ and most of the carriers responded today about the concerns.
http://www.huffingtonpost.com/2011/12/01/carrier-iq-verizon-apple-google-microsoft-att_n_1124779.html#s513545&title=Sprint

Problem is we already know, based on their responses, that some of them are blatantly lying.

For example Sprint says:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint. [...] Carrier IQ is an integral part of the Sprint service.

When we already know, for a fact, that Sprint provides a web based browser program that allows members of the law enforcement community to log in at any time and find the location of any active Sprint customer. They can do this without a warrant.
http://www.wired.com/threatlevel/2009/12/gps-data/

[bhodi]

The example you cite is faulty.

They said they don't offer a feed of "messages, photos, vidoes, etc." basically, phone contents, to anyone outside of sprint.

This may be true, while simultaneously offering the GPS coords of the phone itself. That isn't really lying.


Of course, they really should not be collecting that information in the first place, but I still felt the need to correct. We don't need hyperbole when the truth is plenty horrifying.

[KallDrexx]

When we already know, for a fact, that Sprint provides a web based browser program that allows members of the law enforcement community to log in at any time and find the location of any active Sprint customer. They can do this without a warrant.
http://www.wired.com/threatlevel/2009/12/gps-data/

They don't need CarrierIQ to get your GPS data.  They can get your position at any time using their own broadcast towers.  Also I'm pretty sure all carriers are legally supposed to be able to give GPS coords to law enforcement for 911 emergency circumstances.

[KallDrexx]

From Engadget

Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (includes geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exerting caution when installing applications should keep users on their toes until fixes arrive.

*edit* Source was this Ars Technica article

[Quinton]

From the paper:

The reference implementations from Google (i.e., the Nexus One and Nexus S) are rather clean and free from capability leaks, with only a single minor explicit leak (marked as 2 in Table 3) due to an app com.svox.pico. This app defines a receiver, which can be tricked to remove another app, com.svox.langpack.installer by any other third-party app.2

Looks like the stock system might be able to be fooled into removing apps via this one.  Definitely needs fixing, but not exactly the end of times.

The paper has a nice chart of the specific issues they identified, which devices were impacted, etc.

Interesting research and a nice writeup about their analysis techniques.

[apocrypha]

Carrier IQ's VP of marketing has given an interview to The Register including lots of technical information that's been checked out by an Android security researcher, which seems to show that the data being collected is debugging information that's dropped again almost immediately and not sent anywhere except in case of a bug or software failure.

I don't know enough about the technical side of this to draw my own conclusions but I have a lot of respect for The Register with things of this nature.

[Quinton]

Apart from the whether or not they retain or transmit stuff like keystroke data, they *really* should not inject it into the system logs where it can be scraped by other apps with the "read logs" permission.  OEMs have done this from time to time (typically a failure to disable debugging print chatter in the keyboard or touch drivers) as well.  This is the sort of thing that CTS (the Android Compatibility Test Suite) tries to catch, but is difficult to do automatically due to the variety of ways people can format this data.

[Engels]

New article on ArsTechnica on FBI use of IQ info

http://arstechnica.com/tech-policy/news/2011/12/fbi-using-carrier-iq-info-for-law-enforcement-purposes-refuses-to-release-records.ars

The FBI claims data gathered by Carrier IQ software is exempt from disclosure laws because it is located in an investigative file that was "compiled for law enforcement purposes" and "could reasonably be expected to interfere with enforcement proceedings."

A Carrier IQ spokesperson has denied the company provided any information to the FBI, according to a report in VentureBeat. However, Carrier IQ data is provided to wireless carriers, so the FBI could have received the data in question from another source.

[Sand]

Im shocked! Quite shocked! Completely and utterly shocked!

(no Im not really)