Oh well,
back to carrier pigeon for me then.
Seriously though, WTF!? Has anyone had a play with the iPhone to see if St. Jobs has snuck something similar on his gadget? Wouldn't be surprised (sadly) after the 'consolidated.db' fuss.
An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ …
The article says that while it was demonstrated on an Android handset, software from the same company with similar functionality is present on Blackberry and Nokia handsets too. Parent asks, not unreasonably, whether anyone has checked whether it is also on another rather popular phone model.
This is software that the phone companies add to phones on their network. Probably in the phone software, but it might even live in the SIM card?
The only customer testimonial on their website is from a 'Tier 1 Carrier' saying how much money they save with this monitoring software that 'can drill down to individual users' and provide detailed network traffic data. They use it to decide where and how to provide more capacity and quality of service where it is needed, apparently.
The issue is that, effectively, each carrier has a monopoly on phones that work on their network. I'm sure this would have come up before had we been forced to purchase laptops / PCs from our ISP. Since phones these days use software defined radios, my guess is that the difference between an iPhone 4 for one carrier and an iPhone 4 for another carrier is a simple reprogramming of an FPGA chip so that it speaks a particular carrier's transmission protocol. Really quite ridiculous that the carriers are allowed to control the cell phone market as they do.
Ahh yes, the redoubtable IP over Avian Carrier (IPoAC, rfc1149). Although I'd probably opt for IP over Avian Carriers with Quality of Service (RFC2549).
Its bandwidth is pretty impressive (how many 32GB micro-sd cards can you tape to the leg of a pigeon?) but its latency is a bit high for an MMORPG let alone an FPS.
Pretty typical fandroid response there - millions of Android phones potentially compromised and the first thing you can say is "ah, but the evil iPhone must be MUCH worse.."
Of course it must. Google is your best pal after all, I'm sure this is all just some misunderstanding... Just thank god you don't have one of those AWFUL iPhones eh..
I'd expect this to have been found a long time ago if it were present on iPhones, but it's taken a while to come to the fore on Android. However, since the article doesn't say this doesn't exist in iPhones, it's legitimate to wonder if it's been found not to exist or if it's not been tested. The commenter even gives a reason that we should wonder about it - it's not out of hatred, envy or anything! Asking that question is not an attack on Apple, and it's not a claim that Apple is better or worse than anyone else. Just grow up!
A very quick Google search returns a lot of results of "iphone packet sniffer" so I'd suggest that if it was possible for some developer or carrier to get some malicious software like this installed onto an iPhone, someone would have already found it and there would have been a lot more shouting and accusing going on by the Androiders.
As I understand it, the only way to get this level of reporting on an iPhone is to either be Apple, or to have jailbroken your phone and then installed some dodgy piece of homebrew.
The poster appeared antagonistic because of his statement that he "wouldn't be surprised (sadly) after the 'consolidated.db' fuss."
The consolidated.db was a file on iPhones that cached information for location services. It was synchronised to your computer via iTunes. Due to a bug in the first few iterations of iOS 4 it accumulated data indefinitely rather than merely caching recent data. As a result, if a malicious user had access to your computer then he could extract a history of your movements going back to whenever you started using iOS 4.
That information wasn't collected for any purpose and it wasn't forwarded to anyone. In other words, it's completely unlike the application in this story, the offensive part of which is that it's deliberately collecting data and forwarding it.
So to say "I wouldn't be surprised if Apple have taken a deliberate conscious decision to monitor how its customers use their phones because, you know, they made a coding error once" is so nonsensical that it could be construed as deliberate flame bait.
Probably it's just that if you don't use an iPhone then you wouldn't pay that much attention to the specifics of any particular bug — the original author was correctly aware that the iPhone had previously made it possible for third parties to monitor users in some way and had incorrectly assumed malice.
Actually, he said I'm going back to carrier pigeons so quite clearly he finds it pretty abhorrent, and merely wondered what Apple had snuck in. To be honest, I don't blame him for wondering.
Either way, the referring to anyone as a Fandroid really doesn't come across as a very neutral ... if you were attempting to go for the moral high ground of course.
Of course though, who fsking cares. It's a phone. I got bored of iPhone jabber from friends years ago, and now Android is growing quickly, now I have to endure endless shlong waggling about what is best. I tend to buy Android phones, though not exclusively... I buy what I like and fits my needs. I really don't care about anyone else.
Some serious egg on face from the Apple crowd here today.
Their holier than thou approach has turned sour as it transpires every single iPhone ever made (with the possible exception of the original iPhone) has Carrier IQ built right in as standard regardless of which network you bought your phone from, or which country you live in:
iOS 3: /usr/bin/IQAgent
iOS 4 and 5: /usr/bin/awd_ice2 or /usr/bin/awd_ice3
This is clearly much worse than the situation where SOME Android/Blackberry/Nokia/WebOS phones had it....
That said however, the whole thing is yet another storm in a teacup... But it makes me laugh when iPhone "protectors" are made to look like total retards yet again.
Good thing you waited for the story to play out before getting on your shiny bandwagon. Egg on face? From that article:
"Update: chpwn notes that initial research indicated that Carrier IQ's software may only be active when the iPhone is in diagnostic mode. In a blog post, chpwn confirms that, based on his initial testing, Apple has added some form of Carrier IQ software to all versions of iOS, including iOS 5. However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else. We'll let you know when more details arise."
Which do you think is worse now?
Oh come on you can't blame Android for its phones needing a four core processor to work properly.
Obviously the problem is they have all this spyware working in the background, that's why people find they work a lot faster after being flashed with a custom ROM.
Sucks if you don't custom ROM it though, but that's the users' own fault for being dumb.
What a petty, arrogant little tech-snob you are? People want a phone, they would like it to work properly and they do not have time to take a 6 month course in Unix just to be able to make a few phone calls, send a few SMS and sling a few birdies around the screen when killing time.
Perhaps we should get some people in to laugh at you as you most likely cannot crochet an intricate lace doily, plan and cook a 6 course meal for 30 people or play Chopin to concert standard, because "it's your fault for being so dumb"!
But that's what's expected with Android isn't it? I don't really know, just read the comments around here.
Reminds me a bit of that old joke:
Linux Air
Disgruntled employees of all the other OS airlines decide to start their own airline. They build the planes, ticket counters, and pave the runways themselves. They charge a small fee to cover the cost of printing the ticket, but you can also download and print the ticket yourself.
When you board the plane, you are given a seat, four bolts, a wrench and a copy of the seat-HOWTO.html. Once settled, the fully adjustable seat is very comfortable, the plane leaves and arrives on time without a single problem, the in-flight meal is wonderful. You try to tell customers of the other airlines about the great trip, but all they can say is, “You had to do what with the seat?”
Full list here: http://www.linuxscrew.com/2007/10/07/fun-linux-unix-windows-os-x-and-dos-airlines/
Nobody buys into astroturfing posts by MS "technical evangelists" any more, since James Plamondon, your first boss, did his mea culpa.
Your dated joke about an open-source airline merely means that you haven't seen, run or used a Linux distro since 2000. I find it interesting that the KDE4 desktop is so powerful, beautiful and easy to use that Win7 copied it from installation screen to desktop design. Imitation, the sincerest form of flattery.
But he is right. Best thing what happened to my HTC Desire was the Oxygen V2 Custom ROM and it's pretty easy to install. Ok, I've got some 20 years experience in Unix and some 30 with computers, but I used a prepackaged kit on Windows to install it with a few mouse clicks. I use computers because I'm lazy :)
Mine's the one with the key to the room with the big shelf with system 7 manuals.
If a custom ROM is not available for their particular phone model. I would love to add Cyanogen to my LG Optimus S but it is not available. There is a community-developed version but it appears to still be in Alpha and I am not willing to brick my phone because it is ALLEGED there is spyware installed by the carrier on it.
I am neither an iPhone nor an Android fan - I have a cheap mobile phone for calling & texting clients and friends, & that's all I give a shit about for a phone. I was merely musing on the general culture of Data-harvesting these days, that it seems to be endemic & increasingly invasive and surreptitious, regardless of platform. Jeez, what a jumpy bunch! (I'm sure this post will invite a few shots as well, so for those who feel the urge rising, may I suggest counting to 10?)
"Has anyone had a play with the iPhone to see if St. Jobs has snuck something similar on his gadget? Wouldn't be surprised (sadly) after the 'consolidated.db' fuss."
Firstly, just to get it out the way, as others have mentioned this is to do with carriers. Secondly, this is a very different kettle of fish to 'consolidated.db' - not saying that incident was brilliant but I think most would realistically say that this one is a heck of a lot more serious.
Anyhoo, in answer to your question, yes they have - see http://twitter.com/chpwn however, various people online have written up this research in a quite readable way. At the moment, it looks like very little information is being gathered on iOS - e.g. tower strength - and it looks like it ties in with Carrier IQ's statement. I know some will say, and it's a good point, that any information is an issue, but there's nothing like keylogging going on.
Also, with iOS, it appears that you can make sure *nothing* is sent to Carrier IQ - users need to go to Settings → General → About → Diagnostics & Usage and make sure "Send Automatically" is switched to off (if switched on, the device will send diagnostics & usage to Apple).
Incidentally, it's reported that the Google Nexus One, Nexus S, Galaxy Nexus, and the original Xoom don't have Carrier IQ installed - http://www.theverge.com/2011/12/1/2602313/google-nexus-android-phones-and-original-xoom-tablet-do-not-include
Thanks, already read up on the current discoveries - hard to avoid really! Interesting what's coming out after my first comment - also intrigued by the range of reactions to it!! If you read my second comment (about 4 above yours) I think you'll see that I don't care about device platform - a phone is a phone is a phone for me, a utilitarian thing that affords me a certain amount of convenience. That I thought out loud about the iPhone harbouring similar "features" was, in hindsight, always going to be bait to the faithful - nonetheless, it was a relevant musing that could relate to any communication device. The iconic iPhone was simply the first alternative that came to mind. Thanks for your efforts & the info - nice to see an enquiring, level-headed approach to the subject.
Is this even legal in the UK (or EU)? Surely this qualifies as interception under RIPA for starters, and it is clearly not with informed consent of the user. Maybe about time the rules made quite clear what exactly you can and can't bury 622 paragraphs down in T+Cs and still take a punt at claiming you have consent. Being spied on for gain should never, ever be a permissible condition of taking a service.
Perhaps the carriers would like to explain explicitly what uses they put the data to?
This would be very clearly illegal in my country (Finland), and I am pretty sure in most other EU countries as well. This is after all a place where even web tracking cookies are illegal in principle. But I wonder if the software even appears in Europe? I got the impression from some articles that this is something some carriers put on phones they supply in contracts, and would not be in handsets not from carriers. If so, it is the carriers that would take the heat.
It isn't on my HTC Sensation... But that is an unbranded version, so it could be either down to the carriers or it is a USA only thing.
Also, the idiot in the video doesn't seem to understand the difference between a packet sniffer (pulling data packets out of the network (wi-fi or ethernet)) and a USB-Debugging tool! If the phone was in Airplane Mode, there IS NO WAY that he could have sniffed the data, because the phone couldn't have sent any data!
Likewise the bozo complains about it giving the https address information from the browser, again, this is by design, it was in debug mode and gave out the URL to the debug stream, nothing sinister here... Now, if he had ACTUALLY sniffed the data packets and the data WAS being sent to Carrier IQ, that would be another matter entirely.
He just proved, that it was running and that it output gathered information over the USB port, when in Debug mode, which is what you would expect, but alas doesn't prove anything.
If this is anything like the Phorm case, you'll find that the EU says yes, this kind of interception is banned by the EU Directive on communication, but our government says that RIPA (which is partially based on the EU Directive on communication) doesn't apply, as it only applies to government organisations.
Personally, I agree with the EU (my understanding is that where our law conflicts with EU law, EU law is the more powerful), but our government appears happy to side with anyone who bungs it a couple of billion for a comms licence.
I also don't see why any software that is designed to monitor network quality needs to send anything back other than signal strength numbers, the time and duration of any significant spikes and drops in signal strength, number of calls dropped and the cell ID (not as a crafty way of tracking your location, more that if a Cell goes tits up, they need to know about it).
If this is proven true, then it's very serious, not least because of the scale of it. If that is the case, it's time for a massive class action to utterly destroy their company and send a clear warning to others. A line has to be drawn against companies behaving like this, because their kind are not going to stop pushing for ever more detailed spying without people standing up to them and saying no more. A limit has to be created somewhere!?!
While I agree with your post, remember that someone paid this company to develop this app. It is the phone companies that need to be targeted in any class action and frankly they're too big to be properly punished.
It will be oops, our bad, some low level exec has been punished and everyone affected gets a free sms in compensation.
"impressed that no one has mentioned big brother yet."
Sadly we've been under BB for a long time now, it's almost pathetic how impotent we are about it these days.
I recently went to sign up for a contract phone and I was handed a form to sign that simply had a box to tick and the words, "I hereby agree I have read the T&Cs.". I hadn't seen the T&Cs nor been offered them and I bet if I had asked the assistant would have commenced with lots of huffing and puffing while her potential sales commission targets wandered in and out of the shop, waiting for me to read the full T&C doc.
Just a small example of how we are all being treated like mindless sheeple and expected to simply follow along and "not worry our fluffy little heads" about the nasty things like legal agreements. Just sign your life away, you'll never have to worry about it. If you decided to start causing trouble with the agreements we'll make it so damn difficult and expensive that your grandchildren will still be paying for your impudence in attempting to question your betters!
Having a look around at the wonderful XDA resource, I came across this which explains what it is, what it does and how to find if you have it. Search further and there are ways to remove it.
I certainly would not want this on my phone...
http://forum.xda-developers.com/showpost.php?p=11763089
From that article: "Carrier IQ is a software package buried deep within Android by Samsung at the behest of Sprint"
But the video shows HTC, so presumably they got the same "behest". Does this only apply to Sprint?
My friend's HTC Sensation on T-Mobile (UK) doesn't appear to be running the service nor contain the IQ libraries listed.
Carrier IQ may sell a version for Nokia that some operators may install on the phones you get with a contract, but that is not the same as Nokia using it.
When I worked for them Nokia had something similar, but it didn't hide itself. Company employees (non developers) who signed up for their internal 'True Test' program (beta testing new phones and software) were sometimes asked to install the monitoring suite and it was sometimes included in beta releases of Symbian, but it didn't do key logging and you could always open the app and check to see if it was active or when it last sent any results back, and you could easily uninstall it. It monitored Apps running v power consumption as well as some statistics for the radios. It was never on production releases of phones.
I think it unlikely that they also had a sinister black helicopter version and actually managed to keep its secret. I'm fairly certain that if they tried they would have had loads of outraged devs on the internal message boards.
If you're willing to spend a few years or decades? of your own time developing one without getting paid - ever - and detail all the hardware designs and implementations. Go ahead make one.
I'll wait till someone stupid/benevolent enough to do this and grab one for free (as in beer). Still probably prefer the Jesus phone for its aesthetic design unless you're able to find a designer who's also willing to spend a few years of their time doing nothing but that.
Though be careful not to starve yourselves.
but not why it's installed and turned on.
If I've got an issue, then I'm happy for my phone to dump everything to a log to enable debugging - but I want a nice icon to indicate it's running, another one to turn it on and off, one to review what it wants to send and finally a 'send' button.
Article doesn't touch on it, but looking at the path, is this something HTC have put on every phone?
> is this something HTC have put on every phone?
Certainly not *every* phone; I've just checked my Desire, and it's not there.
But HTC are to be condemned for putting it on *any* phone. This sort of thing is decidedly unethical, and illegal in many jurisdictions (and I really hope they get caught in one).
Vic.
Can you point me to where "conclusive proof that millions of smartphones" is shown (in text)? Would that be the "stock EVO handset" bit, and then HTC or the wireless companies, or both, that will be going up the river? Just HTC phones or more than that?
Cripes, Murdoch just caught a break...
Any idea how much that info is worth to companies? Probably enough to buy yourself a small country somewhere south of the equator!
The phone company takes the hit on that data, you don't have worry about it. The phone company and IQ then split the dirty money between them by selling you and your info down the Swanee!
Daniel, with the utmost respect, are you a software engineer perchance?
The question was why are they snooping on sessions that are intended to be, and thought to be secure. Never mind the privacy concerns, this is a gaping hole in the security structure.
It was not a question of how are they able to bypass HTTPS, for which you have provided a reasonable answer, in that they access it from the "safe" side, in the clear.
It isn't a gaping hole. I intercept SSL daily at work. It's called "man in the middle". All our employees are made aware and sign the AUP of the business. Our webfilter/firewall has trusted CERTS and scans SSL before bridging back. This is fairly seamless to the end user and perfectly legal.
This is doing the same:
action -> carrier IQ -> SSL -> network.
What isn't explained is how carrierIQ -> network (plain text?) with SSL traffic. I guess carrierIQ don't know/care if it is SSL - it logs everything....
We're onto a wider question now, and although you trust your servers, they still have access to all my bank logins, and the entire session, should I choose to check an account whilst at work - and on a "line" that I thought secure from my PC to the bank server.
This gives you access to information that is beyond what I would consider reasonable for an employer. Many people use a work PC to check domestic things, well within the fair use requirements, and with an assumption of trust.
Your firm's approach greatly increases the circle of trust, unnecessarily, which I would call a "hole".
This makes your systems a richer target for criminal infiltration, knowing there are any number of instant man-in-the-middle attacks available. Or, alternatively, a configurable scrape of HTTPS sessions with passwords etc.
Would it not be impossible to exempt HTTPS sessions to a certain whitelist of addresses? -and even if so, it wouldn't protect me from a corrupt instance of "you", would it?
HTC really do want to steal your data don't they!
http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
No wonder my Desire kept overheating. It was all the bloody key loggers hard at work :-(
Come on reg, this is not proof and the guy is clearly lacking some chops here. Yes it's doing some analysis but at no point is he confirming what/what isn't sent back. He's just blathering on and on about syslog output which means very little - someone's stuck debug call in a keypress handler, that says nothing about the metrics they gather.
The Siri hack was how this sort of thing should be done (knobble it via proxy and dump content), this proves nothing but is just a load of half baked arm waving. There isn't even a tcpdump in case the stats submission is unencrypted...
He also refers to this as a rootkit which it categorically isn't.
No idea why someone has downvoted you as I completely agree with your comments. At no point in the video does he show the data being transmitted anywhere off the phone. Some posted above asked who is paying for the data transmission - the answer being, until proved otherwise, no-one because no data is being transmitted.
And as to his ludicrous question as to how come it's recording "data over HTTPS", he obviously has absolutely no clue as to what HTTPS is and what it encrypts (hint: this is logging keystrokes, not data transmissions).
There are significant concerns about this app, the fact that it's installed, running, hidden, and hard to disable, but those concerns really ought to be raised by someone more qualified than this guy.
"Some posted above asked who is paying for the data transmission - the answer being, until proved otherwise, no-one because no data is being transmitted."
Err... read the quote from Mr Coward:
“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”
I'd say that means data IS being transmitted. Small doses, but, definitely transmitted.
> hint: this is logging keystrokes, not data transmissions
No, you missed a bit.
Whilst it *is* logging keystrokes, it's *also* logging net activity - it captures the entire URL from his browser GET, despite that being an HTTPS GET (very naughty).
Then, if I understood correctly[1], it proceeds to make a cleartext transmission to the CarrierIQ server including the whole URL from above (which could very easily contain data that is supposed to be encrypted).
Vic.
[1] I might have this slightly wrong; I was making the tea at the time. I'll go have another look in a bit - once I can summon up the courage to face another 17 mins of that drawl...
> it proceeds to make a cleartext transmission to the CarrierIQ server
This bit isn't clear, actually.
It occurs approx 15:40 into the video. We see the URL being sent to the CarrierIQ application. We don't actually see it being transmitted to CarrierIQ servers.
The voice-over is a little misleading at that point, which might explain why I read into it a little more than is there.
So what we're left with is a spyware app which logs all URLs (including HTTPS) and might or might not do anything with that data...
Vic.
You can't have it both ways you know... El Reg goes into iphone rumour meltdown for a month before every new phone launch, gets rather tiresome to be honest. Multiple iphone stories a day isn't uncommon.
If you feed the rumour mill for free product promotion, you can't complain if the wheels keep spinning when your product does something daft.
...here's what CarrierIQ says about what their software does:
- "Zero-delay" data capture.
- View application and device feature usage, such as camera, music, messaging, browser and TV
- "Task" phones dynamically over the air
Also, from screenshots in these materials, you can see that this data is available to their customers on a per-device level (IMEI displayed in software) and includes details such as date, time and duration of voice calls, IP sessions and SMS messages.
All without the user knowing a thing about it, and having no opt-out.
Nice.
I've got an HTC device on Vodafone's network. I'm thinking of moving to O2 anyway as the Vodafone network seems to have no coverage compared to my work phone on O2's network.
Anyway, I've now got to pick a new phone - is the iPhone safe from this virus? Is O2's network safe?
I certainly don't want an HTC anymore. Someone said Samsung have the same virus - Is this true?
Thank you.
Your post pretty much highlights the problem with this sort of reporting.
Many people will be a bit confused, and probably will go out and do pretty meaningless things like go and buy an iPhone "because android phones have a virus!!!".
So several answers:
1) It appears to be US-only. US carriers paid CarrierIQ so they could include CarrierIQ's spyware software in their phone ROM builds, supposedly to help debug customer problems.
1a) Therefore no UK networks, including O2 and Vodafone, are currently suspected.
2) It isn't in standard Android ROM builds, nor in standard manufacturer ROM builds by HTC, Samsung, LG or whoever.
3) The iPhone runs iOS which is jealously guarded by Apple (i.e. no operator variants are allowed) so it's very unlikely to have CarrierIQ's spyware.
4) Blackberries and some other phones may have it though.
5) Generally I wouldn't worry too much. CarrierIQ is toast, and I suspect that any plans to do anything similar now will be similarly scuppered. Buy what phone you like.
Dear Reporter, Be very careful to understand before you publish.
What you are looking at here is NOT a "log" or a record of transmissions but actually a debug print of hooks, that COULD but are NOT (yet) proven to be logged or transmitted. What this does show is that the information is being fed into the CIQ software but not that it is being used in any way shape or form. This means the app has unfettered access to snoop; whether or not it is snooping is another question.
It's all very Phorm-like, I'm sure we will see more on this.
.. Mr Coward confirmed in his statement that this *IS* transferring all these data: he merely denied that this was done in 'real time' but is done in 'small doses' - i.e. batches. I'm guessing because it can't guarantee a data connection all the time.
At least they have all those bank account details so they can fund their legal defence ..
BTW - how can you tell whether your phone is running this, given that it "[bypasses] typical operating-system functions"?
IF this is true, almost no other story on the Register matters.
It would mean huge number of the mobile devices in the US have been utterly hopelessly compromised by malware (if they weren't already).
If so... Quibbling over SSL certificate forgery is pointless. And worrying about password security doesn't matter any more. Mobile device security (which was already questionable) has been comprehensively subverted, that's how bad it is.
It deserves to be top story. And yet, I suspect it will get no MSM coverage at all.
Oh noes, my computer has SNMP instrumentation, THEY ARE SPIYAN - PANIC ATTACK (but don't forget to bump this Flatter button first!)
Seriously though, how about some data? If this were "active" in more ways than calling the tracing and debugging functionality, ceaselessly dumping stuff over the airnet (unencrypted? what?) I imagine _someone_ would have noticed.
Thank you - I was going to say just that.
I can see the value of a debugging application that had a copy of all keystrokes before they were given to the foreground application. The real question is what happens with that data ?
* Everything uploaded to somewhere occasionally. That would be very bad. Get all my ''secret data'' eg: passwords, bank account info, etc.
* If an application crashes and I am asked if I want to submit debug data. Kind of OK if 'no' really means NO except that it would also send secret data and most people would not think of saying no if they have entered secret data into the crashed app. Also: will it send just keystrokes for the failed app or everything that it has ?
* Data thrown away when an app terminates, the phone restarted, ...
* Who gets to see this uploaded data ? Developers, marketeers, google, CIA ?
* Where does this data go ? I would expect a lot of even non secret data to contain personal information (ref: data protection act). Exporting it out of the EU could be illegal.
We need much more information.
Who cares if it's an iDroid, Symdows or PalmRIM.
It's a ****ing smartphone.
You don't have to defend it like your daughter's virginity!
Did you buy the phone to join that particular "Gang"?
Then you really REALLY need a life.
I bought mine to make calls, listen to music and surf the web.
My last phone was Symbian, current phone is Android, next may well be Apple or Windows.
Just because you bought a particular "brand" doesn't mean you have to defend it against all comers, doesn't make you a "superior being", and definitely has no effect on the size of your Member or your attractiveness to the opposite sex.
STOP BELIEVING WHAT THE MARKETING PEOPLE ARE TELLING YOU! THEY ARE ALL LIARS!
It does not matter what OS my phone is running on, if it's logging keystrokes and URLs and sending them back without my knowledge and express, specific permission, then I'm going to be mighty annoyed.
I'm also going to blame the carrier, and not the OS or phone model - it's the carrier who chooses which phones to sell and what 'custom' rubbish to put on them. (Vodafone Live drove me potty because I couldn't kill it. I don't have a Vodafone anymore.)
People do important, secret stuff on their smartphones, and employees with corporate smartphones often have company secrets on them.
Even a simple 'call list' is spying - one of the things the News Of The World was accused of is using call logs to infer scandals.
My god, I can't believe I actually watched the whole 17 minutes, listening to the most boring, monotonous voice imaginable!
Perhaps I could just point out a couple of things:
1 - when he showed the app properties it said data storage was zero - it can hardly be saving any keypresses, location details, text messages etc in zero bytes?
2 - absolutely NOTHING he is moaning about actually happened UNTIL he turned on 'USB debugging' - this guy has obviously never written any computer program, or tried to determine why some embedded hardware doesn't work as expected, to attempt to fix it you would turn on debugging, log keypresses, log what routines of what programs are run etc etc.
I do not see a problem here, except in the guy's head.
1 - It depends where the app is storing its data. I believe the memory usage in the settings screen shown just indicates memory used by the application in its "authorised" storage area. It could look to see if an SD card is available and store it there in which case it wouldn't show up on that screen.
Eventually it must either send it to dev/null or transmit it off the device.
Somebody has paid good money to put this application on some phones.
So if it doesn't transmit (at least some of) the keylog eventually (in bursts, as they have already admitted), then why would anyone buy the application?
Oh well, shouldn't be too hard to track down where the spy cripplecrapware is hiding, since Android is officially open source copy left software!
Thus, one should by rights, get the complete source code listing from the phone makers and easily recompile, minus the spy crippleware back door code and turning off the update on the fly cycle too!!!!!!
As for Pwn2Own in Vancouver, in 2012, this could make for a possible backdoor open hack, to get oneself a nice brand new Smartphone?
As it stands, Smartphones are truly dumb!
According to a conspiracy youtube video, Carrier IQ spy crippleware has been deployed to well in excess of 140 million smart phones. Now Gartner said by April 2011, world wide sales of smart phones was 468 million units, a 57% increase on 2010 sales figures, so I would say 140 million claimed on youtube video is a very conservative number, lol!
But then again, how soon we forget, how easy it was, for the mainland Chinese Central Spy Agency hackers, to break into and compromise Gmail accounts of many US Government Agencies, by the very same back door crafted by the foolish fools at NSA, when it went viral, on June 1st, 2011!
My question.. is it the Carriers or Homeland Security (through the carriers of course) who have asked for this rootkit to be installed? Seems like they would be the primary benefactor even more so than the carriers... capturing of all data including the content of text messages and the details of what's inside an SSL connection.
Just found this press release from the offending (offensive?) company in question. Take from it what you will when presented with the evidence from the video in the Reg article. I make no opinion either way.
http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf
..because CarrierIQ or equivalent spyware will then be embedded so deeply that you can't remove it without failing the "secure" authentication. That's if you're even allowed to run anything except Microsoft Bloatware version 9 (with future versions requiring a new motherboard).
Who me, cynical?
---------------------------------------
Carrier IQ solutions combine device-resident software and server-side business analytics applications to provide actionable intelligence on end-user customer experience, performance and service quality. The embedded device agents are currently shipped on more than 75 million devices across numerous device manufacturers and models. The solutions can be deployed across multiple wireless technologies such as CDMA2000, GSM, UMTS/WCDMA, WiFi, and device types such as feature phones, smart phones, PDAs, data cards.
------------------------------------------
http://www.carrieriq.com/company/careers.htm
They are also looking for someone with:
"Experience with PPP/serial logging and sniffing tools like Wireshark"
Sounds innocent enough.........
so it will be spread across multiple platforms.
http://www.carrieriq.com/overview/mobileservice/index.htm
It lets carriers data-mine the behaviour of every device it is running on.
If Sprint have decided to deploy it, you can bet they will be deploying it across all handsets that they sell to the consumer. If CarrierIQ have a set of iPhone libraries for it, then Sprint will also have deployed it on their iPhones. I have yet to find a list of supported platforms on their site yet, though (not that I've actually looked that hard).
It is not a virus, or malware, it is a commercial product, and the decision to deploy is done by the carrier.
This is why I buy my phones direct rather than get a subsidised handset; you cannot know what the carrier has or has not installed on your handset for their own purposes. Subsidised handsets are so much of a false economy it is not even funny any more :'(
If the carriers want to be able to plan for and provide appropriate amounts of bandwidth, now and in the future, they need to understand how users use their phones to create a model of current usage.
Yes, I realize the CIQ app goes much further than this by actually recording content, but perhaps it's merely a case of their thinking that "more info is better"?
That doesn't excuse the sneaky way the app is installed, or the lack of information from the carriers, and especially not CIQ's hamfisted tactics against the guy who shone the light on their handy little tool, but there's just a slight possibility that we're not dealing with malice here, but only a stunning level of organizational incompetence and/or misunderstanding of how users feel about their personal communications.
Given their tactics, why bother cutting them any slack? Someone says something about their work that they don't like the flavour of, and the response is 'go corporate' and deploy the brass knuckles. And the carriers are suspiciously (guiltily?) quiet. If the world ends up short of one data 'gathering' company because they can't work out that deploying controversial software in a febrile environment is a bad idea, who cares? If they're that dumb, I don't think it's a big loss.
One thing that's become very clear in the commercial assault on privacy is that trusting businesses and handing them the benefit of the doubt rarely leads to an open and satisfactory explanation. It's far more likely to encourage them to continue stonewalling - and in the UK of course, like as not they'd get government support in doing so.
When they play fair, maybe we will.
REALLY!! ok I see hackers getting the info. But who in their right minds think that the GoVERNMENT will not abuse spying on citizens whether by court warrant or just to keep track on anyone who may disagree with them. It has been proven time and time again to be the case and even as far as to spray pathogens to see how modern life...the trains, subways etc. can spread biological or chemical substances. We have a fundamental right to privacy.. And those greedy corporations and the DMV who spy on us and sell our private information should be stopped from doing so and fined and the company executives put in jail for 10 years without parole and forced to pay restitution to the customers which they made their millions off of. Hackers publish their names, addresses, family members names and license numbers and everything they do. Let them see how they like everyone knowing their business...
#1 my iPhone occasionally complains about the cellular data not being available - I am cheap and did not sign up for a data plan, WIFI suffices, thank you very much.
Wondering... could it be that something similar is going here, with call-home snooperware trying to connect?
See.... I consider it quite possible that my shiny has this problem too.
But...
#2 far as this article states, _this_ here is not an iPhone issue. Now, from the fanbois on both sides, I can understand "mature" behavior like
"hah! an Android bug. iPhones are so much better".
Or
"heh, heh, silly iTards have problems, Android rocks"
But, it is surely stretching the stupidity level quite a bit to say something like
"hah! a problem on Android means iPhones suck".
Or the reverse
"iPhone bug => Androids suck".
Get a f'ing life, folks. a phone is a phone is a phone. This is a programmer forum, can't do any better than "my shiny is better than your shiny"?
Sorry if I offended any 'tards by the above. It was fully intentional.
My phone is configured to fetch mail every 15 minutes and this "cellular data not available" message doesn't appear with any regularity. Certainly not every 15 minutes. It also tends to appear as I am using the phone, not when it is idle.
And, yes, I have turned 3G off in settings - this message annoys me, so I tried my best to get rid of it. I could try to turn off push email for a while, see if that makes a difference.
While Mr. Eckhart's investigation is an important beginning to the conversation, it does not prove quite what it might seem to from this article.
The Register's article claims that Eckhart was using a "packet sniffer" to read what Carrier IQ's software was logging/sending, but that's not true.
He was using a USB debugger to view the EVENTS that Carrier IQ's software was receiving/processing from the OS.
What's been shown thus far is only that Carrier IQ's software has ACCESS to this personal information. It has NOT been shown that:
+ personal information is stored
+ personal information is transmitted to an outside party
+ personal information is used in any way
So far, Carrier IQ's statements about their software *may* still be true, if they are appropriately censoring personal data provided to their application through these events. Until we see what the application actually stores/sends, we won't know for sure.
That being said, I'm relieved that it's not on my phone, and I look forward to further investigation.
Once you know the truth, that smartphones are designed to sap and impurify your precious bodily fluids, you just can't submit to having one. It's the secret policeman in your pocket. It only takes a room temperature IQ to figure out that they're using it to spy on you, I mean, duh. How obvious does it have to get?
Everyone on this thread is in a panic because of ONE video. Where is the independent confirmation by unrelated researchers? If someone has an ax to grind, they can easily produce a video and watch all the sheep go off on a tilt based on it. It does not matter if it is factual or not, as long as it is plausible and looks good on video, huge numbers of people will believe it.
It may well be correct, but until I see multiple instances of totally independent confirmation, I will remain skeptical of the conclusion Carrier IQ is actually logging all my keystrokes and net activity.
If it IS independently confirmed, I will happily join a class action suit aimed at putting everyone involved in this monster invasion of privacy out of business and behind bars.
http://infectedrom.com/content.php/154-HTCs-User-Behavior-Logging
VirusROM found this back in August and anyone using VirusROM on their phones have this blocked. From what I read it is also a Sense only issue, so AOSP etc do not have the CIQ Logger on.
Go VirusROM!
Hummm, not convinced, I've had non-droid phones tracked as well as my Nokia sending real time location updates, until I reconfigured it, because someone in the Police has a grudge against my brother, whom I've not seen in years. The 'security-services' love having the ability to track people without any oversight, and with the ongoing mission creep I'm not surprised...
They don't need an app to track your phone, they can do it based on the network cell you are using. In cities the cells are smaller and thus the location is more precise. With a little bit of additional kit in the network they can have a good go at triangulating your position in the cell as well. This is totally independent of the phone manufacturer.
As for the Nokia sending real time location updates, you probably signed up for it through one of the many apps that do that now. Not very black helicopter if you can turn it off easily. The main users of this tech are not the government, it's the advertisers.
I feel so strongly about this invasion! How is this different from someone breaking into my house and snooping through my drawers? I think we should all get together and hire a lawyer and play the corporate game of busted now you pay up. I think jail time is also due here. Why is it that white collar crime is not treated the same as a burglar, etc?