back to article BUSTED TWO: Carrier IQ monitor-ware on iPhones too?

Blogger and iPhone hacker Chpwn believes that the controversial Carrier IQ software isn’t confined to Android devices. In this blog post, he says a look at the /usr/bin folder reveals Carrier IQ’s agent software, identified as IQAgent in iOS 3, and either awd_ice2 or awd_ice3 on iOS 4 or iOS 5 devices. At this point, Chpwn …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      Were you when Android was found using it?

    2. Anonymous Coward
      Anonymous Coward

      Why? This is how a diagnostic tool should behave, not acting like a rootkit and capturing everything you do on the phone.

      Carrier IQ would be in no trouble if they had done the same on Android as they did on iOS.

      Maybe they tried, but Apple just wouldn't have it?

  2. Anonymous Coward
    Anonymous Coward

    just wondering..... why the hell are cooperate entities interested where we go and what we look at? Advertisement? Aren't they spending way too much on advertisement instead of improving their products?

    any way.... why the hell is this legal? even if it is included in the "privacy agreement/policy", that is not enough. The user need to be told to his/her face that this will be done so that they can make an informed decision.

    1. GeorgeTuk
      Coat

      I wish all the entities I deal with would co-operate.

      Sorry!

      1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Had a look at the diagnostic logs on mine (iOS)

      And there's no record of where I went or what I looked at.

      Just how many SMSs I sent, how many calls I made (not to whom), how the battery performed and some radio power parameters.

      Hardly shocking stuff. As a developer myself I expect they would need this sort of information to figure out any problems, but I can turn it off if that's still not ok.

  3. Anonymous Coward
    Anonymous Coward

    Check the settings

    You can see the data sent from the iPhone by going to

    Settings > General > About > Diagnostics & Usage > Diagnostics & Usage Data

    And you can switch it off by selecting the Don't Sen option.

    1. Anonymous Coward
      Anonymous Coward

      ok

      but at this stage, a user might not be sure whether they can trust the user-settable options to actually do what they seem to offer.

    2. Anonymous Coward
      Anonymous Coward

      @AC

      I would have expected an opt-in instead of an opt-out to be honest....

      1. Matt D
        Go

        Opt-in

        IIRC you are asked when setting up your phone if you want to opt-in to sending diagnostics.

  4. Geoff Campbell
    Black Helicopters

    Bwhahahahahahahahaha!!

    Cyanogenmod on a Samsung is looking better and better.

    GJC

  5. James 51

    I saw one twitter post that claimed the only phones which did not have the software installed were running WP7 and Maemo but some carrier specific N9 firmwares did. Is there anyware to confirm this?

    1. Shaun 1

      "Even voor alle duidelijkheid: Nokia installeert GEEN CarrierIQ op haar producten"

      Translation: "Just to make this clear: Nokia installs NO carrierIQ on it's products"

      https://twitter.com/#!/jurthys/status/141856513542205440

      1. Anonymous Coward
        Anonymous Coward

        @Shaun

        Don't they all deny it?

        Hardly think a tweet from the "Communications Manager, connecting Nokia and people in Benelux. " is enough to prove anything regarding CarrierIQ on Nokias...

        First rule of twitter is don't believe everything you read on twitter...

      2. Anonymous Coward
        Anonymous Coward

        Schtop

        This spyware is not ready yet!

      3. Tom 13

        And even if you DO believe the Nokia rep,

        that doesn't mean the company selling Nokia's doesn't install it after the fact.

        1. Dan 55 Silver badge

          Nokia have confirmed that they don't use Carrier IQ, but...

          However I'd like to know what Nokia Analytics Collector in the Symbian Anna update 2/2 does. They haven't exactly gone out on a limb to explain that.

    2. Paul Shirley

      Sony Ericsson appears to honour the opt-out

      Haven't worked out who supplied the QC monitor on my SE Android phone but it does seem to be honouring my 'send anonymous usage stats' opt-out. No sign it's running at all. I don't normally trust anything with Sony in the name but the Ericsson guys seem to actually have a clue about doing things right.

      Might just go ahead and delete it anyway, a bit more free space to move apps into ;)

    3. Vic

      > I saw one twitter post that claimed the only phones which did not have the

      > software installed were running WP7 and Maemo

      That post was incorrect. It was posted by someone who did not know the extent of the problem.

      Strange, that - someone on the Internet posting bollocks...

      Vic.

  6. TonyHoyle

    From what I've read it's only carrier branded phones and only in the US - there are (AFAIK) no reports of european phones with it installed.

    Also not nexus phones - because they're not carrier modified.

    TBH though it's all a storm in a teacup - it's never been demonstrated that this software logs anything significant.. a debug log is not sufficient evidence - show the tcpdump output with it actually sending data it shouldn't.

    1. Anonymous Coward
      Anonymous Coward

      I think the storm is mostly because this was deeply installed and hidden, with no way to turn it off on the Androids that have it.

      Then Carrier IQ didn't help themselves by not coming forward clearly.

      1. alun phillips
        Facepalm

        Change your ROM

        Metavisor, there is a way to remove carrier IQ, and all the other sh*T your carrier has foisted upon you ROOT and clean 'em out yourself or install a custom ROM. SImples!

    2. The Fuzzy Wotnot
      FAIL

      A great man once said, "The price of freedom is eternal vigilance!"

      "it's never been demonstrated that this software logs anything significant"

      Granted that's true but can you, for a second, imagine how much all that sort of diag type info would be worth to marketing companies? Imagine the millions of people walking about with mobiles in just the US alone, all giving just a enough info to allow targetted advertising to be a worthwhile reality? Sickening is what that thought is. However I can imagine a few marketing execs wetting their seats at the prospect of the huge pay-day that sort of info could fetch!

      That's why it needs to come out, so others don't get ideas about collecting our data without letting us know first, this sort of shitty "app" needs destroying BEFORE people get any more stupid ideas.

    3. Gordon 10 Silver badge
      FAIL

      Let me correct that for you.

      If iOS contains it then its not just limited to carriers - no carrier can meddle with iOS.

      For Nexus see above. Until each Nexus manufacturer or Google confirm it we cannot be sure no Nexii have it.

      Its not a storm in a teacup. Its Never been demonstrated that the data is Transmitted, until this is confirmed or denied we dont know if this is a squall in a thimble or a hurricane in Soup Tureen.

    4. Tom 13

      Let me fix that for you:

      "...it's never been demonstrated that this software logs anything significant on an iPhone..."

      It has been demonstrated to log all keystrokes via SSL connections on Android. If that isn't significant, I don't know what is. And the caution here is that yesterday the Mactards were saying it wasn't on the iPhone at all. Today the investigator says it is there, but he hasn't located anything problematic. Apparently he hasn't looked extensively at the installation yet, so a deeper inspection might find something which has been obfuscated. Note that I'm not blaming Apple if there is, just as I don't blame Google for the Android problem. This problem belongs squarely with the carriers who install the software and don't tell punters what they are doing.

    5. Kirbini
      FAIL

      Maybe you should read the original piece?

      In which there'a video of the guy using tcpdump (what a shock!) live capture which shows his phone uploading every digit press on the phone pad, every query to google, even the HTTPS encrypted ones and even every incoming text message.

      Is that enough evidence for you or are you just trolling?

      1. Anonymous Coward
        Anonymous Coward

        Do you know what *tcpdump* is? Because that guy WAS NOT using tcpdump but just adb logcat. It means that there is still no proof that your HTTPS URLs are actually sent anywhere.

      2. Wile E. Veteran
        FAIL

        Where is the independent confirmation? (Again)

        Where is the independent confirmation CIQ is recording personal data? ANYBODY can make an edited video and post it on the net. I would think by now Reg readers would have the sophistication to understand seeing is NOT believing because videos and photographs can be Photoshopped or edited to make anything appear to be happening. How many "Internet videos" have the Mythbusters debunked, for example?

        Without INDEPENDENT duplication of the results, preferably by another method. It is just a tempest in a teapot and unworthy of belief.

      3. Vic

        > there'a video of the guy using tcpdump

        Are you sure about that?

        The video I watched (several times...) showed someone looking at a debug trace. I didn't see him using tcpdump.

        But every keypress was captured, every URL as well :-(

        Vic.

  7. Anonymous Coward
    Anonymous Coward

    Exactly what a diagnostics tool should do

    1) It can be easily turned OFF or ON

    2) You can see exactly what was sent was sent if on (it shows up under "Diagnostics & Usage data", if on you'll have a ton of awdd_* reports there)

    3) When ON it records only the essential information, doesn't need all your keystrokes and URLs, or even phone numbers you dialled.

    What I can't understand is why the Android version was made to be so intrusive.

    1. Chris 3

      Moreover

      Installing iOS 5 asks you upfront - would you like us diagnostic data?

    2. Peter H. Coffin

      If you never knew it was there until someone told you, how is it intrusive?

      1. Anonymous Coward
        Anonymous Coward

        Seriously?

        I nip round your house everyday while you are at work for a mooch through your stuff.

        1) I don't take anything

        2) You didn't know I did this until now

        Which means it is

        a) OK (As I'm not taking anything)

        b) Not intrusive (as you didn't know about it until now)

        Seriously?

  8. DrXym Silver badge

    Sim free

    More reason if any were needed to buy a sim free phone. When you work out how much a smart phone on contract costs these days its not like you're saving any money anyway.

    1. The Fuzzy Wotnot
      Unhappy

      Granted but not all of us have the 500 sovs upfront for the latest Apple or Samsung smartphone, easier to add £150 quid on the price and pay on the tick for the next 2 years!

      1. Anonymous Coward
        Anonymous Coward

        @Fuzzy

        SO like, why not get an older phone then?

        I'm still using a Samsung Jet (which is what, over 2 years old now?) and it. just. works. Has a touch screen, supports web & e-mail, has office-like features (agenda, notebook, etc.) and can sync itself to stuff like Outlook 2010 (with a little fiddling).

        Its not as if those older devices suddenly stopped working or something...

        1. The Fuzzy Wotnot

          I've been using my Missus' old second-hand iPhone 3G for the last 13 months, unlocked it and used it on a PAYG sim. The screen got smashed about 2 weeks ago and I just really fancied treating myself to something new for a change, so I paid half the cost of a Galaxy S2 phone and got a cheap monthly contract from O2. Normally I wouldn't bother, I've made do with a cheap £20 Alcaltel from Argos on PAYG for 6 months prior to getting the second-hand iPhone.

          I wasn't bemoaning the fact, simply pointing out that if you want ultra new and shiny it comes at a price, we all have to decide when the how much is too much.

    2. Chris 3
      Facepalm

      Dosen't matter

      This stuff runs on iPods; the data gets sent to Apple, not the carrier

  9. DJV Silver badge
    Devil

    Fan, Shit, Hit

    See above...

  10. Gil Grissum

    Nothing from the American Firms to give us the warm fuzzies about this nonsense? Sprint???

  11. Nigel 11
    Devil

    How illegal is this in the EU?

    I'm thinking that if it is confirmed that this software has been installed on any phones sold in the EU, then it will be curtains for carrier IQ and serious financial damage to any network that supplied a phone with it installed. The EU is hot on privacy ... and right now it needs every last cent it can lay its hands on.

  12. Sean Baggaley 1

    It's reports like this...

    ... that make me glad SIM-locked phones are so much less common across mainland EU.

    @The Fuzzy Wotnot: there's this concept called "saving up" you might want to look into. Taking out yet another loan is increasingly frowned-upon of late.

    1. Anonymous Coward
      Anonymous Coward

      Believe it or genius, if everyone suddenly stopped borrowing money the world's financial systems would disintegrate in a matter of days with zero hope of reprieve. Borrowing is what keeps the world's financial systems afloat. The system breaks down when you lend money to those you know cannot possibly pay it back and sell that debt to someone else, playing pass-the-parcelbomb, ala the US sub-prime mortgage fiasco. If some form of bond can be put up to secure the loan, no matter how large from a single mobile phone to national GDP sized, then financial institutions lending money will ensure you still have a job to go to tomorrow and not find yourself in a real life version of the Fallout 3 game!

  13. Hud Dunlap
    Big Brother

    Ask your bank

    Given that so many financial institutions pushing people to use their phones for banking etc.. the smart thing to do is ask them if it secure given this information.

  14. Will 28
    FAIL

    You really need to stop mentioning the SSL stuff

    You're just embarrassing yourselves. SSL protects the data during transport. This happens way before then, this is not even part of the communication stack. This is logging key presses, nothing to do with transport.

    To be honest it draws the credibility of this Eckhart chap into question given that he felt it was important to point out. He should have made it clear that SSL isn't intended to protect against this sort of situation.

    1. Anonymous Coward
      Anonymous Coward

      who needs credibility

      when it sounds better for the cameras?

  15. Allan 1

    Eternally Glad

    I am forever glad that I don't own a cellphone of any kind. I used to, 5 years ago, but I found that being permanently "connected" was actually quite intrusive. People knew they could get hold of me, even if I didn't want to be gotten hold of.

    If I dared turn it off, I got interrogated. "Why was your phone off...", so I decided to bin cellphones entirely, and don't regret it, ever.

    Sure I get a weird look when I tell people I don't have a cellphone, but who cares?

    1. Pirate Dave
      Pirate

      wow

      I was cellphone free for about 3 years, and didn't really miss it either. Only got it back when the oldest son started driving. Once the kids are grown and gone, the cell will probably go back into a drawer.

      Silence and disconnectedness are vastly under-rated these days.

    2. Anonymous Coward
      Anonymous Coward

      Quite right...

      ... except the problem isn't the phones, it's the people. Enola Gay didn't fly itself.

      I make it clear that I own a cellphone so that I can get hold of people, not so that people can get hold of me. Codependents are got rid of (sometimes forever) with the simple question "What part of 'Please leave me a message' didn't you understand?"

      There's one exception. I have always refused, and will continue to refuse, a work mobile; I insist that the office contact me on my personal mobile. They are then far less likely to think they have the right to call me out of hours. One company gave me one even when I had refused it, so not only did I keep it locked in a desk drawer at the office whenever I wasn't at work, I told them I was doing so. They didn't complain.

  16. rvt

    The guy was far from the first person to find it on the iPhone. Look it up in google and you can see that people found this software already last year and 2009...

    1. Anonymous Coward
      Anonymous Coward

      But..

      It wasn't in fashion then!

      Plus 'droiders were climbing up the walls following the giant eavesdropping hole that was found on their platform and desperately needed to pin at least some of it on iOS too.

      Not that I mind, they'll probably sleep better tonight and will be less cranky at work tomorrow.

  17. davefb

    'iphones ask'

    well yes, when you plug the iphone into itunes for the first time, it has some warning about 'diagnostics and such' , so obviously you say 'nah'.

    which is annoying, because those diagnostics appear to be the crash logs generated by apps... I'm guessing thats why whilst we have a few users complaining about crashing apps, we only have one uploaded crash report..

    as for the android logging, has anyone shown it actually sending the info it logs , because it does just seem to be the adb logcat output..

  18. Stevie Silver badge

    Bah!

    Why do we tolerate this sort of thing? Why do we allow it to continue year after year? Has the advent of cheap electronic communications blinded us to what is important?

    I speak, of course, of the unpronounceable name "chpwn".

    No-one who eschews vowels should be granted a platform to spout their views. In an ideal world there would be ubiquitous apps to force recalcitrant offenders to make their names make sense.

    I mean, only last week someone was bitching about "F'nor", and that was a made-up character's name.

    1. P. Lee
      Coat

      re: F'nor

      From the Dragonriders of Pern Series

      Wikipedia: Famanoran or F'nor (Fnōr) is the rider of the brown dragon Canth and was the son of Benden Weyr's former Weyrleader, F'lon and its current Headwoman Manora. He was also the half-brother of the current weyrleader, F'lar. He is a wingsecond at Benden.

      Ok, it is made up, but then, aren't all names?

      I know, misspent youth...

    2. alwarming
      Facepalm

      chpwn

      Its obviously a word play on the "chown" command. And actually a little bit funny as it says "pwn(pawn)" instead of "own". It gets funnier if you realize that he is a hacker.. implying he doesn't "own" your files.. just "pawns" them. etc.

    3. Anonymous Coward
      Anonymous Coward

      Not got any Welsh friends, then?

      (Or, not any more?)

  19. Anonymous Coward
    Anonymous Coward

    Weasel words?

    "We don't use it" isn't quite the same as "it isn't installed."

    Just because Telstra don't use it themselves doesn't mean that Telstra can't gain from Carrier IQ running on Telstra phones.

    Clarifications anyone?

    1. alwarming
      Big Brother

      Re: Clarifications anyone?

      Simply because they don't know!

      Just like TESCO doesn't know what hormones were injected in beef, similarly, Telstra has no practical way of knowing if its installed on any of the OEM phones or not. They are saying - "we don't install or use it. Don't flood our call centers".

      But are they legally responsible in case their phones are found to be using it ? I don't know... I suppose they might be on thin ice there if the phones they sell turn out to be collecting data illegally.

    2. eldakka Silver badge

      And "not using Carrier IQ" is not the same as "not using Carrier IQ or any similiar product".

  20. cosmo the enlightened
    Holmes

    We all act so shocked

    Look folks the business model of all these companies - Google, Facebook, etc is to get as much personal data from you as they can to either

    a: sell on

    b: improve their ability to advertise sh*t to you.

    We all act shocked and surprised when these stories keep coming up like it is some fricking epiphany.

    No sh*t Sherlock!

    Until the regulators fine someone until their eyes bleed every company who has a business model based upon selling your privacy on will continue to do so, and will use their EULA paragraph 9 sub section 24 in small print to get out of jail free.

    Blame the regulators for not laying down the law, blame the inter government agencies for not having a unified approach to privacy in the digital age, and most of all blame us every time we are shocked and outraged.

    These companies will continue to do this until the regulators get their act together.

    That is all...

  21. Mike Flugennock

    I know I've probably beaten this to death, but...

    ...every time I see a report like this on El Reg, it makes me even gladder that I own a "dumb" phone -- a 2004-vintage Samsung flip phone. Sends/receives voice calls and SMS. That's it. No Web, no email, no bullshit.

  22. Nameless Faceless Computer User
    Devil

    Isn't it obvious?

    For years, people marveled at Google Maps when it displays traffic information. We all watch the morning news and traffic report which lights up all the problem areas in red. Google Maps will give you traffic information even on small side streets.

    So, nobody is wondering where all this traffic data comes from? It comes from spying on your cell phone location with this software. duh!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021