
Security researcher responds to CarrierIQ with video proof - ukdm
http://www.geek.com/articles/mobile/security-researcher-responds-to-carrieriq-with-video-proof-20111129/
======
billybob
TL;DR - On a Sprint HTC Android phone, an app is running without the user's
knowledge, which cannot be disabled, which monitors nearly everything you do,
down to keypresses, and reports back to the third-party company CarrierIQ,
which presumably shares it with the carrier for QoS. Alarmingly, it includes
even HTTPS passwords, even when you're connecting over WiFi.

~~~
jellicle
Note that under U.S. law, any information you voluntarily relinquish to an
entity that is not your ISP has basically zero protection. None, nada. Any law
enforcement agency can get every bit of data stored about you by CarrierIQ
without ever notifying you, and you don't have a 4th Amendment privacy right
in the data.

~~~
cgag
What protection do we get with information given to an ISP?

~~~
jellicle
This:

[http://en.wikipedia.org/wiki/Electronic_Communications_Priva...](http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act)

which is low, but better than nothing.

------
jgrahamc
What's missing in the video is information about what Carrier IQ's application
is sending back to them.

For example, if they get called on each keystroke then they may be simply
keeping a count of number of key presses and providing that information so
they can derive device usage.

The whole thing would be clarified if there was information about what is
transmitted. The article states "This video has demonstrated a truly
significant volume of information is being recorded." Actually it doesn't
demonstrate that, it demonstrates that APIs get called in the Carrier IQ
application that contain that information. That's not the same thing as
recording or even parsing it.

For example, my antivirus software on my machine gets to see all my files, all
my email and all my web browsing. Everything. Doesn't make it evil.

~~~
click170
What I'd like to see is a tcpdump consisting of ciq phoning home.

It's accused that they're recording everything and sending it home, they admit
to recording some things _and sending it home_. They also make a claim about
encryption that I interpret to mean it's encrypted in transit. I'd like to see
exactly what's going on, too bad I don't have a phone with ciq.

------
pkteison
If you have a Sprint Android phone, google up a ROM with NOCIQ and install it.
Run something like "SMS backup and restore" and "Titanium backup" first to
save sms and app data before wiping the phone for the new ROM. For the new
ROM, easiest way I know is via "ROM Manager" on the app store, it's a couple
clicks and a few reboots and some waiting on a big download. (Personally on my
Sprint Epic I am running CleanGB because I like the stock interface, but
plenty of ROMs have NOCIQ.)

Yes, I have to trust that some hacker who built this rom did just what he said
he did and stripped CIQ and didn't replace it with his own nefarious logger.
But I actually think trust-ROM-hacker is safer than running a known keylogger.

------
thebigshane
Response from CarrierIQ on their site
[PDF][[http://www.carrieriq.com/Media_Alert_User_Experience_Matters...](http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf)]:

    
    
       Mountain View, CA – November 16, 2011 – Carrier IQ would like to clarify 
       some recent press on how our product is used and the information that is 
       gathered from smartphones and mobile devices. 
      
       Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and 
       networks to assist operators and device manufacturers in delivering high quality 
       products and services to their customers. We do this by counting and measuring 
       operational information in mobile devices – feature phones, smartphones and 
       tablets. This information is used by our customers as a mission critical tool to 
       improve the quality of the network, understand device issues and ultimately 
       improve the user experience. Our software is embedded by device 
       manufacturers along with other diagnostic tools and software prior to shipment. 
      
       While we look at many aspects of a device’s performance, we are counting and 
       summarizing performance, not recording keystrokes or providing tracking 
       tools.  The metrics and tools we derive are not designed to deliver such 
       information, nor do we have any intention of developing such tools. The 
       information gathered by Carrier IQ is done so for the exclusive use of that 
       customer, and Carrier IQ does not sell personal subscriber information to 3rd 
       parties. The information derived from devices is encrypted and secured within 
       our customer’s network or in our audited and customer-approved facilities. 
      
       Our customers have stringent policies and obligations on data collection and 
       retention. Each customer is different and our technology is customized to their 
       exacting needs and legal requirements. Carrier IQ enables a measurable impact 
       on improving the quality and experience of our customers’ mobile networks and 
       devices. Our business model and technology aligns exclusively with this goal. 
    
       For media Commentary, contact: 
       Mira Woods 
       Phone: 617-513-7020 
       Email: mwoods@carrieriq.com

~~~
thebigshane
Some other tidbits from elsewhere on their site:

    
    
       Mobile Service Intelligence is the process of analyzing 
       data from phones to give you a uniquely powerful insight 
       into mobile service quality and user behavior. 
       [...]
       We know you don't just want data, you want to solve
       business problems and identify new business opportunities.
       [...]
       What's more, the combination of the MSIP and IQ Insight 
       lets you move seamlessly from broad trend data across 
       many users, through comparative groups down to diagnostic
       data from individual devices. Now, not only can you 
       identify trends, you have the power to drill down to 
       specific instances[...]
    

While I understand the need for QoS metrics, this does seem a bit invasive if
you didn't know it was happening.

An apparent example of some metrics they collect:
[http://www.carrieriq.com/overview/IQInsightExperienceManager...](http://www.carrieriq.com/overview/IQInsightExperienceManager/IQINWebExperMgrgraphic.jpg)

------
kevin_jacobs
It's beyond time for some real privacy laws in this country, but I'm curious..
Can existing laws cover this? For example from what I understand, PCI
compliance is required for storing credit card information. If CIQ is
capturing this information along with all keystrokes, does the same law apply
to them? And are they abiding by it?

~~~
lftl
PCI compliance isn't a law, but rather a contractual agreement as part of your
merchant account, and/or transaction gateway. If CIQ isn't taking credit card
payments, it has nothing to do with them.

~~~
kevin_jacobs
Thanks, it seemed like a stretch anyway.

------
runjake
CarrierIQ released a response to TrevE's initial post at:

[http://www.carrieriq.com/Media_Alert_User_Experience_Matters...](http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf)

However, at the same time, they had carrier-oriented screenshots of their
products detailing a scary level of information about devices and users.

It appears that they done some "tidying" up of their site in the past few
days. Their Device Manager product page had high resolution images of the
scary data their product collects. They've since been replaced, and I can't
find the same great screenshots chock full of information that is directly
contrary to their statement.

------
DanBC
(<http://www.carrieriq.com/>)

> _Handsets currently deployed 141,263,xxx_

~~~
cskau
Their front page animation makes me think of Enemy of the State.

The most frightening thing is almost how proudly they present their level of
surveillance.

------
click170
Howcome the FTC isn't all over this?

Because 6 months haven't passed, is that it?

------
MichaelGG
It looks as if this is just a debug log; is there any information on what is
_sent_ off-device? Is it possible this is just stupid over-zealous
troubleshooting/debugging logging left in?

Although, if these logs are always on, it seems like it might be a problem as
third-party apps can request log reading permission. So even if CIQ isn't
sending this info, another app might pick it up and use it. Also, I would
guess there might be a performance impact if every touch is logged.

~~~
er5oie
Question: Say CiQ only sends data via the cellular network. Then how do you
find out what it's sending?

------
mikemarotti
Hope these guys have a contingency plan for when their massive DB gets
compromised by some angry 15 year olds. Especially when said 15 year olds
decide to dump a year's worth of plaintext keylog information.

What's most sad about this situation is that these guys were able to get this
software on 150 million handsets and we're only finding out about this now.

------
strags
This is just an adb log. Certainly, it seems that the CIQ application is
hooking every event on the phone... but that's a far cry from demonstrating
that it's sending that information back to CarrierIQ - or even recording it at
all.

~~~
bdonlan
Information recorded in the logs are transmitted to google when you submit a
crash report. So although they may not intend to send this information out,
they're making it really easy for all this information to be inadvertently
leaked to a third party (google).

~~~
strags
Yeah, I'd absolutely agree that it's bad security practice to print sensitive
information to a system-wide log. But the tone of the responses seem to
suggest that people think this is something much more sinister.

------
petegrif
Horrific.

