
Researcher’s Video Shows Software on Millions of Phones Logging Everything - ssclafani
http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
======
gacek
The video does not show that anything is being logged or sent through the
network.

All it shows is that a phone monitoring agent is informed about events that
might be important while debugging - receiveing text, making calls, opening
websites, pressing buttons. And that its hard to kill this agent without
rooting the device.

What is important is: 1\. Is the data logged on the device? (I guess that
should be easy on a rooted device), 2\. Is there any data sent even if the
'htc quality agent' is not activated? (route it through a linux box, tcpdump)
3\. Is the data really anonymized if the 'htc quality agent' is enabled?

~~~
codeonfire
"There's no evidence that this crack pipe was used to consume crack cocaine"

The entire purpose of the application is ostensibly to send user activity to a
corporation called Carrier IQ. I think the burden of proof is on the
application whose purpose is to send user activity to Carrier IQ as to whether
or not collected user activity including keystrokes is being sent to Carrier
IQ. The fact that the software is able to gain keystroke events and SMS
communications at all is a security breach.

I'm sure the problem of determining what confidential information is leaving
the device is being worked on right now.

------
gojomo
CarrierIQ's logs are now a mighty-high-value target.

Given their denials so far it's possible they have years of logs... logs
containing every password ever typed into 'most modern' Android, Blackberry,
and Nokia phones.

------
DanBC
Millions sounds like a few million, maybe twenty million at most. It is, in
fact, 141 million phones.

(<http://www.carrieriq.com/>)

> *Handsets currently deployed: 141,275,xxx

I've used xxx because the number just counts up.

------
jgrahamc
I don't understand why there's no proof, or even evidence that the researcher
went look for proof, of the claims that this data is being sent to CarrierIQ.

[http://blog.jgc.org/2011/11/getting-little-tired-of-
security...](http://blog.jgc.org/2011/11/getting-little-tired-of-
security.html)

~~~
EwanToo
It's nuts, isn't it?

It seems pretty clear the software doesn't actually transmit the data that it
accesses, for a start receiving the volumes of data supposedly involved would
require a data center the size of the moon.

CarrierIQ does lots of stuff I don't like, but it's not sending my banking
passwords to a server in the USA.

~~~
Groxx
Check your math. You're talking about recording the keystrokes and URLs people
visit on smartphones. That adds up to such a phenomenally-small fraction of
the data they actually download, storage for all 141+ million users could
probably be accomplished by your average geek with a checkbook.

For scale, lets assume that each user sends, oh, 100 megabytes of data over a
year. Roughly equivalent to 100 million characters, or (going with a 5mb ascii
version of the bible I just googled) 20 bibles worth of text, or 1 million
URLs at 100 characters long (that's roughly one URL every 30 seconds), so this
is likely an overestimate, possibly substantially. And they have all 141
million users for the full year. Punch in the numbers, and you get 141
terabytes of data. Without compression.

That's _microscopic_. I can buy hard drives for that off the shelf for not too
much money. Here, Backblaze sells that much for $7.4k in a _single box_ ,
which is absolute _pennies_ to a company with 141 million customers:
[http://blog.backblaze.com/2011/07/20/petabytes-on-a-
budget-v...](http://blog.backblaze.com/2011/07/20/petabytes-on-a-
budget-v2-0revealing-more-secrets/)

Meanwhile, Amazon has pricing tiers going into the petabytes for S3, and very
likely receives _far_ more than our theoretical 141TB in a single day. And
they're not the size of the moon.

------
suprgeek
The one small benefit of owning a Pure Google phone (Nexus One) none of this
crap sneaks in. Otherwise this is just a Security and Privacy Nightmare. The
disadvantage is no Ice cream Sandwich :(

~~~
wladimir
Yes a google phone is probably best from a privacy perspective, as you have
full control over the phone, but AFAIK if you buy a pure Samsung, or other
brand, phone, without "carrier customization", you're also free of this shit.
It's the (US?) carriers that push this trojan on it.

Feel free to prove me wrong though...

~~~
fuzzix
I would be very interested to know if this is in use outside the US
(specifically, inside the EU).

Looks like a serious breach of data protection directives:

<http://en.wikipedia.org/wiki/Data_Protection_Directive>

Personally identifiable, highly personal information gathered by a third party
without permission, let alone notification.

~~~
miahi
I have an European Orange-branded HTC Desire S and I see no Carrier IQ related
tasks in my task manager.

------
jarofgreen
From checking the applications list, this doesn't seem to be running on my
2-year old HTC hero I brought unlocked ...

What would be good to have is a sure fire way of checking if it's running, and
a clear list of which phones have this and which don't. I hope someone is
gearing up to sue the f- out of Carrier IQ, but if not, I'd like to have the
information publicly available so we can all invoke those old free market
principals of customer choice and choose not to buy any phones with this on.

~~~
mattmanser
It doesn't appear on the application list.

Hence the word 'secret' in the title and the word rootkit multiple times in
the article.

~~~
jarofgreen
Did you watch the video, where he showed "HTC IQ Agent" and "IQR(something)"?

------
mikecane
East Germany's Stasi is back. It's called Carrier IQ. Really, the kind of
step-by-step info gathering there should require a court order in the U.S..

It was shown also working on WiFi. How can we tell if this is also on Android
tablets?

Are we yet sure this is not in iOS at all?

~~~
leot
One advantage of a walled garden is less diffusion of responsibility.

------
1010100101
This company just seems so over the top, it's surreal.

There's probably plenty more like them that us plebes don't know about.

What would we do without EFF?

~~~
fl3tch
What would we do without hackers?

------
garethsprice
So my carrier can see what numbers I call, see my text messaging habits and
see what websites I visit, all tied to a unique handset ID?

This is preposterous. Next thing you know, they'll be using this information
to send you a bill at the end of the month based on who you call and how much
bandwidth you've used!

~~~
orangecat
_So my carrier can see what numbers I call, see my text messaging habits and
see what websites I visit, all tied to a unique handset ID?_

And every keystroke that you enter in "secure" connections, and everything you
do offline.

~~~
1010100101
You got a problem with that? :)

~~~
1010100101
There is no sense of humour on HN.

------
Xuzz
I'm going to give the benefit of the doubt to HTC, Verizon, and even Carrier
IQ here: I don't think any of them wanted a keylogger running on all these
phones (at least, not to this extent). It's likely just a big misunderstanding
between the companies.

But, just because something like this _was_ able to sneak it's way onto there,
it does give the Microsoft (WP7) and Apple model of strict control some
validity that it might be beneficial to users. I wouldn't expect to see
something like this on WP7, where carriers get only a separate category in the
Marketplace and for manufacturers, (I believe) only Nokia can add
applications. (Same for iOS, where it's all Apple, but WP7 proves that the
secure model could possibly work for a more distributed ecosystem like
Android.)

~~~
Groxx
I'm having trouble seeing how Carrier IQ could be given the benefit of the
doubt in this. (edit: the phone producers / carriers, possibly, though I'd
_hope_ they'd audit what they're selling. Expect, no, just hope.)

1) their software logs all keystrokes. 2) their software sends all keystrokes
to their servers. 3) they denied it did so.

Those don't add up to reasonable doubt any way I can see it. If they _were_
using that information for understanding crashes, dropped calls, etc, then
they would have _seen_ that it was recording everything, and would have seen
it many many many times. It _can't_ have slipped past their notice unless it
was totally un-used, and then they should've raised an eyebrow at the massive
numbers of signals being sent to their domains.

~~~
willscott
The video didn't show any evidence of data being transferred off of the phone,
besides being logged to the USB logger.

Is it possible that this is simply a tool to allow for USB debugging of the
UI? Otherwise, are there details (how often, what) is getting sent back to the
carriers or to this company?

~~~
FaceKicker
That was my question after watching the video as well... I was surprised he
didn't try doing a tcpdump or something to see what (if anything) was actually
being transmitted off the phone with each of those debug messages, though I
don't know if that's possible to do without rooting it. Maybe it would be
possible to get the Carrier IQ apps running on a rooted device to test this?

~~~
karolist
You don't need to do tcpdump on the device itself, associating it with your
wifi access point and running tcpdump there filtering on client ip would yield
the same result.

I'm surprised he didn't do that too, would love to try it myself, can't for a
week or so though, someone will have done it by then.

~~~
FaceKicker
Hah, that's a better idea. Unless it only transfers the data through a cell
data connection (I don't really see any good reason why that would be the case
but it's a remote possibility).

~~~
stefs
the article states this is not the case - it also uses wifi.

