TL;DR - On a Sprint HTC Android phone, an app is running without the user's knowledge, which cannot be disabled, which monitors nearly everything you do, down to keypresses, and reports back to the third-party company CarrierIQ, which presumably shares it with the carrier for QoS. Alarmingly, it includes even HTTPS passwords, even when you're connecting over WiFi.
The MitM attack inserted into the HTTPS implementation is the most depressing part. I'm just stunned that serious people would have ever agreed to this. Now how long until an on-device attack against CiQ compromises real data?
I think you mean it includes HTTPS URLs. At least from the video, there doesn't seem to be any information about logging HTTP authentication or form submitted data.
This is also a reason why you shouldn't put sensitive information in the query string even if using HTTPS - too many systems might accidentally log or show that in history.
It would, because they wouldn't just be able to passively log in, they would have to enter the password, reroute the sms (so that I didn't see it) and then log in to the email system (which is recorded on "this account was last accessed at").
Note that under U.S. law, any information you voluntarily relinquish to an entity that is not your ISP has basically zero protection. None, nada. Any law enforcement agency can get every bit of data stored about you by CarrierIQ without ever notifying you, and you don't have a 4th Amendment privacy right in the data.
What's missing in the video is information about what Carrier IQ's application is sending back to them.
For example, if they get called on each keystroke then they may be simply keeping a count of number of key presses and providing that information so they can derive device usage.
The whole thing would be clarified if there was information about what is transmitted. The article states "This video has demonstrated a truly significant volume of information is being recorded." Actually it doesn't demonstrate that, it demonstrates that APIs get called in the Carrier IQ application that contain that information. That's not the same thing as recording or even parsing it.
For example, my antivirus software on my machine gets to see all my files, all my email and all my web browsing. Everything. Doesn't make it evil.
What I'd like to see is a tcpdump consisting of ciq phoning home.
It's accused that they're recording everything and sending it home; they admit to recording some things and sending it home. They also make a claim about encryption that I interpret to mean it's encrypted in transit. I'd like to see exactly what's going on; too bad I don't have a phone with ciq.
If you have a Sprint Android phone, google up a ROM with NOCIQ and install it. Run something like "SMS backup and restore" and "Titanium backup" first to save sms and app data before wiping the phone for the new ROM. For the new ROM, easiest way I know is via "ROM Manager" on the app store, it's a couple clicks and a few reboots and some waiting on a big download. (Personally on my Sprint Epic I am running CleanGB because I like the stock interface, but plenty of ROMs have NOCIQ.)
Yes, I have to trust that some hacker who built this ROM did just what he said he did and stripped CIQ and didn't replace it with his own nefarious logger. But I actually think trust-ROM-hacker is safer than running a known keylogger.
It's beyond time for some real privacy laws in this country, but I'm curious: can existing laws cover this? For example, from what I understand, PCI compliance is required for storing credit card information. If CIQ is capturing this information along with all keystrokes, does the same law apply to them? And are they abiding by it?
PCI compliance isn't a law, but rather a contractual agreement as part of your merchant account, and/or transaction gateway. If CIQ isn't taking credit card payments, it has nothing to do with them.
Actually, as pointed out in the article much of this behavior is counter to the stated privacy policies of the carrier. That's a breach of contract, and I suspect an enterprising lawyer could turn this into a class action suit.
Mountain View, CA – November 16, 2011 – Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices.

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.

While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements. Carrier IQ enables a measurable impact on improving the quality and experience of our customers’ mobile networks and devices. Our business model and technology aligns exclusively with this goal.

For media commentary, contact:
Mira Woods
Phone: 617-513-7020
Email: mwoods@carrieriq.com
Mobile Service Intelligence is the process of analyzing data from phones to give you a uniquely powerful insight into mobile service quality and user behavior.

[...]

We know you don't just want data, you want to solve business problems and identify new business opportunities.

[...]

What's more, the combination of the MSIP and IQ Insight lets you move seamlessly from broad trend data across many users, through comparative groups down to diagnostic data from individual devices. Now, not only can you identify trends, you have the power to drill down to specific instances [...]
While I understand the need for QoS metrics, this does seem a bit invasive if you didn't know it was happening.
However, at the same time, they had carrier-oriented screenshots of their products detailing a scary level of information about devices and users.
It appears that they've done some "tidying up" of their site in the past few days. Their Device Manager product page had high resolution images of the scary data their product collects. They've since been replaced, and I can't find the same great screenshots chock full of information that is directly contrary to their statement.
It looks as if this is just a debug log; is there any information on what is sent off-device? Is it possible this is just stupid over-zealous troubleshooting/debugging logging left in?
Although, if these logs are always on, it seems like it might be a problem as third-party apps can request log reading permission. So even if CIQ isn't sending this info, another app might pick it up and use it. Also, I would guess there might be a performance impact if every touch is logged.
Hope these guys have a contingency plan for when their massive DB gets compromised by some angry 15 year olds. Especially when said 15 year olds decide to dump a year's worth of plaintext keylog information.
What's most sad about this situation is that these guys were able to get this software on 150 million handsets and we're only finding out about this now.
This is just an adb log. Certainly, it seems that the CIQ application is hooking every event on the phone... but that's a far cry from demonstrating that it's sending that information back to CarrierIQ - or even recording it at all.
Information recorded in the logs is transmitted to Google when you submit a crash report. So although they may not intend to send this information out, they're making it really easy for all this information to be inadvertently leaked to a third party (Google).
Yeah, I'd absolutely agree that it's bad security practice to print sensitive information to a system-wide log. But the tone of the responses seems to suggest that people think this is something much more sinister.
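Several comments above make the same defensive point: whatever is or isn't transmitted, writing URLs and key events to the shared Android log exposes them to any app that holds the log-reading permission and to crash reports. The checker below is an added example (not from the thread, the video, or Carrier IQ) that scans logcat "brief" format lines for exactly that kind of leakage; the log lines, tag name and sensitive-parameter list are constructed for illustration.

```python
"""Check Android logcat output for sensitive data written to the shared system
log, where any app granted READ_LOGS could read it (the concern raised in the
thread). Sample lines below are constructed, not captured from a real device."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
LOGCAT_LINE = re.compile(r"^([VDIWEF])/(\S+?)\(\s*(\d+)\):\s*(.*)$")
URL = re.compile(r"https?://[^\s\"'<>]+")
KEY_EVENT = re.compile(r"\bkey(code|char)\s*=\s*\S+", re.I)
# Query-parameter names that commonly carry secrets (heuristic, extend as needed).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                  "auth", "ssn", "cardnumber", "cvv"}

def findings_for_line(line):
    """Return (kind, tag, detail) findings for one logcat line; [] if clean."""
    m = LOGCAT_LINE.match(line)
    if not m:
        return []
    tag, msg = m.group(2), m.group(4)
    out = []
    for url in URL.findall(msg):
        parts = urlsplit(url)
        keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hits = sorted(keys & SENSITIVE_KEYS)
        # Any logged URL exposes browsing; a secret in the query string is worse,
        # and HTTPS does not help once the URL sits in a local log.
        kind = "url_secret_param" if hits else "url"
        out.append((kind, tag, f"{parts.scheme}://{parts.netloc}{parts.path} secret_params={hits}"))
    if KEY_EVENT.search(msg):
        out.append(("keystroke", tag, msg))
    return out

def scan(lines):
    """Scan an iterable of logcat lines; return all findings in order."""
    return [f for line in lines for f in findings_for_line(line)]

def summarize(lines):
    """Count findings per (kind, tag) so the offending logger tag stands out."""
    return Counter((kind, tag) for kind, tag, _ in scan(lines))

# Constructed sample logcat output (brief format); "ExampleDiag" is a made-up tag.
SAMPLE_LOG = """\
D/ExampleDiag( 1234): onKeyDown keycode=29 action=down
I/ExampleDiag( 1234): page load https://mail.example.com/login?user=alice&password=hunter2
D/ExampleDiag( 1234): page load https://www.example.com/search?q=weather
I/ActivityManager(  300): Start proc com.example.app for activity
W/ExampleDiag( 1234): fetch http://cdn.example.com/img.png
"""

if __name__ == "__main__":
    for kind, tag, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{kind:17} {tag:12} {detail}")
```

On a real device the input would be the output of `adb logcat -v brief`, and the per-tag summary points at which component is doing the logging.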