The video does not show that anything is being logged or sent through the network.
All it shows is that a phone monitoring agent is informed about events that might be important while debugging - receiveing text, making calls, opening websites, pressing buttons. And that its hard to kill this agent without rooting the device.
What is important is:
1. Is the data logged on the device? (I guess that should be easy on a rooted device),
2. Is there any data sent even if the 'htc quality agent' is not activated? (route it through a linux box, tcpdump)
3. Is the data really anonymized if the 'htc quality agent' is enabled?
"There's no evidence that this crack pipe was used to consume crack cocaine"
The entire purpose of the application is ostensibly to send user activity to a corporation called Carrier IQ. I think the burden of proof is on the application whose purpose is to send user activity to Carrier IQ as to whether or not collected user activity including keystrokes is being sent to Carrier IQ. The fact that the software is able to gain keystroke events and SMS communications at all is a security breach.
I'm sure the problem of determining what confidential information is leaving the device is being worked on right now.
CarrierIQ's logs are now a mighty-high-value target.
Given their denials so far it's possible they have years of logs... logs containing every password ever typed into 'most modern' Android, Blackberry, and Nokia phones.
I don't understand why there's no proof, or even evidence that the researcher went look for proof, of the claims that this data is being sent to CarrierIQ.
It seems pretty clear the software doesn't actually transmit the data that it accesses, for a start receiving the volumes of data supposedly involved would require a data center the size of the moon.
CarrierIQ does lots of stuff I don't like, but it's not sending my banking passwords to a server in the USA.
Check your math. You're talking about recording the keystrokes and URLs people visit on smartphones. That adds up to such a phenomenally-small fraction of the data they actually download, storage for all 141+ million users could probably be accomplished by your average geek with a checkbook.
For scale, lets assume that each user sends, oh, 100 megabytes of data over a year. Roughly equivalent to 100 million characters, or (going with a 5mb ascii version of the bible I just googled) 20 bibles worth of text, or 1 million URLs at 100 characters long (that's roughly one URL every 30 seconds), so this is likely an overestimate, possibly substantially. And they have all 141 million users for the full year. Punch in the numbers, and you get 141 terabytes of data. Without compression.
That's microscopic. I can buy hard drives for that off the shelf for not too much money. Here, Backblaze sells that much for $7.4k in a single box, which is absolute pennies to a company with 141 million customers: http://blog.backblaze.com/2011/07/20/petabytes-on-a-budget-v...
Meanwhile, Amazon has pricing tiers going into the petabytes for S3, and very likely receives far more than our theoretical 141TB in a single day. And they're not the size of the moon.
The one small benefit of owning a Pure Google phone (Nexus One) none of this crap sneaks in. Otherwise this is just a Security and Privacy Nightmare. The disadvantage is no Ice cream Sandwich :(
Yes a google phone is probably best from a privacy perspective, as you have full control over the phone, but AFAIK if you buy a pure Samsung, or other brand, phone, without "carrier customization", you're also free of this shit. It's the (US?) carriers that push this trojan on it.
From checking the applications list, this doesn't seem to be running on my 2-year old HTC hero I brought unlocked ...
What would be good to have is a sure fire way of checking if it's running, and a clear list of which phones have this and which don't. I hope someone is gearing up to sue the f- out of Carrier IQ, but if not, I'd like to have the information publicly available so we can all invoke those old free market principals of customer choice and choose not to buy any phones with this on.
So my carrier can see what numbers I call, see my text messaging habits and see what websites I visit, all tied to a unique handset ID?
This is preposterous. Next thing you know, they'll be using this information to send you a bill at the end of the month based on who you call and how much bandwidth you've used!
@ 15:00, you can see your keystrokes are being sent to the app even when the local wireless connection is being used (not 3G). The example is a search request to https://google.com (note, https), and the app is seeing your search string.
That's much, much, more than you expect your ISP to have access to. It's essentially a keylogger running on a computer (your phone) that you own.
I'm going to give the benefit of the doubt to HTC, Verizon, and even Carrier IQ here: I don't think any of them wanted a keylogger running on all these phones (at least, not to this extent). It's likely just a big misunderstanding between the companies.
But, just because something like this was able to sneak it's way onto there, it does give the Microsoft (WP7) and Apple model of strict control some validity that it might be beneficial to users. I wouldn't expect to see something like this on WP7, where carriers get only a separate category in the Marketplace and for manufacturers, (I believe) only Nokia can add applications. (Same for iOS, where it's all Apple, but WP7 proves that the secure model could possibly work for a more distributed ecosystem like Android.)
I'm having trouble seeing how Carrier IQ could be given the benefit of the doubt in this. (edit: the phone producers / carriers, possibly, though I'd hope they'd audit what they're selling. Expect, no, just hope.)
1) their software logs all keystrokes. 2) their software sends all keystrokes to their servers. 3) they denied it did so.
Those don't add up to reasonable doubt any way I can see it. If they were using that information for understanding crashes, dropped calls, etc, then they would have seen that it was recording everything, and would have seen it many many many times. It can't have slipped past their notice unless it was totally un-used, and then they should've raised an eyebrow at the massive numbers of signals being sent to their domains.
The video didn't show any evidence of data being transferred off of the phone, besides being logged to the USB logger.
Is it possible that this is simply a tool to allow for USB debugging of the UI? Otherwise, are there details (how often, what) is getting sent back to the carriers or to this company?
That was my question after watching the video as well... I was surprised he didn't try doing a tcpdump or something to see what (if anything) was actually being transmitted off the phone with each of those debug messages, though I don't know if that's possible to do without rooting it. Maybe it would be possible to get the Carrier IQ apps running on a rooted device to test this?
You don't need to do tcpdump on the device itself, associating it with your wifi access point and running tcpdump there filtering on client ip would yield the same result.
I'm surprised he didn't do that too, would love to try it myself, can't for a week or so though, someone will have done it by then.
Hah, that's a better idea. Unless it only transfers the data through a cell data connection (I don't really see any good reason why that would be the case but it's a remote possibility).
It's not mentioned in the article but the whole reason this was picked up by the researcher is on that particular Sprint/HTC ROM, they left the debugging messages in the rootkit enabled by accident. I do wish he had at least shown the TCP/IP packets with the full sms content and the https google search query in plain text.
All it shows is that a phone monitoring agent is informed about events that might be important while debugging - receiveing text, making calls, opening websites, pressing buttons. And that its hard to kill this agent without rooting the device.
What is important is: 1. Is the data logged on the device? (I guess that should be easy on a rooted device), 2. Is there any data sent even if the 'htc quality agent' is not activated? (route it through a linux box, tcpdump) 3. Is the data really anonymized if the 'htc quality agent' is enabled?