Carrier IQ Drops Empty Legal Threat, Apologizes to Security Researcher

For those not familiar with the situation involving Carrier IQ:

Carrier IQ is a Rootkit - Android Security Test

In an attempt to stop any damage, Carrier IQ sued the security researcher, but with EFF's help the baseless lawsuit was beaten back and the company apologized.

Carrier IQ Drops Empty Legal Threat, Apologizes to Security Researcher - EFF

Bugger off!
I hope they don't move to har

 

Rootkit on millions of smartphones?

http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/

http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/carrieriq-part2/

I'm glad that I'm not using a smartphone

 

Re: Rootkit on millions of smartphones?

Links 2/3 don't work.

And it's pretty easy to not get infected. I only install apps that I know are legit.

Using a custom ROM is a nice way to avoid built in "malware."

 

Re: Rootkit on millions of smartphones?

They work for me. I had to click the reload button, though.

But it seems that this rootkit is installed by default on many smartphones.

 

Re: Rootkit on millions of smartphones?

Yes, that's why using a custom ROM is my recommendation. I don't know of any ROMs that leave it in.

 

Interesting Searching__, thanks for posting.

 

The vendors allow installation of this plague?
I thought you can't install junk without google's blessing on those things.

 

I hope those guys get sued...

 

An article about Carrier IQ on iOS/iPhone:
http://blog.chpwn.com/post/13572216737

 

Senator Seeks Answers About Phone Logging Software (Carrier IQ called "rootkit")

http://www.npr.org/blogs/thetwo-way...wers-about-phone-logging-software?sc=fb&cc=fp

http://www.npr.org/blogs/thetwo-way...ret-software-on-phones-logs-nearly-everything

 

Carrier IQ tracking on Android, iPhone, BlackBerry, and more: the story so far

 

CarrierIQ NOT on Windows Phone 7 devices, or Nexus, Verizon, Vodafone, Nokia devices

 

Critics Line Up to Bash Maker of Secret Phone-Monitoring Software

More

 

Well I suppose one question is why didn't any of the security software I've used on my Android detect this? Either it slipped right passed or was white listed. Any other explanation? I've used BitDefender, Dr. Web, Kaspersky, Zoner, Webroot...maybe some others. But none alerted to this "rootkit" type behavior.

 

LA Times up with a story that Eckhart is wrong:
http://latimesblogs.latimes.com/technology/2011/12/carrier-iq-privacy.html

 

Interestingly, Carrier IQ does not mention anything about not recording internet activity such as searches (even https sites as on the Eckhart video) or web browsing...or collecting key strokes from that activity.

 

Carrier IQ 'Vigorously Disagrees' with Critics
December 1, 2011


Carrier IQ, the analytics firm which has been under fire for cell phone data its software is able to collect unbeknownst to users, has offered a new explanation for what its technology can and can't do, and how its operator customers use it.

"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement released Thursday.

Carrier IQ also said that it "vigorously disagrees" with allegations that the company has violated wiretap laws.

Among Carrier IQ's customers are Sprint, AT&T, and T-Mobile—three of the nation's four largest wireless carriers. The fourth, Verizon, has said it doesn't use Carrier IQ. Sprint and AT&T said Thursday that they use the software for network performance purposes and not user tracking.

Carrier IQ itself says that its technology "makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the operators provide optimal service efficiency." Carrier IQ software is deployed on 141 million handsets and growing, according to the company.

Security researcher Trevor Eckhart published a report last month that described how Carrier IQ's software is able to track cell phone activity such as texts, call history, apps used, and location history. That led Carrier IQ to send a cease-and-desist letter to Eckhart, but the company later recanted and apologized for doing so.

Carrier IQ said Thursday's statement was an "update" to its Nov. 23 statement, presumably the apology and clarification it released on that date concerning the Eckhart matter.

The company may have felt obliged to further defend itself given that Congress on Thursday inserted itself into the fray, with Sen. Al Franken (D-Minn.) penning a letter to Carrier IQ CEO Larry Lenhart asking for specific information about the type of data collected by the company's software.

"Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information," Franken said in a statement. "The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling."

Eckhart also has not been mollified by Carrier IQ's explanations. As PCMag.com's sister site Geek.com reported this week, the researcher has released a video (below) that demonstrates how Carrier IQ technology runs in the background on an Android-based HTC smartphone, though it does not show up on the list of active applications and Eckhart said he could not force stop Carrier IQ from running.

In its statement, Carrier IQ said consumer privacy is protected through its "trusted relationship" with its operator customers.

"As a condition of its contracts with operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction," the statement said. "The data we gather is transmitted over an encrypted channel and secured within our customers' networks or in our audited and customer-approved facilities."

Carrier IQ also quoted Infidel Inc. security analyst Rebecca Bace as saying that "allegations of keystroke collection or other surveillance of mobile device user's content [by Carrier IQ] are erroneous."

http://www.pcmag.com/article2/0,2817,2397141,00.asp

 

Rebecca/Becky Bace has an impressive resume and career.

"Her career includes roles in research, development, operational management, and strategy, in settings ranging from the U.S. Intelligence Community (NSA) to a national laboratory (Los Alamos National Laboratory) to her current role as a strategic consultant in Silicon Valley. Ms. Bace is currently President and CEO of Infidel, Inc., a strategic consulting firm focusing on information security and risk management, and a venture consultant for Trident Capital, where she oversees Trident’s security-related investment portfolio.
Although Ms. Bace is acknowledged most often for her work in intrusion detection (she is credited with successfully funding and transferring the first generation of intrusion detection technology to the commercial market,) she is also considered an key influencer in other security technology areas.
Her publication credits include the books Intrusion Detection (Macmillan, 2000) and (with Fred Chris Smith) A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as An Expert Technical Witness, (Addison-Wesley, October, 2002)" link

Some witness for the defendant.
I wonder if she's asked to defend Carrier IQ's 'network diagnostic tool' because of her 'network expertise' or because of her role as a venture capital consultant.

And how do you get this program on your phone?
Is it installed by the phone manufacturer or carrier?
Only on 'carrier package phones'; installed on a phone by the manufacturer on behalf of the carrier or can you also 'get' it when buying a phone and sim separately?

 

"Consumer Watchdog wants probe of Carrier IQ, carriers" : https://www.computerworld.com/s/art...ts_probe_of_Carrier_IQ_carriers?taxonomyId=17

 

Researchers Identify Serious Capability Leaks in Many Android Phones

From http://threatpost.com/en_us/blogs/r...s-capability-leaks-many-android-phones-120211:

 

Carrier IQ, HTC, Samsung hit with class-action lawsuits
Carrier IQ's own marketing claims undercut its defense
How to turn off Carrier IQ on your iPhone

 

Android Carrier IQ Detector Now Available

• Disclaimer: •
I do not own an Android phone, I have not tested this software.

 

Re: Researchers Identify Serious Capability Leaks in Many Android Phones

On the Android market is an application called "Permissions" and, by the same author, "Fix Permissions" for use if needed when an application won't run because of the change. "Permissions" requires root access.
The purpose of this app is to be able to disable all those unneeded rights by the vendor installed stuff or downloaded from the market. Many of those apps need so much permission that Windows suddenly looks so safe