Attention All Smartphone Users

[ipodwinner31]

http://www.pcworld.com/article/245229/carrier_iq_rootkit_reportedly_logs_everything_on_millions_of_phones_updated.html

Carrier IQ Rootkit Reportedly Logs Everything On Millions Of Phones

If you use an Android, BlackBerry, or Nokiasmartphonethen you may be at risk of being illegally wire-tapped by Carrier IQ--a provider of performance monitoring software for smartphones--according to reports.

Earlier this month, security researcher Trevor Eckhart announced that he found software made by Carrier IQ that may be logging your every move on your mobile phone. Trevor referred to it as a "rootkit", a piece of software that hides itself while utilizing privileged access like watching your every move. Carrier IQ didn't take too kindly to this accusation, and responded aggressively with a cease-and-desist letter, and went on to deny this accusation. However, to further back his accusation, Eckhart released a video that he says shows the software in action.

In the video, Eckhart navigates to a list of running applications on his phone, and he found that the application IQRD--made by Carrier IQ--was not shown. However, when he searched all of the applications on the device, Eckhart discovered that IQRD showed up with the option to force stop it; therefore, he determined that the app must have been running. However, when he tried to stop the application, the force stop function did absolutely nothing. Additionally, this application always runs when the device is started, according to his research.

After connecting his HTC device to hiscomputer,Trevorfound thatIQRDissecretly logging every single button that he taps on the phone--even on the touchscreen number pad. IQRD is also shown to be logging text messages.

In the video, Eckhart shows that Carrier IQ is also logging Web searches. While this doesn't sound all that bad by itself, it suggeststhatCarrier IQ is logging what happens during an HTTPS connection which is supposed to be encrypted information. Additionally, it can do this over a Wi-Fi connection with no 3G, so even if your phone serviceisdisconnected,IQRDstilllogstheinformation.

Wired goes on to say that the application "cannot be turned off without rooting the phone and replacing the operating system."

While Eckhart tested his accusation on an HTC device it is likely that Carrier IQ is logging information on millions of more devices.According to Carrier IQ (pdf)"Carrier IQ’s Mobile Intelligenceplatform is currently deployed with more than 150 million devices worldwide."

While Carrier IQ has since backed off and apologized for its aggressive legal action against Eckhart, this isn't the end of the
 story for Carrier IQ. Paul Ohm, a former Justice Department
prosecutor and professor at the University of Colorado Law School, told Forbes that this isn't just creepy, but it's also likely grounds for a class action lawsuit, citing a federal wiretapping law.

Make sure to check out the video below to see what Trevor discovered.

 http://www.youtube.com/watch?nomobile=1&v=legx3K_Ul_I

]

Saw this on another forum........thoughts?

Edit: you Iphone users arent safe either. Safer, but not totally safe.

 http://gizmodo.com/5864107/yes-your-iphone-is-tracking-you-with-carrieriq-too

All hellbrokeloose yesterday when it was discoveredthatmost Android phones (and BlackBerries, and others) are recording every keystroke you make. Now, references to the same software have been discovered in Apple'siOS. But in this case, it only logs technical data and it's off by default. Last night, prominent iOS hacker chpwn tweeted that he had found reference to the same, now notorious Carrier IQ software in iOS 3. After just a little more poking and prodding, it was confirmed that these references exist all the way up to modern day iOS 5, they're just under a different name: /usr/bin/awd_ice2. But wait, beforeeveryone starts returning their iPhones (none of you were going to do that anyway), there's a bit of good news.

It seems that the data Carrier IQ has access to is much more limited than it is on Android. From chpwn's blog: "...it does not appear the daemon has any access or communication with the UI layer, where text entry is done." That is extremely good news if it proves to be true, because it would mean that iOS wouldn't be logging your passwords, emails, SMS messages, etc. Even more good news: CarrierIQ only kicks in when the iPhone is in Diagnostic Mode, which is off by default. So you'd have to actively tinker with settings you never use for it to work.

When activated,though, CarrierIQ does appear to log your name, phone number, carrier information, some info about the calls you are making, and your location (if Location Services are enabled). There may well be more, they just haven't found it yet. We'll update as we learn more.[chpwn viaThe Verge viaTheNextWeb]

[RedRoof2]

Yep.  Saw this article.  Not like I'm watching child porn or anything, but this still pisses me off.  I access my accounts through my phone.  If they're logging data and keystrokes, it'd really SUCK if someone hacked into their database and stole all that info.  Just like someone did to Hannaford a few years back.

[LarenF3D5]

I'm insured against identity theft. /shrug

[skyphix]

CYANOGENMOD.

[madlife]

I'm insured against identity theft. /shrug

I always wondered how insurance works against identity theft.   I can see if someone steals your passwords and wipes your bank accounts out, but what would they do if you one day went to get a loan and pull a credit score of 145?   

Thank god my blackberry is so old that it cant even open my bank's website.

[ed]

CYANOGENMOD.

Seriously.

Overblown anyway. None of my phones have this issue.

[TheBigChill]

CYANOGENMOD.

 ^ For the phones that are easily rooted.  My Hero was stupid easy to root.  My Legend, not so much.


 So if this is on my phone, I should be able to find it in the "system/app" folder, if IQRD is in fact installed ?

[skyphix]

http://www.extremetech.com/computing/107427-carrier-iq-which-phones-are-infected-and-how-to-remove-it

EDIT: Also, didn't realize that revolutionary didn't support the Legend. That kind of sucks. I am exceedingly happy with my Thunderbolt and Cyanogenmod running at 1.4Ghz.

[Kavik]

 This sucks......but, if we can't trust the official software that comes on our phones, how are we supposed to know that the aftermarket OS's don't have something similar with, perhaps, more sinister intent?
 There was a pretty big issue a year or so ago when one of the bigger developers (I wanna say it was the Liberty OS) proved that he could do a lot of freaky shit with your phone, then accidentally put out that code in one of the nightly updates.

 And how many people don't even look at the permissions (or look, but don't understand what they're saying okay to) on some of these free apps we download?  Free financial planners, password storage tools, etc....who's to say that any program that allows writing to the sd card "for backing up the software settings" or "for saved game data" and full internet access "for embedding advertisements" isn't really a keylogger uploading to an online server?


*sighs* time to go build another layer into my foil hat 

[skyphix]

And thats why you don't overlook app permissions.

As far as trusting the 3rd party developers, larger ones (like CM/etc.) Have a large enough community to cross-check whats actually going on. The beauty of open source software.

Also, you could always roll your own from the source. I mean, that is sort of the point of the AOSP.

[RedRoof2]

I've got a feeling they'll be answering to congress on this one.  It's going to get nasty, fast.

I'll be following directions on removing it this evening when i'm home.

[Kavik]

And thats why you don't overlook app permissions.

As far as trusting the 3rd party developers, larger ones (like CM/etc.) Have a large enough community to cross-check whats actually going on. The beauty of open source software.

Also, you could always roll your own from the source. I mean, that is sort of the point of the AOSP.

honestly though, people overlook them all the time

For example:

Angry Birds - 50 million + downloads
Permissions:
Modify/delete SD card content
Read phone state and identity
Full Internet Access
Coarse (network based) location

Words With Friends - 10 million + downloads
Same as above, but instead of Coarse Location, this one has access to read all your contact data instead


And that's just for a couple, retardedly popular, free games.  You want real scary potential, go look at GO SMS Pro.  I use it for my text messaging program, and all those permissions do have valid functions within the program....but my God, it's scary to think the things they could do with what they have access to

[TheBigChill]

 Great.  So I can't even check to see if this piece of crap is on my phone.  Rooting the Legend is a PITA.  I had to be different, and buy a Canadian phone.  Sheesh

[spoolordie]

My minutes are unlimted, never have to charge it, cant send SMS but hey my Verizon/beeferoni's  plan is free

[RedRoof2]

My minutes are unlimted, never have to charge it, cant send SMS but hey my Verizon/beeferoni's  plan is free

No n00d p1cz either.  sux.

[Kavik]

he probably has a playboy cutout taped on the inside bottom 

[spoolordie]

damn I've been compromised   

[ipodwinner31]

So apparently the HTC incredible doesn't have it....my cousin is a computer security grad and him and his friend checked it out. Glad I have an incredible

[hydrochloric]

Glad I have an LG... uh....  Is crap-box-shit-piece an LG model?   It's an enV Touch, so at best it's a stupid-phone, if not a troglodyte-phone.  Besides, the browser is so shit anyway, I barely use it.

I'm sort of happy I have an iPod Touch now.

[ipodwinner31]

Haha I used to have the env touch....not a bad phone, just kinda......outdated...

[LarenF3D5]

While I'm aware that this also effects iOS devices to a point is it wrong for me to say I'm glad my apps require an approval process and Apple has a vested interest in keeping my info in their own grubby hands?

I know its not necessarily a better situation, but with a review process of sorts I feel somewhat better about what's on my phone.

[skyphix]

TBC: http://lifehacker.com/5864467/check-if-your-android-phone-has-carrier-iq-with-voodoo-carrier-iq-detector-no-rooting-required

[hydrochloric]

Haha I used to have the env touch....not a bad phone, just kinda......outdated...

Did you keep yours in your pocket?  If you did, I can't figure out how you didn't hate it.  I figured, being a touchscreen, it would be like my iPod, not activate anything in my pocket.  What I found out is the touchscreen on the enV can be activated by anything, and the side button unlocks it way too easily.  I have butt-dialed, butt-texted, butt-bought-an-"app", and even butt-took-a-picture.

That and it turns itself off all the time.  Verizon store tech said it was a battery issue and "he would send out a new one."  That was the beginning of the summer.  Still no battery.

[ed]

honestly though, people overlook them all the time

For example:

Angry Birds - 50 million + downloads
Permissions:
Modify/delete SD card content
Read phone state and identity
Full Internet Access
Coarse (network based) location

Words With Friends - 10 million + downloads
Same as above, but instead of Coarse Location, this one has access to read all your contact data instead


And that's just for a couple, retardedly popular, free games.  You want real scary potential, go look at GO SMS Pro.  I use it for my text messaging program, and all those permissions do have valid functions within the program....but my God, it's scary to think the things they could do with what they have access to

WWF reads contact data because it uses it to find friends that you can play with.

Btw, CM never had and never will have CIQ. Only the stock OTA releases from carriers have been caught with it. Honestly, I never run stock OTA because it's garbage so I can't say I'm too worried. And to think people always wonder wtf I'm messing with my phone so much and telling folks to root their shit. Shrug.

[Malachoz]

Ed. I love you. /thread

I'll be googling how to root my Evo 3D later.