SKORPI0
Lifer
- Jan 18, 2000
- 18,431
- 2,357
- 136
Something interesting to read....
Android Security Test
Android Security Test
As mentioned before, Carrier IQ is rootkit software. It listens on the phones for commands contained in tasking profiles sent a number of ways and returns whatever metric was asked for.
Profile transmission can occur in a variety of ways, including pushing the data collection profile to the target device, sending a message, such as an SMS, to the target device prompting it to retrieve the data collection profile, and preparing the data collection profile for download the next time the target device contacts SQP 201 such as when it uploads a metrics package. Such profile transmission to the SQC 402 residing on the target device(s) may be achieved using any of a variety of transport mechanisms and standards including Short Message Service (SMS), Hypertext Transport Protocol (HTTP), Hypertext Transport Protocol Secure (HTTPS), Wireless Application Protocol (WAP) Push, IP-based Over-the-Air (IOTA) protocol, OMA/DM, or other protocols that are known in the art or that may be developed in the future. From (http://www.patents.com/us-7609650.html)
IQ Insight Experience Manager uses data directly from the mobile device to give a
precise view of how the services and the applications are being used, even if the
phone is not communicating with the network. (From http://www.carrieriq.com/company/PR.Experience_Manager.CTIA-09.090325.pdf )
See the below process flow
So theres a remote portal?From training documents found we get an insight to the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs. The portal administrator can put devices into categories and see devices in California that have dropped calls at 5pm.
The down side to all of this is the portal administrator is also able to task a single phone with a profile containing any combinations of metric and trigger. From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know Joe Anyones location at any given time, what he is running on his device, keys being pressed, applications being used.
Why do you keep calling CarrierIQ a rootkit?
The definition of rootkit from wikipedia is exactly what CarrierIQ is.
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of root (the traditional name of the privileged account on Unix operating systems) and the word kit (which refers to the software components that implement the tool)
CarrierIQ as seen in real world usage (HTC Devices especially) is nothing like the stock copies shown on the first page. All menus have been stripped, hiding it from users presence without advanced knowledge. The service also runs as user Root in ramdisk. It checks in to a server (or receives commands through other various access) with commands to allow someone undetected access.
Who is using this data?
Verizon has publicly came forward with a statement regarding their usage on Carrier IQ statistics and give users a way to stop them from selling the information outside of Verizon
https://email.vzwshop.com/servlet/website/ResponseForm?OSPECC_9_0_9hg_eLnHs_uhmpJLE
Verizon Wireless will use the following categories of information:
Mobile Usage Information:
Consumer Information:
- Addresses of websites you visit when using our wireless service. These data strings (or URLs) may include search terms you have used
- Location of your device (Location Information)
- App and device feature usage
Sprint is known to collect carrier IQ data because users have the application running reporting to them, but have no privacy policy, retention policy, or public information on what they use the data for.
- Information about your use of Verizon products and services (such as data and calling features, device type, and amount of use)
- Demographic and interest categories provided to us by other companies, such as gender, age range, sports fan, frequent diner, or pet owner (Demographics)
Do we have to Opt-In to this collection? Can it be stopped?
Devices are automatically entered into using Carrier IQ. Samsung android devices have an on off switch, but it is not easily accessible or made known to users that its even there. HTC android devices have no such off switch. Even if you purchase a phone on eBay completely off of sprint, use it on wifi only, Sprint will still be enabled to task your device with metrics because of no available off switch and Carrier IQs aggressive reporting nature across multiple protocols.
It also should be noted all the surveys and user facing dialogs have been stripped besides the below screenshots which require advanced skills to access.
Samsung screenshots thanks to k0nane on XDA See the full post where he removed carrier IQ here
Detection / Removal:
There are a few advanced methods that can be used to detect Carrier IQ. Logging Test App scanner will detect it in the kernel (use Check Props Feature), as well files used in the regular Loggers scan. This will detect Carrier IQ regardless if you are rooted or not. You can also use this app to bring out hidden menus for known versions of CIQ clients.
The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ. Logging Test App can identify files used in logging and you can manually patch or use Pro version to automatically remove.