Video of carrierIQ in action

[styrafoam]

If you don't know the backstory on this read the article

http://www.geek.com/articles/mobile...ponds-to-carrieriq-with-video-proof-20111129/

It seems to record pretty much everything. Your text messages, even though carrierIQ insisted otherwise, are recorded. Passwords over https while surfing on wifi are recorded.

straight link to youtube video without the article:

http://www.youtube.com/watch?v=T17XQI_AYNo

 

[alent1234]

even what porn you surf in the anonymous browser

 

[Red Storm]

So is this carrierIQ company only associated with HTC?

 

[alent1234]

nope, just android in general

 

[podspi]

I am going to assume those of us running a custom ROM are "safe"?


Motorola really needs to unlock those bootloaders... my OG Droid needs to be retired!

 

[dguy6789]

nope, just android in general

Don't post about things that you are uninformed about. This doesn't come with Android and isn't on all Android devices. There are very specific manufacturers that use this.

 

[abaez]

According to another article, the software is also on nokia and blackberry phones.

 

[AstroManLuca]

I am going to assume those of us running a custom ROM are "safe"?

Motorola really needs to unlock those bootloaders... my OG Droid needs to be retired!

If you installed your custom ROM recently, you should be. I know that with my phone, the ROM chefs didn't figure out how to disable CIQ immediately, so some early ROMs still have it. All the popular ones released in the past 8 or so months have it removed though. The only recent ROMs that might still have it are stock ROMs, but even then most "stock" ROMs only LOOK stock and have a number of under-the-hood tweaks such as disabling CIQ.

And agreed on the locked bootloaders. I don't know why anyone does it. It's not like ROM hackers represent an extremely large percentage of smartphone users, and installing a custom ROM has never done any damage to a phone maker. Even phones and tablets with locked bootloaders have root exploits and people install new launchers and delete existing software pretty regularly, so it doesn't prevent anyone from removing bloatware if that's what they're trying to do. And it probably makes things worse from a service standpoint since in most cases, the harder a phone is to hack, the easier it is to brick.

 

[WelshBloke]

According to another article, the software is also on nokia and blackberry phones.

I'd be quite happy to bet that all stock phones from all manufacturers do this to some extent regardless of OS.

 

[s44]

I'd be quite happy to bet that all stock phones from all manufacturers do this to some extent regardless of OS.

Nope. Evil US carriers. The Rogers firmware for the SGS2 LTE (Skyrocket) has no Carrier IQ, while the hardware-identical AT&T one does.

And, as an editorial I read this morning points out: Nexus.

 

[WelshBloke]

Nope. Evil US carriers. The Rogers firmware for the SGS2 LTE (Skyrocket) has no Carrier IQ, while the hardware-identical AT&T one does.

And, as an editorial I read this morning points out: Nexus.

Just because a phone doesn't have carrier IQ doesn't mean it wont be doing something similar.

 

[randomlinh]

Is it actually recording or just monitoring?

Everyone has been saying "logging" but this is him turning on debug mode, no? Not to say that makes it any better, but it's an important distinction for now, I feel.

 

[shabby]

I am going to assume those of us running a custom ROM are "safe"?

Majority of rom "developers" are dubbed winzip developers, they take a stock rom, add/remove some apps, add a kernel/modem/theme they like and zip it up and release it. So no, a custom rom is not safe unless ciq is specifically ripped out, and only a handful of developers are capable of doing this.

Just because a phone doesn't have carrier IQ doesn't mean it wont be doing something similar.

Great scott! Using that logic my calculator could be logging my additions and subtractions!

Is it actually recording or just monitoring?
Everyone has been saying "logging" but this is him turning on debug mode, no? Not to say that makes it any better, but it's an important distinction for now, I feel.

The "submit" and "pushtociq" "smstociq" words from the logs almost suggest that these are being sent. Debug mode simply gives you the ability to query and send commands to the phone.

 

[sciwizam]

Looks like iOS also has it..

Carrier IQ references discovered in Apple's iOS

Check @chpwn for more info

https://twitter.com/#!/chpwn

 

[kyrax12]

what is the point of CarrierIQ?

Why is it in smartphones?

 

[podspi]

Majority of rom "developers" are dubbed winzip developers, they take a stock rom, add/remove some apps, add a kernel/modem/theme they like and zip it up and release it. So no, a custom rom is not safe unless ciq is specifically ripped out, and only a handful of developers are capable of doing this..

I'm using ChevyNo1's Simply Stunning. If anybody could do it, it would be him .

Although I don't think he did, SS is based off of CyanogenMod, which is built from source. So yay.

Has anybody found any references to CIQ in any privacy agreements? I never saw any myself. This could turn into a class-action lawsuit if this news picks up steam.

 

[alent1234]

what is the point of CarrierIQ?

Why is it in smartphones?

supposed to be used for diagnostics, but it looks like the carriers are taking it too far

ideally it's supposed to collect a minimum set of data for carriers to get data about issues in their networks, usage and bugs to keep developing the OS, etc

 

[MrX8503]

Looks like iOS also has it..

Carrier IQ references discovered in Apple's iOS

Check @chpwn for more info

https://twitter.com/#!/chpwn

iOS has it, but its not as bad as Android. On iOS it only works when its in diagnostic mode and its disabled by default.

"It’s present on nearly all Android devices, but not Galaxy Nexus, Google Nexus One, Nexus S, or the Motorola Xoom. It’s also present on iOS devices, but it seems to be active only when the device is in diagnostic mode." -Mashable

When Apple caught flak for the geo tracking Steve said that Android does too, I guess it was true.

 

[alent1234]

and on iOS you can disable sending the data. it also shows you exactly what it collects

 

[adamantinepiggy]

Outside of privacy issues, the problem with this root level key logging software is that, although the chances are that carrierIQ might never intends to take advantage of any personal or secure info (like logins and passwords) that is transmitted, unscrupulous crminals can simply hack the paths and/or points to which the data is sent instead of having to directly hack your phone. Why bother hacking the phone since a "legit" company has already provided that part for the bad guys. As was shown in the video, supposedly "secure" https information was logged before it was even encrypted.

All the bad guys need to do is find a way to intercept the data points or data aggregation for the entire wealth of logins to banks, etc, and a bajillion or nice things like blackmailable texts, numbers called, etc, etc. Basically everything you do through your phone since it's logging everything for nefarious reasons (rather than simple dumb corporate advertising/sales reasons).

If I was a nefarious hacker, I would be giggling with joy at a new single source of getting all that info, rather than having to trick you or hack your phone. And the worst part is that you'd never know it or even have a chance to prevent it since the majority of customers are clueless that their phones is logging every damn thing they do and sending it to a third party..

 

[adamantinepiggy]

Oops double posted sorry! Can't figure out how to delete it..

Outside of privacy issues, the problem with this root level key logging software is that, although the chances are that carrierIQ might never intends to take advantage of any personal or secure info (like logins and passwords) that is transmitted, unscrupulous crminals can simply hack the paths and/or points to which the data is sent instead of having to directly hack your phone. Why bother hacking the phone since a "legit" company has already provided that part for the bad guys. As was shown in the video, supposedly "secure" https information was logged before it was even encrypted.

All the bad guys need to do is find a way to intercept the data points or data aggregation for the entire wealth of logins to banks, etc, and a bajillion or nice things like blackmailable texts, numbers called, etc, etc. Basically everything you do through your phone since it's logging everything for nefarious reasons (rather than dumb corporate advertising/sales reasons).

If I was a nefarious hacker, I would be giggling with joy at a new single source of getting all that info, rather than having to trick you or hack your phone. And the worst part is that you'd never know it or even have a chance to prevent it since the majority of customers are clueless that their phones is logging every damn thing they do and sending it to a third party..

 

[AstroManLuca]

Majority of rom "developers" are dubbed winzip developers, they take a stock rom, add/remove some apps, add a kernel/modem/theme they like and zip it up and release it. So no, a custom rom is not safe unless ciq is specifically ripped out, and only a handful of developers are capable of doing this.

Then again, a lot of them also base their roms on other custom roms, which may have CIQ removed.

But you're right, to be safe you have to make sure you read everything the developer writes about the rom and if he doesn't mention that CIQ is removed, assume that it isn't.

 

[s44]

Removing CIQ isn't that hard.

 

[adamantinepiggy]

Removing CIQ isn't that hard.

Neither is ROM replacement, however the average person is not even aware that this key logging type stuff is going on, much less are worrying about fixing it.

 

[cheezy321]

Looks like iOS also has it..

Carrier IQ references discovered in Apple's iOS

Check @chpwn for more info

https://twitter.com/#!/chpwn

iOS hasnt used it since iOS 5 and apple says that keylogging, messages and passwords were never recorded, unlike android products.

http://techcrunch.com/2011/12/01/apple-we-dont-use-carrier-iq-in-most-of-our-products-anymore/