Developer claims phone software spies on millions

mobile

By Stewart Mitchell

Posted on 30 Nov 2011 at 11:46

A mobile phone analytics tool has been accused of snooping on millions of consumers, despite the manufacturer denying it logged user actions.

Android app developer Trevor Eckhart has posted a video in which he claims to prove millions of smartphones are monitoring the location, key presses and messages of users via the Carrier IQ software.

Carrier IQ, which says it provides tools for carriers to better understand subscribers, had insisted after earlier accusations from Eckhart that it didn't log keystrokes during its information gathering. However, in a video posted on YouTube the developer showed how the software collected this data.

Using packet sniffing software, Eckhart showed how data was logged both when connected to a wireless network and when in “airplane mode”.

"The permissions list is pretty extensive, everything from calling numbers and stuff that costs money to reading messages, location and recording audio," he said in the video.

According to the researcher, the HTC device used for the demonstration was not rooted and had been factory reset, but he stressed the software ran on Nokia and Blackberry handsets too.

Carrier IQ itself claims to be installed on more than 140 million handsets after being embedded by device manufacturers.

We are waiting to hear back from Carrier IQ for its comments on the claims.

User comments

!

I don't know a lot about Android handsets but capturing HTTPS traffic is pretty bad. Does this software need embedding by the manufacturer or could any installed software do this?

If so, it's a pretty massive security problem for the whole platform.

By JStairmand on 30 Nov 2011

rootkit

It would seem Carrier IQ is essentially a rootkit installed by the manufacturer / carrier. Carrier IQ have posted an explanation (which might be wrong if Eckhart's results are accurate) on their website at http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf

By milliganp on 30 Nov 2011

Not only android

"he stressed the software ran on Nokia and Blackberry handsets too!"

This has nothing to do with Android itself!

"Carrier IQ itself claims to be installed on more than 140 million handsets after being embedded by device manufacturers"
It should be the manufacturers that we should be worried about!

By sandman652001 on 30 Nov 2011

If this is true it is extremely worrying. How could such a massive invasion of privacy be legal? Would also be a huge blow to Blackberry's security reputation.

By JamesD29 on 30 Nov 2011

Storm in a teacup?

He shows the CIQ software is there and running.
He shows all the keystrokes are captured by USB Debugging.
He does not show any relationship between CIQ and USB Debugging.
I'm no expert, but 'USB Debugging' sounds like it is a tool for debugging over USB. I would assume it captures and records all events for the purpose of debugging.
There is no "packet sniffing" going on here.
Now, if he were to switch Debugging OFF, and actually capture all this same stuff over the air using "packet sniffing software", that would be different. But he hasn't. All he shows is that USB debugging works as expected.

By martindaler on 1 Dec 2011

Not on my htc

I'm running an unbranded Sensation and the software he is talking about in the video isn't present.

Is this only applicable to carrier branded phones?

By big_D on 1 Dec 2011

@martindaler

I've just finished watching the whole video and I have to agree with you, he does not show any packet sniffing.

He shows USB debug mode, so it isn't surprising that the HTTPS request is being shown in the clear, as this is the browser outputting debug information to the USB port; this is NOT what is being sent out over the air! In the first part of the video, he is using Airplane mode and it is still showing the debug information, so it has nothing to do with packet sniffing!

I agree with your comment about turning off USB debugging and turning on packet sniffing.

It would be interesting to see what then happens, whether this information ever leaves the phone, or not.

As I said in my previous comment, the software isn't even installed on my device.

This is the second security scare using htc devices as the example and this is the second time that I've found that my htc Sensation doesn't have the noted software installed.

I'm sorry to say that this is very poor reporting on PC Pro's part.

To call USB Debugging "packet sniffing" is horse hockey and the information in the video isn't showing us anything useful.

A little more research next time, before putting up such scare stories, please.

By big_D on 1 Dec 2011

Also on iPhone?

http://www.theregister.co.uk/2011/12/01/ios_has_carrier_iq_client/

Reports say the software is also to be found on iPhones...

What next? Windows Phone as well?

By big_D on 1 Dec 2011

...but then again

CIQ is pretty much damned by its own website:
http://www.carrieriq.com/overview/IQInsightServiceAnalyzer/index.htm

they even show a sample data capture, mapped to show location, together with call start and end times "measured at the point of delivery – in the mobile phone – to provide an unparalleled level of quantitative information".

OK, so no record of the number dialled, but do I need anybody other than my carrier to know where, when and for how long I made calls on my individual device?

By martindaler on 1 Dec 2011

... and they carry on

"IQ Insight gives you more than just data – it provides the monitoring and drill-down capabilities to move seamlessly from analysis of a group of devices containing as many as several million active users, through to detailed inspection of data from specific devices and events of interest. The ability to switch effortlessly from the "telescope" view of a population of a large number of users right down to "microscope" analysis of individual devices and events is a unique capability of IQ Insight."

http://www.carrieriq.com/overview/IQInsightDatacardAnalyzer/index.htm

By martindaler on 1 Dec 2011

At least...

it is US only (at the moment).

The data only goes to CIQ and the carriers - when it works "right"... :-S

By big_D on 1 Dec 2011

More information

I've found more information on this, along with quotes from manufacturers and network carriers, over at engadget.
www.engadget.com/2011/12/01/carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to/

By mviracca on 1 Dec 2011

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.