The Bishop and the Butterfly: Murder, Politics, and the End of the Jazz Age

    Irresponsible speculation in Carrier IQ "spyware" case.

    Last Wednesday, I highlighted recent hubub around a piece of mobile phone metrics collection "spyware" called Carrier IQ. Since then, there have been some significant happenings. Largely because, after the EFF's involvement and Carrier IQ's decision to cease legal threats, researcher Trevor Eckhart provided more explicit documentation [note: the site has been crashing occasionally due to extraordinarily heavy traffic] of how the Carrier IQ software has been implemented on his HTC Evo 3d (Sprint). With Video.

    What the software appears to be doing in this case looks pretty bad. And it is, no doubt.

    Between the Conde Nast highlight last week, Carrier IQ retracting the legal threats with a 4:35 Thanksgiving-eve news-dump (brilliant PR that, BTW), followed by this video/analysis ...  if this were politics (and, actually, it is) we would say this has grown some legs. And as things with legs do, the story has already run off the rails somewhat. A prime example is an article by Andy Greenberg in Forbes which, despite serious questions raised by the situation, dips into being irresponsible.

    A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it’s tough to spot and nearly impossible to remove [..] Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.

    “If CarrierIQ has gotten the handset manufactures to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap.”

    [...] Carrier IQ captures every keystroke on a device as well as location and other data, and potentially makes that data available to Carrier IQ’s customers. The video he’s created shows every keystroke being sent to the highly-obscured application on the phone before a call, text message, or Internet data packet is ever communicated beyond the phone.

    A few things are simply wrong about this article. The wrongness boils down to two general issues: one of likely blame and one of ensuring accurate allegations based on facts in evidence. Based on the information we have it seems the characterization of the software relies on several mistaken premises and could very well be leveling unwarranted charges at CarrierIQ for actions taken and customizations by clients which were completely beyond the company's control. Fundamentally, Greenberg misses what appears to be the nature of the Carrier IQ software/API and also seems unclear on the way Android works. As such, Paul Ohm is not really being given information that is accurate or complete enough to make a very informed analysis.

    What Carrier IQ appears to sell is a framework/codebase/API and a suite of utilities for collecting and processing related data. The training materials showed three distinct aspects to the system: (1) app on the device, (2) server that collects data, and (3) "portal" software to interact with the server for reporting and analysis. This is not an application as the typical consumer purchases it. The "stock" Carrier IQ software (described in the last post) is almost certainly provided to the device creators along with source code. Typically, developers use this sort of example code as a demonstration how the major aspects of the API can be implemented; a starting point used to create a custom-tailored implementation for any device. It would be expected to interact correctly with the other two pieces of the system to allow a smooth demonstration of basic capabilities. The fact that there is no known commercial device using the "stock" implementation supports this assessment.

    It is almost certain implementation at the device level is developed and customized by the carrier/hardware developer - with features created/activated based on their unique needs by their in-house development team. In the case of the Evo 3D used for the video, this means that HTC, Sprint or both had an opportunity to make significant changes to the Carrier IQ codebase as it is implemented in the device. It is also known that the "portal" software is implemented by the carrier/device manufacturer and appears to simply display and sort records in the compliant format. Data collection appears to be largely or exclusively under the control of the end client as well; superficially, hosting a database which could reside anywhere would seem to be a neutral platform service if provided by Carrier IQ.

    I can think of PLENTY of ways Carrier IQ could be in it up to their eyeballs. But it is important to point out, there isn't evidence for any of them yet. Based on the facts thus far known,  In the even that something about Evo's implementation turns out illegal, Carrier IQ is probably positioned as least likely to be responsible. The way this article presents things, it sounds like Carrier IQ somehow tricked hapless carriers and manufacturers into installing spyware on their customer's phones. It seems clear that *if* an implementation behaves as spyware, the device maker defined it's behavior.

    A hammer is an undisputed tool until someone bashes a head in with it. I'm not willing to immediately condemn the hammer maker (speaking as a toolmaker myself).

    Beyond accusing the potentially wrong party, the technical description of what is being shown in the video is not exactly right. The "captured" information shown in the video is what I call console spam - text that devs put in to track various aspects of their software - that gets spit out on a debugging screen called "the console" as the app is running. When the phone has a bunch of stuff running any of them can be printing to the console at the same time.

    Just because something doesn't pop up there doesn't mean that an app somewhere did not see an event (intent) and respond to it. In fact, most other Carrier IQ implementations seem to avoid console output. Similarly, seeing a report in the console of an event triggering an app doesn't necessarily provide specific insight what was done when the trigger was received. The listener might store information, it might start recording from the voice stream, transmit stored information to a server,  increment a counter or simply do nothing. That is showing what the system *can* respond to.

    In Android, the limit on what an app *can* do is defined by it's security permissions. And in this respect, regardless if it reports what is done to the console, the application can literally access, record or manipulate every significant aspect of the cell phone ... and if it wants to, quietly implement a routine that responds to any phone event. Technically, several packages that are a part of a device's core have equal access to the deepest levels of the phone. It is the storage and reporting aspects of this that make it troubling, not necessarily that a piece of software created and installed by the device manufacturer is root-level integrated into the OS.

    While many people will be caught up on the demonstration showing how the software could access a text message's body, the most concerning thing shown was the demonstration of how it captures web requests. The video did NOT show something happening "before every data packet is sent to the internet" (wrong on so many levels). What it showed was information that is supposed to be immediately encrypted (by webkit?) instead echoed in plaintext to the console. Inside the phone, the "console" is stored in a file called "logcat". This means that even if the information being passed between executing apps was ignored or only kept in a temporary memory variable for some purpose, a plain-text record of the information is stored on the phone in a low-security file ... which appears to finds a consistent exit route from the phone through Google's own voracious private information hoovering ways.

    Google Checkin is the service responsible for “checking in” to google with data in /data/system/dropbox. Crash dumps, lastkmesg, dmesg, full logcat dumps are in here. On google checkin (open up market, sync gmail, login to a google service) this data is synced.

    As such, we have to assume that anyone using the Evo 3d (at least) who has accessed an https service that utilizes sensitive plaintext requests under the expectation data would be encrypted now likely have that sensitive information stored on Google's server somewhere if indeed Google is archiving logcats.

    This really does kind of look like a mess. My bet is whoever controls the CarrierIQ portal for those phones (Sprint, I'm looking at you) will deploy a whole new metrics package to these devices in the next few days. A less bouncy one ... or at least one that doesn't report what it's doing to the console.

    There are a million solid and important questions that need to be raised here. And there very well could be cause for a lawsuit or three before all is said and done. But let's figure out what exactly has happened and who did it ... then level informed accusations at the correct party.

    [originally posted at kgblogz ... edited slightly for context.]

    Comments

    Thanks for the update, kgb. It's nice to know what this is as well as what it isn't.


    If I were guessing how this will all shake out, I think where the most serious questions need to be pointed would be in the direction of Sprint ... and carriers in general.

    As for Evo users; they have an additional problem. Regardless what HTC/Sprint/Carrier IQ have decided to collect; some dumb-ass developer put a program on their cell phones that is dumping a ton of sensitive data into a plain-text logfile ... a logfile that is apparently being downloaded routinely by Google. The file potentially holds personal data the device user had reasonable expectation was completely encrypted - certainly seems beyond any debate that the user intended to keep it private and would not agree to allow Google to hold such information.

    The implications of that are actually pretty huge. It really needs to get cleaned up. Which means Google needs to verify if they've potentially collected this data. And they also need explain how they are ensuring it is entirely removed from their databases and archives.



    And this:

    Assange warns of phone monitoring

    WikiLeaks founder Julian Assange has told smartphone and email users "You're all screwed", as he unveiled his latest publications.

    The whistle-blowing website has released details of companies it says are selling information obtained by monitoring people's mobile phones and computers.

    According to Mr Assange, more than 150 organisations around the world have the ability to use phones as tracking devices as well as intercept messages and listen to calls. Those companies then sell the wholesale information, often the telecommunications data of "entire populations".>

    He told a press conference at City University in London that the publication of the "Spy Files" is a "mass attack on this mass surveillance industry".

    The 40-year-old asked the audience of students and press: "Who here has an iPhone? Who here has a BlackBerry? Who here uses Gmail? Well, you're all screwed.

    "The reality is, intelligence contractors are selling right now to countries across the world mass surveillance systems for all those products."

    Mr Assange said this interception, although lawful, is leading towards a "totalitarian surveillance state".

    Spy Files


    Yeah. It is a total disaster at the moment. And each platform has it's own messed up way of being terrible on this. For example ....

    http://arstechnica.com/tech-policy/news/2011/11/researchers-find-big-lea...

    I rooted my phone and installed a custom OS quite some time ago ... feel a lot more secure as a result. The ability to do this is one of my hardware requirements now when shopping for a new device.

    Haven't gotten a chance to browse the Wikileaks data yet; I'm still fiddling with this CarrierIQ thing.


    Agree - I just went back to MS DOS 2.0. No blue screens of death, make my calls using ATDT commands. So 1982.


    Actually heading that direction myself on some core stuff that I'd like to be sure is secure.

    Although, I'd be hesitant to try and use 2.0 for much. I like 6.2.2 .. it has a ton of capabilities but misses all that shit they added for Win95 in MSDOS 7.

    How are you handling today's larger hard drives?


    I just install the basic partition and 3 virtual ones - I think I get a whopping 2560K addressable disk space. Holds my phone book and everything.


    Yeah. That's the easiest way to go ... not ideal though. (but I'm able to address 2gb in 6.22 ... they added FAT32 in DOS 7)

    If you haven't played with the Arachne DOS internet suite yet ... check it out.

    http://www.glennmcc.org/

     


    Not exactly apropos to the security discussion, but when my Motorola Razr died about a year ago, I was given a used Android-based devince...and it was an awful experience. It was as if its purpose as a phone was completely lost to whatever various actors contributed to its design, form, and function. For instance, I could not write to the SIM card to store my phone numbers. I was required by the device to write it all to a Google server.

    I just don't get, and probably never will understand, the allure of an OS (Linux or some other) on a phone. It seems to me that all that does is open people to what we see in this issue.

    So I dumped the Android-encumbered bugging device and picked up a $100 Samsung slide-thingy which works great as a phone.


    My guess is your problem was really the UI more than the OS. Depending on the model and carrier - they loaded some Android devices down with *obnoxious* shit.

    What kind of Samsung did you get? And why do you assume it doesn't have similar issues?


    It's called Smiley; it's a basic texting slide, with a few features tacked on: camera, browser, etcetera. It is some sort of proprietary platform; which seems to me to be more of a firmware rather than an OS. For instance: it does not mount the SD card; it prepares it for use.

    I am not sure if there is a real distinction between what is happening in an Android and a Smiley WRT the SD card. I do know that unix-workalikes always(?) mount drives.

    I can believe that the UI has improved; but so far, I don't see (for myself) a reason to have an OS (like Linux or some other) on a phone. As far as I know, I can do anything I need to do with what I hope is a phone version of MS-DOS. Which means that I don't know the Samsung has no similar issues; it's more that I think it's less likely (being dumber, I think) to be hijackable or rootable by some hostile entity.

    Now, if I could install an OS on a phone in the same way I put one on an i386 workalike; then maybe I'd see the light. But that would require the ability to swap out parts and use GNU software like I do in my mini-atx case. And I don't see that happening; but I could be wrong.

    WRT rootkits and other forms of snoopware (governmental, as well as corporate) at the i386 BIOS chip level, see also:

    http://www.fsf.org/campaigns/free-bios.html


    it does not mount the SD card; it prepares it for use.

    That is a difference without distinction ... stock Android says "Preparing ...." FWIW.

    It's not so much that the UI has "improved" ... it's just that damn near every carrier and manufacturer decided to make up their own obnoxious UI overlays. For a while there they were really getting pretty shitty. Seems to have mellowed out quite a lot recently.

    Your phone uses a proprietary OS. Developers write software for it in Java. Probably is less susceptible to external hacks ... still fully enables every aspect of the phone at the OS layer though.

    As for installing an OS on the phone ... the fuckers are just a little computer with a bunch of cool hardware all crammed in there. I'm not running stock Android, I'm currently running a custom-brew Android-based OS called Cyanogyn. There are a bunch of different Android flavors tweaked for various purposes (speed, security, etc.) and folks have installed everything from Ubuntu Linux to WindowsXP on their phones. You can even do it with the iPhones and newer Blackberries. Between bluetooth and USB, they are pretty dam expandable too.

    It really depends on what you want though. For me, I liked being able to do the computing stuff without having to carry a laptop (for instance, VNC on my phone is very helpful). Feature phones work great for a lot of people still ... and there seems to be a market for phone-like smartphones appearing too; so you probably aren't alone.

    As for the snoopware ... there are just so damn many now. The stuff they built into WindowsXP is brutal too.


    Thanks for the followup info; it's useful and informative.


    Getting back to the Carrier IQ issue, kgb, thanks for the technical insights and the link to Eckhart's reports. A lot of people, like CNET, are now backtracking on their initial alarm at Eckhart's revelations ("Nothing to see here, folks; move along.") But after reading them firsthand, I'm heading in the opposite direction.

    If all you're doing is monitoring network and equipment performance, why the need to bury the software so deeply, so invisibly, and deny the customer any way to disable it? And is the best way to "assess battery life" to install a program that runs all the time? Nonsense.

    Here's one summary of where we stand today:

    http://www.tomsguide.com/us/Carrier-IQ-AT-T-Android-iOS-webOS,news-13374.html

    Carrier IQ keeps keeps reassuring people that, while the software has access to everything that you do on your phone, it reports back only on what the individual carrier asks it to. And some security experts have tested sample phones and concluded it does not does log and transmit keystrokes.

    But a company VP adds that carriers can install the software "after market" via an update -- which could explain why it's been found on some Blackberries, when RIM says it doesn't install it or authorize anyone else to. Eckhart has already said the software can ID individual phones. So in theory couldn't the carrier update a particular subscriber's phone with a tweaked version? Say, one that reports back when he/she dials a particular number? Or punches in a specific URL?

    My own bit of "irresponsible speculation" is that the carriers are installing CIQ at the specific behest of the NSA, which has never given up the goal of Total Information Awareness, despite the fact Congress allegedly defunded it years ago. They keep arguing in court for access to "phone records" without warrants, and they keep getting shot down in court -- losing on appeal as recently as 10 or so days ago. 

    Privacy legislation has a loophole that lets phone companies monitor calls for quality control (exactly what CIQ purports to be addressing). The spooks have given the telcoms a green light to define the data they need as broadly as possible, so they can start mining it as soon as they get a favorable ruling. Or maybe they are doing it already, telling themselves that until the Supreme Court rules, it's a grey area.

    Like I said, irresponsible speculation. I just wanted to get it out there -- to plant the bug, so to speak.

     


    Carrier IQ's VP of marketing, Andrew Coward, told AllThingsD this week that "We don't read SMS messages. We see them come in. We see the phone numbers attached to them. But we are not storing, analyzing or otherwise processing the contents of those messages."

    But the point -- unless Coward has since retracted that statement as he has so many others -- is they could if they decided to. Ostensibly on the orders of big carriers (AT&T, Sprint and T-Mobile) they have surreptitiously designed and installed a security vulnerability that sounds easy for others to exploit.

    As for whether the government has a finger or two in all this, I'm keen to see whether the congressional investigation Franken has tentatively begun even goes there. If it does not, that in itself virtually answers the question.


    You've got this a bit wrong. Carrier IQ doesn't modify the software ... they sell a codebase that allows the manufacturer/carrier to customize the software to do anything they want it to.

    I am assuming Coward is speaking to the "stock" implementation when he describes what they see. If so, it is somewhat misleading to not add that every implementation is (or can be) different. To my knowledge there is not a "stock" version of Carrier IQ implemented on any consumer device.

    It is unclear if this is easy for others to exploit.

    I'm also interested in where the Franken investigation goes. I'm a bit concerned that it's frame was somewhat fatally flawed by adopting Eckhart's assertions about what was being demonstrated - which turned out to be a bit off-base. That would be unfortunate because the nature of QA software and it's interaction with private data is an important issue that needs airing. Hopefully we get to the stage where questions are actually asked at all.


    Some relevant stuff to this line of thought came up when I was discussing this with Obey over on kgblogz (how I perceive the dev cycle, way Android works a bit, etc.). I did a few detailed comments that you might find interesting.

    Here's one point (quoting me).

    During the later R&D phases, they take the phones out into the wild (that's how Gizmodo, et. al get pictures and the occasional misplaced prototype). During that phase I can see how it is amazingly useful to be able to report all sorts of shit back to the server ... kind of like the debugging console, but the devices are spitting out information the the server instead of apps spitting it out to the console. That could save a TON of time and money. Looking at it, they really do seem to have a pretty kick-butt product ... if used responsibly.

    Thing is, what makes sense in development is NOT NECESSARILY COOL in deployment.

    Everyone *has* to be doing something like this - at least in R&D - or they would never be able to get a device to market. Those not using systems with the name "CarrierIQ" are just falling back on denials about not using that one bit of software. It is a really good question to what extent the stuff they put in to debug the devices gets taken out before release to consumers. I suspect they may have a "hot coffee" problem.

    why the need to bury the software so deeply, so invisibly, and deny the customer any way to disable it?

    Two issues here. It seems as if there are varying degrees of ability to disable and being hidden ... this is completely decided by the carrier/device maker. Some device makers/carriers seem to have done a pretty good job alerting the user and giving them the ability to opt-out ... others don't even mention it is there. There have been some accusations that the system keeps logging even after being told not to ... I'm not sure that is accurate. But as I noted upthread ... as far as operation goes, you want something like this to be as invisible during operation as possible to minimize information leaks.

    Two points on above-board uses. There should ABSOLUTELY be an easy way to users stop the software from logging if desired. And there should be a clearly published statement of the precise information being collected from users devices and transmitted.

    As for the NSA stuff. The carriers can still monitor voice (and data) across their networks in the traditional way without needing to go through all this trouble. The bigger issue here is the whole business records thing IMO.

    So in theory couldn't the carrier update a particular subscriber's phone with a tweaked version? Say, one that reports back when he/she dials a particular number? Or punches in a specific URL?

    Absolutely. The training materials appeared to show one phone that had been given a unique "Metrics Package" seemingly to demonstrate this. To quote myself in the first CarrierIQ post ...

    Take for example this trigger:

    [AL35: loading started in a browser frame – data receive begin and end, page render begin and end.]

    This one hook potentially gives complete stateful control of the HTTP request, data processing and render pipeline. For one example, the ability to assert between the data receive and the page render operations gives an ability to implement advanced filtering rules on any web content handled by the device. It would be trivial to write a "Metrics Package" to eliminate a list of prohibited links ...  inject a branded graphic on any page ... or perform any other imaginable operation on every web request a device handles. It is not an exaggeration to say that every aspect of a device's operation and information/data security can potentially be fully compromised and modified ... without the user's knowledge or consent.

    I got in to a bit more of why this software should be a huge security concern in that first post ... was going to do a followup of potential security risks and nefarious applications if I get a chance (and also address the way mobile advertisers grab much of this information also).

    I just wanted to get it out there that CarrierIQ - the company - probably aren't the ones to be focused on; it's really the carriers and device makers who determine exactly what the software will do or not do. Additionally, focusing on Carrier IQ distracts from the fact that everyone is doing this in some fashion or another ... just because their software isn't called carrier IQ shouldn't protect from facing questions about whatever QA solutions *are* currently implemented.


    KGB wrote:

    "I suspect they may have a "hot coffee" problem."

    I wonder how long before one of the actors in this (CIQ and/or the carriers) offer an explanation along the lines of "....we're sorry; this was a mistake..."


    Eckhart's demonstration is somewhat misleading (not intentionally) ... it showed what was possible, not necessarily what was actually being logged. Ultimately the companies will be on the hook for what they have collected and transmitted; not what events the software latches at the OS level ... if we can ever get a straight answer.

    Currently (IMO) they are milking a lack of public understanding of the way the software works to leave Carrier IQ answering all questions about how the software functions. Carrier IQ is able to speak honestly about how the "stock" software works; but this version of the software is not actually implemented on any devices. People by inference are assuming their explanations also apply to the highly-customized implementations that are actually on devices. So carriers/device makers are pretty much avoiding any responsibility or questions about their own role in *making* their custom implementation or specific questions about how their implementations actually function and deviate from the Carrier IQ "stock" software being described.

    In short, Carrier IQ is totally shielding their customers and making a real explanation about what has actually been happening on people's active devices far less likely.

    What I wonder how many companies are quietly preparing and pushing updated "Metrics Packages" to change how the software works and reduce the opportunity for researchers to really break down what they have been up to.


    One other point.

    While I'm certainly not in a position to give them a "clean bill of health" ... superficially, it really looks like HTC has been using the software responsibly: alerting users that it's there, making data collection *opt in* and providing an easy way for the user to disable the reporting functions.

    OTOH, it looks like Samsung is *not* even telling users they are collecting it. In the case of the Evo, it really looks like Sprint did the implementation that Eckhart was dissecting.

    Now, Verizon is doing *something* that collects a bunch of this data ... but they say they aren't using Carrier IQ to do it. They don't appear to be building an opt-in/opt-out feature into their devices at all. The Verizon policy appears to be collecting data from all devices no matter what ... and agreeing not to sell/leverage the information if a user contacts their corporate web site and directs them not to.

    My point is that HTC's use of Carrier IQ is far less troubling than Verizon's use of whatever it is they have implemented with a different name. This is a carrier policy/behavior issue, not a "spyware" one.

     


    I'm not sanguine about installing apps, but Gizmodo discusses one that checks for Carrier IQ: How To Check If You Have Carrier IQ, Without Rooting Your Handset