Tag Archives: phone

Carrier IQ, an interesting story of deception or what we could call the Facebook syndrome

It all started with some findings published by Trevor Exkhart on his website a few weeks ago.

He found that a Californian based company called Carrier IQ (CIQ) had develop a software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, Blackberry, Nokia Phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here, is that this software is intentionally installed/provided by the devices manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 Million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.

This is what I would call, the Facebook syndrome!

The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to carrier and phone manufacturer such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would say from a software that logs all the key pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US, although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries and the location of the device. This is what could be considered as a significant personal privacy invasion.

So how did CIQ reacted to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.

As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarizes the case on their website, and also to a new post showing exactly what Trevor meant by calling CIQ software a “root kit” (I called it a “key logger earlier”, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article, goes into details as to why CIQ software is indeed a root-kit. With a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS version from iOS3 to the latest iOS5. However, it seems that the information logged on the Apple devices is much less than what is logged on Androids': no URL nor SMS and the location is only sent if you have allowed for it to be, furthermore, that information is not transmitted by default but only if the user manually choose to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan, I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and pre paid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider they eventually claimed that the built-in iOS bandwidth statistics were only showing average figures and were not accurate. I also read in some forum at the time, that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue further, accepted to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, they are also hidden from view.
After all, if the provider goes at length to hide the data they collect from you, they probably don’t want you to see that sealed fat envelop leaving your phone!

If that’s that case, how legal is this?! not only spying/gathering user information is questionable but doing so could be at the expense of the user! Couldn’t it be considered as a hidden cost to their service? could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others, they want users’ personal information, but unlike others, they have full control of the device you discuss you life on.
  2. Opting for usage statistics, should be just that, an optional choice! and it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS(es) statistics then this is an extra hidden cost to the user
Now, where have I kept my 10 years old beloved Nokia 8210?
UPDATE, 12th of December 2011: CarrierIQ has responded to the issues discovered by Trevor through a 19 pages document. Not sure I find it very convincing.

The increasing risk of 3G+ network within the corporate world

I remember a time where access to the internet from the work place was only available from a couple of “Internet Stations” and where the Internal company network was just that, Internal with no external links! At that time, to get around those controls, one could set up dial up/ADSL lines under his desk and it was deemed as a risk to the Internal Network integrity from within the company’s premises. This was not widespread and required a specific intent to bypass the company’s network policy.

Then came Wi-Fi and hotspots started to flourish everywhere, often basic security was forgotten, such as not bridging it to the Internal Network or not enforcing adequate access controls. It was, and still is, deemed as a risk to the company’s network integrity. Although this is a more widespread practise there are controls in place and detection mechanisms to remediate the related security risks.

Both are examples of uncontrolled access to company resources leading to Network Integrity risks.

Today with 3G and tomorrow with 4G we have a new uncontrolled ADSL equivalent access for most employee/3rd parties on the premises through the use of their newest smartphones/portable computers. This is a new risk which is being overlooked by many companies because the rise in those devices functionalities and connectivity is still not fully appreciated and often only considered as “it is just a phone”.

However, today, it provides uncontrolled internet access at the work place for anybody with a 3G+ compatible device. More importantly there are not many controls that can be put in place to prevent this to happen, unless you ask your staff and visitors to leave such devices at reception.

The main security control which is lacking is one that can enforce the company’s network policy on its premises. As you can only enforce such policy on the wired and wireless network, you cannot guarantee an employee/visitor will not access prohibited materials on the internet from the company’s premises using his own 3G+ connection.

The technical solution isn’t an obvious and easy one so far. More work with mobile providers should be taking place, to at least enforce some web usage policy on corporate provided networks (through mobile phones, tablets, 3G plans, etc). This would however have no effect on personal staff devices and 3rd parties. One thing I have heard at a recent conference was for the company to operate and control its own Cell tower.

Although this may sounds a bit extreme, the upcoming issue is that we are losing corporate control of the Internet access from within the company premises. As technology evolves and provides such “nomad” devices with improved bandwidth and functionality this uncontrolled Internet Access channel may become more of an issue.

Cellular Network Attacks

A few websites have been running a story today on an upcoming attack announcement/demo in next week black hat conference.

Instead of targeting the OS or a specific app, that attack would target bugs directly in a component used to send and receive calls, a baseband chip. Although technically it is still a software attack, the code used to control that chip, it would bypass any security measures in place at the OS level, and would especially be out of Apple/Google control. Such attack could be used to intercept calls or spy on a phone user by activating its phone microphone…

But then surely you would also need to find a bug in the microphone chip? Or elevate your privilege at the OS level from the baseband chip bug?
Anyway, eavesdropping on calls would at least be possible.

What makes this news interesting is both that duplicating a cell tower is becoming easier/cheaper (about $2k) and that you can’t secure and control everything, even in close systems such as iOS devices. Until they start manufacturing every single component, phone manufacturers will have to rely on a multitude of other vendors; all with different security agendas.

Now, if I was working for a security state agency I would invest in some key communication component companies… As hacking is becoming more and more lucrative/political, how long until the “bad guys” start thinking alike… but then you would call me paranoid ;)

Below is a link on the first website I read that story today:
MACWORLD