New information about Carrier IQ revealed


We've previously discussed the whole Carrier IQ/Tell HTC PR scam, the HTC Loggers debacle (which HTC actually fixed), and the ongoing WiMax vulnerability. And unfortunately, we're here today to talk about Carrier IQ (CIQ) again.

According to Sprint spokesperson Jason Gertzen, CIQ is used for service quality purposes. "It collects enough information to understand the customer experience," he says, but they "do not and cannot look at the contents of messages, photos, videos, etc., using this tool." That sounds okay, right?

Maybe if it were actually true. TrevE, discoverer of all of HTC's security flaws of late, has laid out a lot of new information about CIQ and says that it's "able to query any metric from a device." It can access every little drop of information that leaves my phone when certain triggers occur. Which ones?

You might be sorry you asked. Here are some of the triggers TrevE found:

Key in HTCDialer Pressed or Keyboard Keys pressed
Intent – com.htc.android.iqagent.action.ui01

App Opened
Intent – com.htc.android.iqagent.action.ui15

SMS Received
Intent – com.htc.android.iqagent.action.smsnotify

Screen Off/On
Intent – com.htc.android.iqagent.action.ui02

Call Received
Intent – com.htc.android.iqagent.action.ui15

Media Statistics
Intent – com.htc.android.iqagent.action.mp03

Location Statistics
Intent – com.htc.android.iqagent.action.lc30
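
As an added example (not from TrevE's write-up or the original article), the script below scans a text capture for the intent actions listed above and names the trigger each one corresponds to, including the `ui15` action that the list gives for two different triggers. The sample lines and the `zz99` action are constructed, and it is an assumption that a capture from a given device contains these strings at all.

```python
import re
from collections import Counter

# Trigger names keyed by intent action suffix, exactly as listed above.
# ui15 appears twice in the list (App Opened and Call Received), so one
# action can map to more than one trigger.
CIQ_PREFIX = "com.htc.android.iqagent.action."
TRIGGERS = {
    "ui01": ["Key in HTCDialer Pressed or Keyboard Keys pressed"],
    "ui15": ["App Opened", "Call Received"],
    "smsnotify": ["SMS Received"],
    "ui02": ["Screen Off/On"],
    "mp03": ["Media Statistics"],
    "lc30": ["Location Statistics"],
}
ACTION_RE = re.compile(re.escape(CIQ_PREFIX) + r"([A-Za-z0-9_]+)")

def scan(lines):
    """Return (known, unknown): Counters of listed and unlisted iqagent actions."""
    known, unknown = Counter(), Counter()
    for line in lines:
        for suffix in ACTION_RE.findall(line):
            (known if suffix in TRIGGERS else unknown)[suffix] += 1
    return known, unknown

def report(lines):
    """Human-readable findings; an empty list means no iqagent action was seen."""
    known, unknown = scan(lines)
    out = []
    for suffix, n in sorted(known.items()):
        out.append(f"{CIQ_PREFIX}{suffix} x{n}: {' / '.join(TRIGGERS[suffix])}")
    for suffix, n in sorted(unknown.items()):
        out.append(f"{CIQ_PREFIX}{suffix} x{n}: not in the list above")
    return out

# Constructed sample capture (not real device output); zz99 is a made-up action.
SAMPLE = """\
10-01 17:00:01 I/Example: broadcast act=com.htc.android.iqagent.action.ui02
10-01 17:00:04 I/Example: broadcast act=com.htc.android.iqagent.action.ui15
10-01 17:00:09 I/Example: broadcast act=com.htc.android.iqagent.action.smsnotify
10-01 17:00:09 I/Example: broadcast act=com.htc.android.iqagent.action.ui15
10-01 17:00:12 I/Example: broadcast act=com.htc.android.iqagent.action.zz99
10-01 17:00:15 I/Example: battery level changed
""".splitlines()

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

An empty report only means none of these action strings appeared in the text that was scanned.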

TrevE calls CIQ a "rootkit" and cites Wikipedia to explain why:
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).

And what happens to these metrics when triggers occur?

[Image: CarrierIQ-Flow]

Essentially, CIQ is waiting for you to do something on your phone. This is the trigger. When that trigger occurs, all the data (metrics) pertaining to it is sent to a remote server. Wait – a remote server!? "From training documents found," he says, "we get an insight to the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs."

[Image: Ciqdevicelist]

[Image: Singledevice]

TrevE then delves into a specific example:

The "portal administrator" can put devices into categories and see devices in California that have dropped calls at 5pm.
The downside to all of this is the "portal administrator" is also able to "task" a single phone with a profile containing any combinations of metric and trigger. From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know "Joe Anyone’s" location at any given time, what he is running on his device, keys being pressed, applications being used.

And there you have it!

Anyone who thought I was paranoid at the beginning of this article probably has their jaw on their desk now. TrevE's findings prove for a fact that HTC (and Samsung for some devices) has the ability to remotely track your phone's location.

Verizon Wireless has come forward and admitted to and laid out exactly what they do with the information acquired with CIQ. I don't condone what Verizon is doing with the data, but Sprint has "no privacy policy, retention policy, or public information on what they use [CIQ] for."

As we've talked about before, CIQ comes preinstalled on many newer HTC devices, including every single EVO out there. There is no way to opt in or out of CIQ, so to get rid of it, you have to:
  • Root your EVO (here is G&E's rundown of everything root)
  • Flash a ROM that has CIQ removed (specifically look for it, as not all ROMs have this rootkit removed)
  • Use TrevE's Logging Test App v7 to ensure that CIQ has been fully removed from the ROM you installed

For the record, HTC, this isn't that bad of a program. I would probably even support it. Just add a freakin' "Would you like to opt-in?" button!

[Android Security Test]

Sam Sarsten

Sam Sarsten is a former contributing editor at Good and EVO, which was merged with Pocketables in 2012.