New information about Carrier IQ revealed
We've previously discussed the whole Carrier IQ/Tell HTC PR scam, the HTC Loggers debacle (which HTC actually fixed), and the ongoing WiMax vulnerability. And unfortunately, we're here today to talk about Carrier IQ (CIQ) again.
According to Sprint spokesperson Jason Gertzen, CIQ is used for service quality purposes. "It collects enough information to understand the customer experience," he says, but they "do not and cannot look at the contents of messages, photos, videos, etc., using this tool." That sounds okay, right?
Maybe, if it were actually true. TrevE, discoverer of all of HTC's security flaws of late, has laid out a lot of new information about CIQ and says that it's "able to query any metric from a device." It can access every little drop of information that leaves my phone when certain triggers occur. Which ones?
You might be sorry you asked. Here are some of the triggers TrevE found:
- Key in HTCDialer Pressed or Keyboard Keys pressed: Intent – com.htc.android.iqagent.action.ui01
- App Opened: Intent – com.htc.android.iqagent.action.ui15
- SMS Received: Intent – com.htc.android.iqagent.action.smsnotify
- Screen Off/On: Intent – com.htc.android.iqagent.action.ui02
- Call Received: Intent – com.htc.android.iqagent.action.ui15
- Media Statistics: Intent – com.htc.android.iqagent.action.mp03
- Location Statistics: Intent – com.htc.android.iqagent.action.lc30
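To check a log capture or a text dump of a ROM for these intents, a short scan like the following works. It is an added example, not TrevE's tool or code from the original post; the sample lines and the `xx99` action are constructed, and the log layout is an assumption.

```python
import re
from collections import Counter

# Intent action suffixes and their triggers, as listed in this article.
# ui15 is listed for both "App Opened" and "Call Received".
CIQ_TRIGGERS = {
    "ui01": "Key in HTCDialer pressed or keyboard keys pressed",
    "ui15": "App opened / call received",
    "smsnotify": "SMS received",
    "ui02": "Screen off/on",
    "mp03": "Media statistics",
    "lc30": "Location statistics",
}

# Match any action under the iqagent prefix so unlisted actions are caught too.
ACTION_RE = re.compile(r"com\.htc\.android\.iqagent\.action\.([A-Za-z0-9_]+)")

# Constructed sample lines in a logcat-style layout (not captured from a device).
SAMPLE_LOG = """\
10-01 17:00:01.120 I/Example(  101): Intent { act=com.htc.android.iqagent.action.ui01 }
10-01 17:00:01.480 I/Example(  101): Intent { act=com.htc.android.iqagent.action.ui01 }
10-01 17:00:05.002 D/Example(  245): unrelated line
10-01 17:00:09.771 I/Example(  101): Intent { act=com.htc.android.iqagent.action.smsnotify }
10-01 17:00:12.310 I/Example(  101): Intent { act=com.htc.android.iqagent.action.lc30 }
10-01 17:00:15.900 I/Example(  101): Intent { act=com.htc.android.iqagent.action.xx99 }
"""


def scan_for_ciq(text):
    """Return {action_suffix: (count, trigger)} for every iqagent intent in text."""
    counts = Counter(ACTION_RE.findall(text))
    return {
        suffix: (n, CIQ_TRIGGERS.get(suffix, "unlisted action"))
        for suffix, n in counts.items()
    }


def ciq_present(text):
    """True if any iqagent intent action string appears in text."""
    return ACTION_RE.search(text) is not None


if __name__ == "__main__":
    for suffix, (n, trigger) in sorted(scan_for_ciq(SAMPLE_LOG).items()):
        print(f"{suffix:10} x{n}  {trigger}")
    print("CIQ intents present:", ciq_present(SAMPLE_LOG))
```

A result with no matches only means none of these strings appeared in the text scanned; it is not proof that CIQ is absent from the device.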
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).
And what happens to these metrics when triggers occur?
Essentially, CIQ is waiting for you to do something on your phone. This is the trigger. When that trigger fires, all the data (metrics) pertaining to it is sent to a remote server. Wait – a remote server!? "From training documents found," he says, "we get an insight to the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs."
TrevE then delves into a specific example:
The "portal administrator" can put devices into categories and see devices in California that have dropped calls at 5pm.
The downside to all of this is the "portal administrator" is also able to "task" a single phone with a profile containing any combinations of metric and trigger. From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know "Joe Anyone’s" location at any given time, what he is running on his device, keys being pressed, applications being used.
And there you have it!
Anyone who thought I was paranoid at the beginning of this article probably has their jaw on their desk now. TrevE's findings prove for a fact that HTC (and Samsung for some devices) has the ability to remotely track your phone's location.
Verizon Wireless has come forward and admitted to and laid out exactly what they do with the information acquired with CIQ. I don't condone what Verizon is doing with the data, but Sprint has "no privacy policy, retention policy, or public information on what they use [CIQ] for."
- Root your EVO (here is G&E's rundown of everything root)
- Flash a ROM that has CIQ removed (specifically look for it, as not all ROMs have this rootkit removed)
- Use TrevE's Logging Test App v7 to ensure that CIQ has been fully removed from the ROM you installed
For the record, HTC, this isn't that bad of a program. I would probably even support it. Just add a freakin' "Would you like to opt-in?" button!
[Android Security Test]