CarrierIQ: Most Phones Ship With "Rootkit" 447
First time accepted submitter Kompressor writes "According to a developer on the XDA forums, TrevE, many Android, Nokia, and BlackBerry smartphones have software called Carrier IQ that allows your carrier full access into your handset, including keylogging, which apps have been run, URLs that have been loaded in the browser, etc."
Since this was submitted, a few more details have come to light. The software was designed to give carriers useful feedback on aggregate usage patterns, but the software runs as root and the privacy implications are pretty severe.
Re:but but but... Apple (Score:5, Interesting)
Re:but but but... Apple (Score:2, Interesting)
Right, you're ok with Apple spying on you but not AT&T or Verizon? Fascinating.
Re:"Smart" phones are a dumb buy. (Score:2, Interesting)
Have you tried the Nokia N900?
Re:Really? (Score:4, Interesting)
I'm unclear here. Why isn't senior management and the board being hauled into court, forced to pay bail of a million bucks and the FBI seizing every single document within the United States? I mean, every time some fucking dipshit downloads a copy of some piece of Hollywood excrement, Congress and the courts are bending over backwards to punish the evildoer, but when major companies start throwing rootkit spyware on their phones, it's like "oh well."
If I was in charge, those companies would be facing destructive fines (hundreds of millions of dollars), senior management and the board would be cooling it in prison cells and facing stripping of every single asset they own and years of jail time ahead of them. I would make those fuckers so terrified that they'd wake up three times every night of the rest of their lives fearing that some marketing fuck had put something like that on the phones they're selling.
Comment removed (Score:5, Interesting)
2 Questions (Score:5, Interesting)
1) How can you authoritatively determine the android phone you are about to buy doesn't have Carrier IQ installed, BEFORE you buy it?
2) If you already have an android phone, (how) can you check for and uninstall Carrier IQ?
Re:Samsung Vibrant (Score:5, Interesting)
And, I'm betting it's the users paying for the data plan usage that sends this stuff.
So, you're paying extra to be snooped on. I highly doubt they exclude this data from what they charge you.
Re:2 Questions (Score:5, Interesting)
3. If your lawyer has this on his (her) phone, are they in breach of confidence? What about now that they know about CIQ?
4. If a medical *anything* has this on their phone, is this a HIPAA issue?
Re:Doesn't Matter (Score:5, Interesting)
Secondly, I don't consider it truly open source, unless I can reasonably make changes, which you can't do with Android phones currently on the market.
Re:some legitimate technical questions (Score:4, Interesting)
Cyanogenmod does not have CIQ in the first place.
It is also possible, with a LOT of work, to remove CIQ's hooks from the system using baksmali/smali (basically, a disassembler/assembler for Java).
Unfortunately, the developers on XDA who put forth NoCIQ mods seem to be considering this their "special sauce" to set themselves apart and get some donations - when asked where to look for hooks on a device they don't support, you get nothing but silence. No guides, even high-level ones oriented towards developers.
Re:Doesn't Matter (Score:4, Interesting)
You are right. It doesn't matter. I am not a tinfoil hat wearer because I am a Computer Systems Engineer and Network Administrator and I know how much data they can gather from you if they want to and have pretty much just stopped caring. They don't need any special app hidden on your phone to spy on you. They could record every single URL that you visit from their server end. Unless you are taking some extraordinary measures on your phone like running through proxies (which can then log everything you do themselves) or Tor they can already track all of your online activity. Does this make something like CIQ right, hell no, and I have already verified that my Android phone doesn't contain it. But, it also doesn't mean that I have any allusions that every URL I visit isn't being recorded somewhere. I just don't care because I don't do anything on my phone that I wouldn't want the world to know about anyway. That is why burner phones were invented ;-)
PS, if you want an interesting look into which Android apps are tracking you when you use them, check out the app:
Addons Detector