Carrier IQ Software May Be in iOS, Too 234
New submitter Howard Beale writes with this excerpt from The Verge: "To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5." The details are still emerging; however, iPhone users will be happy to hear that while it's reported that the software is available to the OS, "the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default."
Handset Or Carrier? (Score:2, Interesting)
Is this software specific to various handsets or is it specific to the carrier?
So far it has seemed to me that this guy is using Sprint and thier phones seem to have it. But, people on AT&T are reporting that their phones do not have it.
Does anyone know for sure?
Re:How did the software get on an iDevice? (Score:5, Interesting)
Does that mean that Apple is complicit in installing Carrier IQ?
Yes. It was potentially something they were told to do by carriers, but Apple has had a habit of telling anyone that went against their worldview to fuck off, so I imagine it at least doesn't conflict with their intents.
Reassuring? (Score:5, Interesting)
"the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default."
This is supposed to be reassuring? How many people will ever read about this? And how long until it's turned on by default? Or perhaps turned on by a remote message.
I've found it useful as an example for people who don't understand why we need free/open software. This story simply means that if you use your phone to access anything that is protected by a password (or PIN or whatever), that little hidden bit of software is making a copy of your login, password, account numbers, etc., and sending it off to some site that you know nothing about. Whoever has that information can then get into your account and do as they like with it. I've seen a lot of worried looks, and I know a number of people who have held off on the idea of using their phone to access their bank accounts as a result of this information.
I try to get the idea across that, as long as there's any software that's not freely available to us software geeks ("hackers" to the media), so that we can study it and expose such little nasties, nobody's information or accounts or identities can be considered safe. This sort of software can and does send all your private information to some unknown strangers.
Also doesn't record UI/keypress info (Score:5, Interesting)
Not only is it off by default, apparently it's only allowed to access information at a layer that doesn't give away the farm. It's not recording your keypresses, the sites you visit (which apparently the HTC version does even if you're on WiFi) or anything else that's possibly a significant security risk. Supposedly, it really does act just as it's claimed to in the press releases.
(I'm aware that I use 'apparently' and 'supposedly'; I have no concrete info that I've tested myself, this is just what I've read today.)
Android (Score:5, Interesting)
Interestingly, it looks like the "pure" Android phones (i.e the Nexus line) don't ship with CarrierIQ [theverge.com]
Re:Reassuring? (Score:4, Interesting)
Because we all know it's impossible to hide such things like trojans in foss without anyone noticing for months on end, right? Oh wait... [wikipedia.org]
Re:easy to turn off as well (Score:4, Interesting)
the log files are right there in the phone and you can easily see them
this sounds like the issue with the touchpad where HP had the diagnostics set to max and the performance was crap. except in this case the manufacturers are using twice the RAM and twice the MHz CPU's for android phones compared to the iphone to make up for the overhead of this software.
most of the tech geeks creaming themselves over specs are idiots because they don't realize it's just for crap like this
Re:easy to turn off as well (Score:2, Interesting)
And what about the end users who dont know how to do that??? Is Android just for tech geeks only?
Who can turn it on? That's what matters. (Score:4, Interesting)
The question is, can a government agency or anyone else call up Apple or a carrier and have them remotely activate CarrierIQ on the iPhone?
I don't care if it's "off by default". I care if it's "controlled by the user". There's a clear and concise distinction, and Apple's track record does not lead me to believe that Apple doesn't have absolute control to remotely activate this or any other setting at their discretion. Even if they were unable to before, they may have added that remote capability since they've lost several phones before.
Re:Why does this CarrierIQ stuff matter anyway? (Score:3, Interesting)
When was the last time you got any useful technical support from a cell phone carrier? Those guys play a classic game of passing the buck, blaming your handset (which they didn't make) interference (which they can't control) and anything else that's not the service they provide.
The notion that some Level 42 World of Warcraft Paladin who spends his days providing tech support for a cell carrier:
1) Has access to any useful information that relates directly to your handset,
2) Has the analytical skills to determine its meaning without rolling a 20 sided die
is patently ridiculous. They'd at best have access to your current outstanding balance.
North Americans need to stop buying handsets from manufacturers: start buying unlocked, carrier independent handsets and you'll change the industry. As long as over 90% of us are committing to contracts that are longer than the average length of time your phone lasts, the oligarchy that is the North American cell phone industry can do whatever it wants.
Re:Reassuring? (Score:4, Interesting)
If anything, this demonstrates why Free Software alone is not the answer. In this case, the closed-source iOS is actually respecting your privacy more than the Open Source Android.
You still think that code is the answer, but it isn't. Dennis Richie demonstrated long ago how even access to the full source doesn't make you safe. As long as there is a part in the chain that you don't control, you can be fucked over.
This is a place where actually the legal solution is simpler, easier and more reliable than the technical one. Pass a couple good laws (the "good" part is where our current incompetend corrupt breed of wannabe-politicians are challenged) and enforce them. Sure, it doesn't give you the same 100% security that an EAL7 solution with explicit privacy specifications would - but it's not SciFi and it will work good enough for practical purposes the same way that making murder illegal doesn't prevent it completely, but well enough that in most of the civilized world where the rule of law works, people don't give the extremely remote possibility of being murdered a thought.
Re:Reassuring? (Score:2, Interesting)
Apple has for years included "diagnostic" tools that send back information on Macs. They're always opt-in and are easy to disable later. The same is true here. I don't see why they would change that by making it opt-out instead, since that's just the sort of bad publicity that they don't need, and they likely already have a large enough sample size from those who do opt-in to make any relevant decisions based on the data available (iOS 5 prompts the user during setup/upgrade regarding whether they want to opt-in or not).
Plus, keep in mind that Apple's customer is the end user, whereas the customer for many of these other companies is the carrier, a third-party advertiser, or some other entity that wants access to the user's information. It's in Apple's best interests to not piss of their users, since their users are their customers.
Re:easy to turn off as well (Score:4, Interesting)
I guess we are talking different languages. I said nothing about installing another OS on the iPhone nor do I believe that all that can be accomplished requires me to insert custom code into the kernel. I know that people are able to run daemons on the iPhone with upgraded privileges (root), since there was a default password exploit on the sshd service that the original jail break script installed years ago. I assume that most of the really "novel" software on the iPhone require a jail broken phone solely for the elevated privileges that are required to access some services/API which the stock iPhone won't allow.
Most of *my* modifications to the linux kernel involved making a driver for a new piece of hardware. I did have an occasion where I needed to patch the linux kernel for pulse per second synchronization and there was a flaw in the LinuxPPS code that triggered on both rising and falling edges of the PPS being fed on a serial port which required my correction. That said if I did need to something at the Kernel level on the iPhone, since iOS is based on the Mach kernel, I assume I could write a kernel extension for a jail broken phone. I assume since I don't have access to a jail broken phone, but I'm sure someone around here has experience. Anyway, I assume the iPhone hardware is well supported by iOS so I really don't know why you place so much value on the OS being open source for *this* particular part of the conversation.
You only assume that CarrierIQ isn't running unless you actually view the source code yourself. You also assume that a CarrierIQ like function doesn't exist in the phone's firmware that isn't explicitly covered by an open source license.
This is where we really differ. I support open source (professionally on occasion) yet my support doesn't rise to the level of zealotry. I do not disqualify any product solely on the basis that it's less open then other options.