Carrier IQ: Who Cares?

Greg Alexander, Dec 12 2011.

There is a misunderstanding behind the current uproar over Carrier IQ. The problem is that Trevor Eckhart is an advanced persistent search engine optimizer, not a geek. His research is trivial, his conclusions are sensationalist garbage that do not follow from the data, and he's selling an Android app to detect this stuff. He is constantly misusing basic terminology just to make the threat seem greater. If you had my eyes, this would instead make you doubt his veracity, but of course few people care about the difference between an apk, a kernel, and a bootloader.

I will split this into two sections. First, I will analyze the smoke, which is in the form of a bunch of misleading claims from Eckhart about Carrier IQ. Then, I will analyze the fire, which is the true threat to your privacy posed by smartphones.

The Smoke

The Video

Eckhart posted a video, purportedly showing that Carrier IQ records keystrokes. The video shows logcat output. All Android phones keep a log of system-level events that you can view from a shell or debugging connection with "logcat". It clearly shows that when he presses a button, logcat records the fact that Carrier IQ is informed about this action. The thing is, if that were the case, then Carrier IQ wouldn't be hidden at all; it would be boldly visible to anyone who ever uses logcat in the process of debugging their Android application. In other words, every single Android developer would see these Carrier IQ messages scrolling by as they work on their app. Why don't they?

The answer is that he intentionally reconfigured Carrier IQ to log keypresses. In its regular configuration, as it is installed by the telco, it does not log keypresses. And with good reason -- if it did log keypresses, it would make your device slower, use more battery, and use more data. Plus the carriers would then sort through this information which is, frankly, uninteresting to them.
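As an added example that is not part of the original post: a small Python check that applies the argument above to a logcat capture. It parses lines in the "logcat -v threadtime" format and lists any tag that logs within 100 ms of every key event, which is exactly the kind of pattern a developer would notice scrolling by. The sample capture and its KeyInput and ChattyAgent tags are constructed placeholders, not real Android or Carrier IQ tag names.

```python
import re
from datetime import datetime
# Expected input: lines as printed by "logcat -v threadtime":
#   MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)
# Constructed sample capture. "KeyInput" and "ChattyAgent" are placeholder
# tag names invented for this example, not real Android or Carrier IQ tags.
SAMPLE_LOGCAT = """\
12-12 10:00:00.000  1234  1234 D KeyInput: keyDown keycode=29
12-12 10:00:00.012  2345  2345 D ChattyAgent: key event received
12-12 10:00:00.040  3456  3456 I ActivityManager: Displayed com.example/.Main
12-12 10:00:00.500  1234  1234 D KeyInput: keyDown keycode=30
12-12 10:00:00.509  2345  2345 D ChattyAgent: key event received
12-12 10:00:01.000  1234  1234 D KeyInput: keyDown keycode=31
12-12 10:00:01.015  2345  2345 D ChattyAgent: key event received
12-12 10:00:02.000  4567  4567 W dalvikvm: GC_CONCURRENT freed 123K
""".splitlines()

def parse_line(line):
    """Return (timestamp, level, tag, message), or None for non-entry lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # logcat omits the year; any fixed year works for computing time deltas.
    ts = datetime.strptime("2011-" + m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("level"), m.group("tag"), m.group("msg")

def tags_following_input(lines, input_tag, window_ms=100):
    """Per tag: how many input events were followed within window_ms by that tag."""
    events = [e for e in map(parse_line, lines) if e]
    input_times = [ts for ts, _, tag, _ in events if tag == input_tag]
    covered = {}
    for ts, _, tag, _ in events:
        if tag == input_tag:
            continue
        hits = covered.setdefault(tag, set())
        for i, t in enumerate(input_times):
            if 0 <= (ts - t).total_seconds() * 1000 <= window_ms:
                hits.add(i)
    return {tag: len(hits) for tag, hits in covered.items()}, len(input_times)

def suspicious_tags(lines, input_tag, window_ms=100, min_events=3):
    """Tags that log after every single input event, once enough events exist to judge."""
    covered, n_inputs = tags_following_input(lines, input_tag, window_ms)
    if n_inputs < min_events:
        return []
    return sorted(tag for tag, n in covered.items() if n == n_inputs)
```

Run it over a real capture by replacing SAMPLE_LOGCAT with the lines of a saved "adb logcat -v threadtime" session and passing whatever tag your build uses for input events.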

Blog posts

There is a circle of blog posts on the subject, all failing to cite any further information. Here's an example. They throw around phrases like "rootkit software installed in the RAM of the devices", which sounds very scary. But I'm not scared, I'm a geek. I want to know where it is actually installed, and that information isn't sufficient for me to find it (even if it were accurate, which it's not). If you read these various articles, you'll discover that it is in the bootloader, in the kernel, impossible to remove, absolutely hidden, etc.

Actually, as near as I can determine, it is an .apk file. It's one of the obnoxious pieces of bloatware that came pre-installed on your phone and that you can trivially remove if you root your phone and then access a shell and type rm /system/app/something.apk.

It's not in the kernel, or the bootloader.

In actuality, they are just sensationalist attention whores. If you pay any attention to the Android hacking community, you'll find that this variation on the script kiddy personality type has carved out a good-sized niche there. We should not be surprised at this result.

Carrier IQ lawsuit

Carrier IQ threatened to sue Eckhart because he is lying about their product. Slashdot assumed this meant the opposite -- that Eckhart was disclosing truths and Carrier IQ was suing to prevent the truth from disseminating. Carrier IQ realized the paranoid atmosphere into which they had injected the lawsuit, so they retracted their threat. They said they believe in freedom of speech and open research. But Eckhart is still lying.

The thing is, the fact of the lawsuit proves nothing either way.

But Eckhart _is_ lying.

The Fire

The reason I'm pissed off about this is that it is a tremendous distraction from the fire that is consuming what remains of our privacy. I'll go ahead and disclose my own bias here: I believe that most forms of privacy are obsolete and we'll somehow adapt. But misinformation won't help us adapt to this reality. And if we decide to resist instead of adapt, we will still need accurate information.

There are some stunning claims attached to this Carrier IQ debacle, which are all true and just completely unrelated to Carrier IQ. Let me go down a little list of them.

Your phone company knows who you call and text.
No f-in duh. How do you think they know to route your calls?

Your phone company can read the content of anything you send/receive unencrypted.
No f-in duh. How do you think they know what information to send to the other party?

Your phone company knows your location at all times.
Yes, since the 90s it has been trivial to triangulate the approximate location of a cellphone using statistics that the towers have to track in order to maintain their connection with your phone. This has been as true for the old Nokia bar phones as for modern smartphones and 3G tablets.

Google knows your location most of the time.
Try it on your phone, even try it on your laptop. I type "pizza" into Google and it pops up a map showing all of the nearby pizza places. It knows where I am! Even on my laptop, it can figure it out pretty accurately. On the phone, I use an app that takes it a step further and shows my actual distance to each of these pizza shops and gives me a literal arrow pointing at the physical location of the shop. It'd be kind of shocking if Google actually logged your location even when you weren't using their services, but it'd actually be irrelevant! Every single time you type something into the search bar on your phone, Google gets enough information to determine a pretty accurate estimate of your position. And you're happy that they do, because it makes your phone just that much more useful!

Google knows every website you visit.
There are so many techniques Google uses to know this -- from search bars within browsers to ads embedded within webpages. This ship has sailed. I would say that for most users, 90% of the time Google could reproduce the exact contents of your browser window with stunning accuracy. They know what you're looking at. And a good thing, too! If they didn't, they would have no way to know what's worth looking at, and then their search results wouldn't be as useful.

Google knows a lot of other phone info.
When I upgraded from one Android phone to another, a lot of my settings were automatically imported into the new phone. That's kind of cool, but it is definitely super-creepy. My old phone had been sending its settings out into the Google cloud somewhere.

I want to give an example. In order to track every keypress on an Android phone, it is convenient to modify /system/framework/android.policy.jar, which contains a class implementing WindowManagerPolicy with the methods interceptKeyTq() and interceptKeyTi(). If you could replace either of those two functions, you could easily monitor every keypress on the device, and there is no reason anyone would ever know about it, because you would not have to emit anything into logcat and you would get everything before any other layer of the OS.

You want to get suspicious? Samsung, at least for their Intercept line of phones, has rewritten those functions! They changed this core part of the android OS.

Why did they do this? To snoop my passwords? Actually, no. They did it because they thought Google hadn't put enough bugs in Android. To rectify this perceived shortcoming, they wrote their own unique dialer app and keyguards that were slow and buggy. These slow and buggy variations required changes deep within the Android OS in order to guarantee that their bugs would annoy me every time I interacted with the phone.

To say that the telco can monitor your phone is just, like, duh people. Duh. Carrier IQ is a total red herring, though.

That's only the tip of the iceberg. There is one specific claim Eckhart made that I do not believe is currently inescapable common practice: he claimed that your keys are logged even when you are interacting with an encrypted website. I do not think this generally happens. Mostly for expediency's sake -- who wants to sift through all that data?

On the other hand, it's eminently possible. If you have real security needs, you have to take that into account. Anyone who is the target of an advanced persistent threat (such as the CIA) has to be aware that it is physically possible for any smart phone to record any voice conversation nearby, in addition to keypresses. You probably won't find that capability in the built-in software, but if They care enough, They will hack your phone and install new software. And that software won't be Carrier IQ, it will be much more sinister. And hidden.

Conclusion

Please stop talking about Carrier IQ as though it has anything to do with your privacy. Yes the telco and Google and the device manufacturer can all monitor everything you do on the device. Duh. But Carrier IQ is the least of the tools in their collection.

This shit-storm is nothing but a bunch of good-old-fashioned FUD.

p.s. Every smart phone owner should read Vernor Vinge's book Rainbows End. It's a fun romp through a society you will realize is not near-future but in fact banal present.