[conspire] Lessons from CarrierIQ

Rick Moen rick at linuxmafia.com
Fri Dec 2 22:18:33 PST 2011


Let's say you want to send something with a bit of security against
snooping, across the Internet.  In broad terms, you tend to send it 
across either an SSH tunnel or an SSL-wrapped http connection -- or some
close equivalent.  In any such case, your theory is that you can pretty
well trust the security of that crypto-wrapped transport method, you
have at least conditional trust in the security of the machine at the
far end, and of course you trust the gadget you're typing on, because
it's yours and it's right in front of you.  Why wouldn't you trust it?
I mean, it's your computer, designed for you.

Metaphorically, such a connection is like a bridge, in that it's sturdy
and reliable if the bridge span is sound, if it has a sound footing on 
the near end, and if it has a sound footing on the far end.  If you're
in San Francisco, have a look at the massive SF anchorages of the Bay
and Golden Gate Bridges, on Rincon Hill and the Presidio near Fort Point, 
respectively.  They're extremely solid.  They have to be.

One fine day, you get one of those marvelous Android-based smartphones
through your cellular telco.  It probably comes with an ssh client and
https capability.  If not, off to Android Marketplace, and you're set:
You can now communicate across the Internet in privacy, because your
cellular telco works for you.


Well, guess what?

http://news.yahoo.com/smartphone-spying-204933867.html

Android developer Trevor Eckhart was on the trail of a weird hidden
software process on his Sprint-issued HTC EVO 3D, which runs Sprint's
load of Android 2.3.4 Gingerbread.  It seemed as if 'Carrier IQ',
professing to be an Android component, might be sending back a
tremendous amount of detailed 'user behavior logging' data to the
CarrierIQ company.  This, mind you, was not a user add-on but rather
something that arrived built right into the Sprint build of Android.
Eckhart discussed it with other developers, and they did the obvious
thing of asking HTC and Sprint:  'Excuse us, but is detailed personal
data including full session data getting shipped without our being asked
to Carrier IQ?'  Oh no, of course not.

Eckhart investigated, and found that the truth was otherwise, and in
fact worse -- and meticulously documented the fact that the Carrier IQ 
process was logging and reporting _everything_, including all user
keystrokes.  Picture that SSL or SSH session.  Yes, the span is
gloriously strong, but it turns out that your security footing (your
smartphone's local security) is mud and sand.  Hey, bridge collapse!
Except with corporate disinformation.

And lawyers.  Carrier IQ's response to Eckhart's blog-post exposé was
to attempt to muzzle him with a legal threat of copyright violation,
because Eckhart had mirrored, as documentation for his analysis, Carrier IQ
technical manuals available at http://dis1.water.carrieriq.com/ until
Carrier IQ heard about the work of Eckhart and his fellow developers and
suddenly became shy about documentation, and also to threaten him with
(probably) unspecified tort actions over 'false allegations' -- probably
defamation.

Eckhart talked to EFF, who cited 17 U.S.C. 107 and the Campbell v.
Acuff-Rose Music case, and also NY Times v. Sullivan and Hustler v.
Falwell to Carrier IQ so they could understand the concepts
of fair use, the truth defence, and 'public figure':
https://www.eff.org/sites/default/files/eckhart_c%26d_response.pdf

Carrier IQ stopped threatening Eckhart (but I haven't read that they
ever apologised or ever formally withdrew their threat), but 
claim to this day they weren't recording user keystrokes -- pointlessly,
because they were and are, and Eckhart proved it past dispute.

Oh, wait, they issued a classic passive-aggressive non-apology apology
(https://secure.wikimedia.org/wikipedia/en/wiki/Non-apology_apology):
http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha-apology/

   We are deeply sorry for any concern or trouble that our letter may
   have caused Mr. Eckhart [...]

Oh, we haven't done anything wrong, but we're devastated that Mr.
Eckhart got upset just because we threatened him with bullshit legal
claims, claiming we might be able to extract $150,000 in damages from
you.  Desolee, vraiment.  It's regrettable when computer geeks have
irrational reactions to simple everyday letters like that, but what can
you do?


You send an SMS or IM text message on your smartphone, and Carrier IQ
gets the entire text and all data.  You open an HTTPS connection to your
_bank_, and Carrier IQ gets the entire text and all data.

Which telco-loaded smartphones have this thing built in?  Hell, which
don't?  It's on 'most Android, BlackBerry and Nokia devices', according
to Adam Clark Estes of _The Atlantic Wire_ (linked story above).

   Eckhart has found the application on devices from Samsung, HTC, Nokia
   and RIM, and Carrier IQ claims on its website that it has installed
   the program on more than 140 million handsets.
   [RM:  Yep, see the front page at http://www.carrieriq.com/ ]



IN SOVIET TELCO, VENDOR SELL YOU


People, people, people.  Was nobody paying attention?  One of the first
lessons of the marketplace is how to determine when you are the
customer, and when you are the product.  (E.g., all of you lemmings
using 'free' webmail providers are definitely and solely product, not
customers.)

To this day, I am not willing to trust smartphones generally --
especially ones provided via telcos -- not so much because telco data
plans tend to be heinously expensive as because there is too much
temptation to, and precedent for, spying on my use of the phone and 
abusing the data.  The history of embedded appliances, including
embedded Linux, strongly suggests that the only way to prevent that is
to make it physically impossible.  Because otherwise, you will be sold.

Making it physically impossible entails the smartphone's software being
provided by me, not the telco, for it to be 100% open source (such as
the CyanogenMod community build of Android), and for it to be under my
control so that it runs only the processes I tell it to.
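One concrete way to act on that principle is to audit what is actually
installed on the handset against a baseline you maintain yourself.  The
following is an added example, not code from the original post or from
Carrier IQ, CyanogenMod or Android: it parses the output format of
`adb shell pm list packages -f` (the sample lines below are constructed,
not from a real device), compares it with a hypothetical allowlist, and
separates the unexpected packages that live under /system (vendor- or
carrier-supplied, not removable by an ordinary user) from those under
/data (user-installed).

```python
"""Audit an Android package list against a baseline of packages you expect.

Added example, not part of the original post.  Assumes you have saved the
output of `adb shell pm list packages -f` to a file; SAMPLE_PM_OUTPUT below
is a constructed stand-in for that file, and BASELINE is a hypothetical
allowlist that you would maintain for your own device build.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `pm list packages -f` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings.apk=com.android.settings
package:/system/app/HiddenAgent.apk=com.example.hiddenagent
package:/data/app/org.example.sshclient-1.apk=org.example.sshclient
package:/data/app/org.example.unknown-1.apk=org.example.unknown
this line is deliberately malformed and must be ignored
"""

# Hypothetical baseline: packages you installed or know your build ships.
BASELINE = {
    "com.android.bluetooth",
    "com.android.settings",
    "org.example.sshclient",
}

# One line of `pm list packages -f` looks like: package:<apk path>=<package name>
_LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[A-Za-z0-9_.]+)$")


@dataclass(frozen=True)
class Package:
    name: str
    path: str

    @property
    def is_system(self) -> bool:
        # Anything under /system arrived with the firmware image; a user
        # cannot remove it without root access or reflashing the device.
        return self.path.startswith("/system/")


def parse_pm_output(text: str) -> list[Package]:
    """Parse `pm list packages -f` output, skipping lines that don't match."""
    pkgs: list[Package] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pkgs.append(Package(m.group("name"), m.group("path")))
    return pkgs


def audit(pkgs: list[Package], baseline: set[str]) -> tuple[list[str], list[str]]:
    """Return (unexpected system packages, unexpected user packages).

    Both lists are sorted package names absent from the baseline.  The
    system-partition list is the one that matters for the Carrier IQ case:
    those are the packages the telco or vendor chose for you.
    """
    unexpected = [p for p in pkgs if p.name not in baseline]
    system = sorted(p.name for p in unexpected if p.is_system)
    user = sorted(p.name for p in unexpected if not p.is_system)
    return system, user


if __name__ == "__main__":
    sys_pkgs, user_pkgs = audit(parse_pm_output(SAMPLE_PM_OUTPUT), BASELINE)
    print("Unexpected firmware packages (vendor/carrier-supplied):", sys_pkgs)
    print("Unexpected user-installed packages:", user_pkgs)
```

Run against a real capture, the useful signal is the first list: a package
you never chose, sitting on the system partition, is exactly the kind of
thing Eckhart went looking for.  The baseline is the hard part in practice;
it has to come from a build whose contents you control, not from the device
as shipped.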

Exactly the same with computers, by the way.

Carrier IQ may be facing a big-ass class-action lawsuit:
http://news.yahoo.com/phone-rootkit-maker-carrier-iq-may-violated-wiretap-210436993.html
But, of course, they are hanging tough with the standard company line
that (freely interpreted) amounts to 'We're not logging individual
customer data, only storing anonymised metrics about performance,
operational problems, and quality assurance, and, besides, it's standard
and covered by various contracts we have with carriers and
manufacturers, and, besides, everyone does it.'

It's important to realise that there's some truth to what they say:  
The attitude that all the middlemen are entitled to help themselves to
the user's data, and then claim it was all just for anonymised metrics /
quality control / performance and certainly We Weren't Doing Anything
Wrong, And Also, Everyone Does It, and, besides, it's all for your own 
good, and there's a wugga-wugga something to opt out if you're
ungrateful and don't want this help -- is something you'll hear every time
you encounter hanky panky, expose it to public view, and call bullshit
on the cease-and-desist letter that follows.

The only way out is to insist on a smartphone that does only what you
tell it to, and whose initial software is from parties you can
reasonably trust.  

The CyanogenMod people occasionally have feet of clay
http://review.cyanogenmod.com/#change,5677
but at least not mud and sand like that metaphorical bridge.
