High Performance Network Security, Enterprise and Data-Center Firewall

Carrier IQ on Android - FAQ

by Axelle Apvrille  |  December 13, 2011  |  Category: Security Research

Q1- The basics. What is Carrier IQ?

CarrierIQ is a controversial piece of code which was intentionally placed on several mobile phones by their vendors or carriers. It has the capability of monitoring and/or collecting various information - without the user's consent.

Q2- What exactly is Carrier IQ doing?

More precisely, CarrierIQ (CIQ) has developed a series of hooks to monitor many metrics, such as:

  • HT01: HTTP request URI

  • AL15: browser's URL

  • MG01: SMS recipient and SMS center

  • MG03: SMS originator

  • MG11: MMS version, sender, recipient and relay URL

  • HW10: minimum and maximum battery voltage, capacity, model

  • HW11: battery's voltage and temperature

  • LC18: altitude, latitude, longitude, uncertainty, velocity...

See for instance the MG11 metric below:

[Figure: MG11 metric used by CarrierIQ]

A broader view of available metrics is available here and here.

Then, OEMs and carriers pick the metrics they are interested in and integrate them into the phone. The data goes to remote portals which are controlled by the OEMs or carriers.

Interesting to read: Dan Rosenberg, "Carrier IQ: the Real Story"

Q3- So in spite of what their executives are claiming, CarrierIQ "logs" my personal data?

The short answer is yes, it does: some of your actions on your phone are being silently reported to a third party without your knowledge, and this is what we call logging.

Now, it is true that CIQ may not log all our actions, and that it does not do so for itself: although it constantly monitors everything, some actions may simply be dropped rather than reported to the carrier and/or vendor, depending on which metrics (see Q2 above) the latter cared to enable. As of this writing, we do not know which vendors/carriers enable which metrics.

Q4- Does it hamper my phone's security?

In short: yes. But if you have time for more details, read the reasons below.

  1. CIQ is no more and no less than a rootkit - even if it was (perhaps) designed for benign usage. Like rootkits, CIQ's service runs as root on the phone. Like rootkits, CIQ hooks basic functionalities on the phone (keys pressed, opened applications, SMS received, etc.). Finally, like rootkits, CIQ tries to hide itself, and as a matter of fact, end-users weren't aware of its existence. CIQ does not display any application icon, is not listed among installed applications, and does not come with any policy.

  2. As Trevor Eckhart's video shows, each time we press a key, this is shown as a new line in Android's logcat. Logcat is a system feature - it does not belong to CIQ - which is the first reason CIQ argues it does not log anything. True. But **if someone has access to logcat, he/she can still monitor all our actions** - which is a threat to your privacy and confidentiality.

  3. Moreover, there actually is a log file: Carrier IQ has admitted keeping a temporary log, and there are no details of how that temporary file is secured. The answer "it's not readable if you don't have our tools" does not sound good to me. It sounds like some hand-made obfuscation or crypto, and over the years, that has never proven to be secure.

Interesting to read: Trevor Eckhart, What is Carrier IQ?.

Q5- Do I have CIQ on my phone?

Carrier IQ has been found on several Android phones, but it actually also exists on other platforms, such as iPhone.

Fortinet detects it as Riskware/CarrierIQ!Android.

Alternatively, you may install an application to check whether your phone has CIQ or not. There are Android apps for that, such as Lookout's Carrier IQ Detector or Project Voodoo (not tried).

If you are a phone geek, you can do this manually by searching for one of the following files:

/system/app/com.htc.android.iqagent.apk
/system/app/com.carrieriq.tmobile.apk
/system/app/com.carrieriq.iqagent.apk
/system/app/com.carrieriq.attrom.apk
/system/app/HtcLoggers.apk
/system/app/HTCIQAgent.apk
/system/bin/iqfd
/system/bin/iqd
/system/lib/libciq_client.so
/system/lib/libciq_htc.so
/system/lib/libhtciqagent.so
/system/etc/iqprofile.pro
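
The manual check above as a small POSIX shell script (an added example, not from the original post or any of the tools it mentions). The function names `ciq_scan` and `ciq_report` are made up for this example; the paths are the ones listed above, and passing a directory scans an unpacked ROM image instead of the live device.

```shell
#!/bin/sh
# Added example: look for the Carrier IQ files listed in this FAQ.
# With no argument it checks "/" (i.e. run it on the device itself);
# with a directory argument it checks an unpacked ROM / system image.

CIQ_PATHS='
/system/app/com.htc.android.iqagent.apk
/system/app/com.carrieriq.tmobile.apk
/system/app/com.carrieriq.iqagent.apk
/system/app/com.carrieriq.attrom.apk
/system/app/HtcLoggers.apk
/system/app/HTCIQAgent.apk
/system/bin/iqfd
/system/bin/iqd
/system/lib/libciq_client.so
/system/lib/libciq_htc.so
/system/lib/libhtciqagent.so
/system/etc/iqprofile.pro
'

# Print every listed file that exists under root $1 (default "/"), one per line.
ciq_scan() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", "/rom/" becomes "/rom"
    for p in $CIQ_PATHS; do
        # -e follows symlinks; -L also reports a dangling symlink
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Print a verdict; return 1 when at least one listed file is present.
ciq_report() {
    found=$(ciq_scan "$1")
    if [ -n "$found" ]; then
        printf 'Carrier IQ files present:\n%s\n' "$found"
        return 1
    fi
    printf 'None of the listed Carrier IQ files were found.\n'
    return 0
}

ciq_report "${1:-/}"
```

A clean result only means none of these twelve file names is present; it says nothing about builds that package the agent under other names.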

Interesting to read: Trevor Eckhart, [DEV|APPv7] CIQ / HTC & Google Checkin / HTC loggers / Tell HTC Info & Removal

Q6- How to get rid of Carrier IQ?

Unfortunately, it is difficult to get rid of CIQ because it has been built directly into the OS of the device, or packaged in the OEM's/carrier's ROM.

Consequently, you first need to root the phone, and then do one of the following:

  1. flash a custom ROM that does not contain Carrier IQ,

  2. use Trevor Eckhart's tool (1 USD),

  3. or try the Remove CIQ script, which removes CIQ files from the phone.

We haven't tried any of these, so beware.

UPDATE Dec 16, 2001:

CarrierIQ does not leak SMS bodies **in the general case**. Actually, CIQ leaks the SMS in some cases only, because of a design-level bug: if CIQ is capturing GSM network traffic at the same time as the phone receives an SMS, then of course the contents of the SMS will be included in the network capture...

-- the Crypto Girl
