Archive for the ‘Security’ Category

Verizon: “We Do Not Install Carrier IQ On Our Phones”

  • December 1, 2011 7:58 am

The ongoing drama revolving around the deeply invasive Carrier IQ mobile tracking software has another twist. Late yesterday a VZW spokesperson (@VZWJeffrey) tweeted that Verizon Wireless does not use/install Carrier IQ software on any of their devices.

But is Verizon lying? Contrasting Verizon’s claim is this post by chpwn which shows strings for VZW (codenamed “Zepplin”) plus mentions of AT&T and Sprint. Now, whether VZW activated it or not is uncertain (and again, up to them). Is Verizon lying, and are they using Carrier IQ? Is this technically not on Verizon’s shoulders and instead on Apple’s, seeing as these are strings for iOS, and Apple is the only entity which can install such an application on the iPhone? The questions are growing with each passing day and unfortunately few answers are coming back in return.

If Verizon is telling the truth, the full force of our worries/anger should be placed directly on carriers’ shoulders as it is their decision to make use of the Carrier IQ software. And on that note, carriers should absolutely be actively telling customers that software as deep and invasive as Carrier IQ is installed — it passes encrypted, secure information as plain text!

For now, iOS users may have a small saving grace. It appears that simply disabling diagnostics tracking and reporting in Settings.app on iOS 5 is enough to render Carrier IQ null & void — a sign that it’s not nearly as potent on iOS as we’ve seen on Android. Speaking of which, the information that iOS does send back to Apple is as follows (chpwn, via):

  • CoreTelephony
      • your phone number
      • your carrier
      • your country
      • active phone calls - (However, I only saw it noting that a phone call was active, not what number was dialed or it was received from. But, I am not going to claim it doesn’t do that: it’s certainly possible, but didn’t see it.)
  • CoreLocation
      • your location - (Only, however, if Location Services are enabled.)
  • (Possibly more I haven’t yet found.)

We’ve reached out to a couple of our VZW people to get more info on their non-use (and any potential future use) of Carrier IQ. Stay tuned…

Carrier IQ Is Present In iOS 5.

  • December 1, 2011 12:00 am


The Carrier IQ scandal took a big twist tonight when iOS hacker, chpwn, discovered mentions of the alleged heavy-handed tracking application hidden deep within older versions of iOS (3.x and earlier). But after a little more digging chpwn has found Carrier IQ hiding its nasty face deep within iOS 5, too. This time instead of taking the “IQAgent” identifier, Carrier IQ poses as awd_ice#.

It goes without saying a lot of people are pissed that a program such as Carrier IQ is collecting their every keystroke — even highly encrypted passwords — and reading them back in simple plain text. Now that the “secret” is out in the open, any dev with ill intentions can scrounge up a ton of data by way of a virus or malicious app.

We’re far from the end of this little unfolding drama, so stay tuned…

Buzzkill: Kindle Fire 6.2 Update Removes Root. (But You Can Re-root)

  • November 30, 2011 11:16 am

It appears Amazon is taking an Apple-like approach to Android root users of the new Kindle Fire tablet. The latest Kindle Fire 6.2 update not only adds vaguely worded “improvements”, it removes the root permissions. But don’t worry. It’s not all bad. You can update to 6.2 and then re-root using the same method that got you to your freed state pre-6.2.

There are also reports that the Android Market is removed, though it doesn’t happen on every device and any apps downloaded via the Android Market reportedly still function.

We only wish the Kindle Fire had an option to disable auto-updating. While the ability to re-root dramatically lessens the impact for root users, future updates may not be so accommodating.

With that said, the necessary tools to re-root your Kindle Fire can be found right over here.

Carrier IQ Researcher Posts Video Showing Software Spying On Encrypted Transmissions.

  • November 30, 2011 12:28 am


The public image surrounding Carrier IQ, the company infamously called out by security researcher and XDA dev, Trevor Eckhart, just got kicked in the teeth while it was picking itself up off the ground.

If you recall, Eckhart accused Carrier IQ’s software of going way too far in how/what it tracks on mobile phones. (Read: it pretty much tracks everything — even encrypted transmissions.) Carrier IQ responded with a lawsuit which they then withdrew shortly thereafter while also tossing an apology Eckhart’s way. Now Eckhart is hitting back once again with a new video that shows Carrier IQ software doing the very thing(s) the company claims they don’t — invasive tracking of private and encrypted user data. It’s so deep into the phone in fact that phone calls, text messages, passwords sent over HTTPS and other forms of communication are logged and easily read (provided you have the tools and know-how) before the phone notifies you that there is anything to see/hear.

We’ll clear the air and say that the type of tracking and data sorting that Carrier IQ essentially aims for is highly beneficial to carriers as well as consumers. For carriers it helps them understand end user usage habits and spot trouble areas in network coverage (among other things). For end users, the mere fact that the carrier is actively monitoring their network to make sure your experience is optimal is good enough, we think. Unfortunately, Carrier IQ is lying right through their teeth when it comes to what the software does, and being able to rather easily see the contents of transmissions sent via the secure HTTPS protocol is highly alarming.

When questioned again by Geek.com, Carrier IQ wouldn’t comment on the allegations above, simply stating that they “are looking forward to our meeting with EFF this week and will continue to keep you updated.”

Paranoid/angry yet?

Video after the break. It’s long, but very informative and well worth the ~17 minutes required to see it from start to finish.

BlackBerry PlayBook Scores Root Access, Hulu Support With “DingleBerry” Tool.

  • November 29, 2011 1:27 pm


Playbook enthusiasts (all 6 of you), your day of freedom has arrived. Thanks to the combined efforts of three talented hackers, neuralic, xpvqs and Chris Wade, the PlayBook now has official root status. The app, humorously named “DingleBerry”, isn’t publicly available yet but should hit the www in the near future.

Besides super user access, users of DingleBerry will be able to re-enable the blocked Hulu app and even use said app without being subscribed to Hulu’s premium service that allows mobile usage.

For a tablet that’s so far left us with few stories worth following, this is a welcome surprise that, when released, should make it a more formidable foe in the tablet world. If the developer/hacker world can continue bringing unofficial apps and services to the PlayBook, and dare we say possibly even Android, the PlayBook could go from nobody to somebody overnight. Here’s to hoping.

Video demos of the root access and Hulu hack after the break.

iPhone 4S Unlock In The Works - iPhone 4 Users Out Of Luck

  • November 28, 2011 10:55 am

Well, now that Black Friday and all of its shenanigans are over, it is back to the interwebs and all of its glory. While you were waiting in line to pick up your brand new oven mitts, MuscleNerd was hard at work digging through code to find an exploit that will free the chains - not that they are so hard to get out of - of Apple and allow you to use the JesusPhone on any GSM network across the globe.

It seems that an exploit was found that will give the iPhone 4S users something nifty to look forward to. The unlucky and poor T-Mobile users will enjoy the news as well. It’s downright crazy that this doesn’t work on the iPhone 4 and I bet you Apple is kicking themselves if they didn’t plan on making it easier.

The Unlock won’t be released until there is a working Jailbreak available for the new iPhone, but once it is out, we’ll let you know! Anyone out there still count on the Dev Team unlock?

Watch Siri Control An Entire Room!

  • November 28, 2011 7:56 am


The potential for Siri is understandably quite high. While Apple has limited Siri’s initial abilities, the jailbreak/hacker community has already done some pretty awesome work in picking apart the code to find out just how Siri works. With that hurdle out of the way, developers can begin applying Siri to other aspects of life that Apple could take years to get to, if they ever do at all.

One talented developer by the name of Phildman14 on YouTube posted a video of his iPhone using Siri + Siri Proxy to control a number of items in his room including the curtains, ceiling fan/light, and desk lamp. It’s pretty crazy stuff and just goes to show how incredibly powerful and simple Siri is.

Jump inside to see how Siri will begin to control the world, one room at a time…

Help The Chronic Dev Team Find Exploits!

  • November 27, 2011 4:22 am

With all the buzz on Twitter about what might be released tonight, we finally know what it is. About 10 minutes ago p0sixninja finished and released the post on the Chronic Dev Team blog. No, it isn’t an untethered jailbreak for the iPhone 4S and iOS 5.x. What it is is a cry for help: a need for iPhone users’ crash reports from their iPhones to find new and unpatched exploits.

Instead of allowing this vicious cycle to continue, we decided to write a new program to turn Apple’s own beast against its master, per se. All this program requires from you is to attach your iOS device to your computer and click a single button!

It is really that simple. After reading the blog post, and then downloading the application, I had submitted my crash reports before WordPress had enough time to open so I could write this post. The process is simple. The idea is great. Let’s forget about the lost exploits that Apple has patched and move on to bigger and better things. Hopefully we’ll see great things come from these reports!

Jump on in for a download link to the application…

Carrier IQ Suing XDA Member Who Found Their Spying Software Hiding On Android Phones.

  • November 22, 2011 11:38 pm

Own an HTC, Samsung, or competing manufacturer’s Android device? Chances are your phone is spying on you thanks to kernel-level tracking software by Carrier IQ. No, this isn’t another Android virus article, but one that is potentially more alarming given the depth of the tracking.

The gist of the story: Carrier IQ is installed on Android (and potentially more) devices from more mainstream manufacturers (as listed above) and runs at an extremely low-level (read: kernel-level) environment. Because of this, end users have absolutely 0 control over how it tracks, what it tracks, or when it tracks. Hell, we don’t even have the ability to see when it’s running or what data is being sent where.

Even more alarming, however, is how Carrier IQ has responded to the XDA member who discovered the software, Trevor Eckhart (TrevE) — they’re suing him. The legal letters sent Trevor’s way are pretty intense and full of lots of C&D verbiage and legal buzzwords.

Cutting through Carrier IQ’s BS, it’s easy to see the company is simply trying to cover their tracks and keep the scope of their tracking out of the public spotlight. Unfortunately for Carrier IQ, it appears they’re all incompetent and/or haven’t heard of the Streisand effect — that is, trying to suppress potentially incriminating news will only lead to a much more public, brutal reveal down the road.

All that said, Trevor has signed the EFF as his legal counsel, who know a thing or two about strongly worded legal letters themselves. Ball’s in Carrier IQ’s court now. This should be interesting…

  • Carrier IQ’s legal claim: Read
  • EFF’s official response to Carrier IQ’s claims: Read

Update

Carrier IQ has officially dropped the lawsuit and issued a formal apology regarding the matter.