Tuesday 29 November 2011

Catch and kill the Carrier IQ spyware


CIQ must die

Carrier IQ is a spyware company that deserves to be sued straight into bankruptcy, and its owners should go to jail. Their product is a piece of spyware that comes preinstalled on many Android phones, iPhones, BlackBerries, and Nokias. It reads all sorts of private information (location, web surfing, text messages, keystrokes, emails) behind your back. It even logs data sent over HTTPS as plain text, which defeats the purpose of the end-to-end encryption used by PayPal, banks, webmail, etc.

CIQ phones home to Carrier IQ, Inc., which hands the info to its customers. Your data eventually ends up at phone manufacturers and operators. It's meant to improve cellular service, but it can collect such a truckload of sensitive data that it would make Big Brother drool like a little baby. CIQ should be killed like any other virus. Its makers deserve a slow and painful death.

For a detailed but non-geeky description of CIQ check out The Rootkit Of All Evil: CIQ on the xda portal. For all the gory details in geekspeak dive into the full CIQ discussion on the xda forum.

Trevor Eckhart (TrevE on the xda forum) discovered and exposed CIQ's dirty business. Carrier IQ, Inc. obviously didn't like having their crimes exposed. They even threatened to sue Trevor into silence, but after free speech organisation EFF got involved, CIQ had to back off and shut up. That's a good start, but not enough. Carrier IQ should shut their mouths and shut down their business. Let's hope the legal system does the right thing and kills CIQ.

Many Android and other phones are sold with CIQ straight out of the box. There's usually no way to opt out from being spied on, and no way to get rid of this piece of junk unless you root your phone, alter the system files, and void your warranty.

If you bought your phone from an American wireless operator it's probably infected with CIQ. Infection rates in the rest of the world are lower. For example, the major operators in my country (The Netherlands) don't use CIQ. Europeans are still at risk, though. Vodafone Portugal is in bed with CIQ, which probably violates all kinds of European privacy laws. And it's not just network operators that shop at CIQ. Phone manufacturers like HTC and Samsung include CIQ or similar junk, so even if your phone is not carrier-branded you may still be spied upon.

How to catch the thief?

CIQ is a rootkit that hides itself from you. It won't show up in task managers, it doesn't have an icon in your app drawer, and you'll never know it's running unless your tech skills are well above average. On some phones it may show up as IQ Agent in the application settings, but it could also be running completely invisibly unless you use third-party tools to hunt it down.

The best way to catch the thief red-handed is with the Logging Test App from TrevE. This app catches CIQ and many other logging apps that may (or may not) be running on your phone.

You can also check for CIQ with Any Cut. If Any Cut offers to create shortcuts to IQRD and IQAgent your phone is infected.

Update: now that CIQ-gate has made the mainstream media, all kinds of new CIQ-detecting apps are appearing on the market. Voodoo Carrier IQ detector is an open source app to catch CIQ. Although it's still a work in progress, it is a lot more user friendly than the geeky app from TrevE. Another app to catch CIQ is Carrier IQ Detector from Lookout Labs, built by the company that makes Android's most popular free antivirus app. Virus killer Bitdefender made a CIQ detector too.

Kill the beast

You'll need root access to kill CIQ, and all ways to remove CIQ from your phone will void your warranty. Before you start, make sure to back up your system software just in case you need to get your hardware fixed.

Flashing a custom ROM like CyanogenMod will remove CIQ. Other custom ROMs are usually CIQ-free too. Keep a backup copy of your stock ROM in a safe place just in case.

The free version of the Logging Test App can detect CIQ for you, but it won't touch it. The Logging Test App can kill CIQ, but only if you upgrade to the paid version (one dollar). Warning: all phones are different, so the Logging Test App may not work on your phone or even brick it. Make sure you have a full system backup just in case the Logging Test App makes your phone unbootable.

You could try to sue your mobile operator or phone manufacturer to recoup the cost of the Logging Test App, but that would only work if you join a class action lawsuit. Of course you could buy the app from the Android Market, use it to get rid of CIQ, and then use the 15-minute window to get a refund. Or just keep the app, because removing CIQ is just one of its many useful features.

Removing CIQ by hand is possible, but very difficult. You can't just rename or delete the app files, because CIQ is integrated into your web browser, dialer, kernel, media player, SMS app, and other places. You'll need to extract all those bits and pieces, patch them, and flash them back into your phone. This keeps manual removal out of reach of everyone except a handful of experts who know how to edit source code. If you want to give it a shot anyway, start with this CIQ discussion on xda. It's very HTC-centered, but it should give you an idea where to look on other phones too.

Tame the beast

Although CIQ is very hard to remove, there's another way to stop it from phoning home. Just make sure it doesn't run. Your phone needs to be rooted to keep CIQ under control.

You can freeze its background processes with Titanium or MyBackup. The names of the processes depend on your phone; look for IQRD, System Manager (yes, really), IQAgent, or HTCIQAgent. Too bad that freezing apps only works with the paid versions of Titanium and MyBackup.
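The name check described above (the IQRD and IQAgent shortcuts that Any Cut offers, and the process names to look for before freezing), as an added example that is not part of the original post. It assumes you can pull a package or process listing off the phone over adb; the function names and the sample listing are made up for illustration.

```shell
#!/bin/sh
# Added example: flag entries in a package or process listing whose name
# contains one of the component names this post mentions.
# "System Manager" is left out on purpose: it is a display label, not a
# distinctive name, and matching on it would mostly hit unrelated entries.
# Longest name first, so HTCIQAgent is not reported as plain IQAgent.
CIQ_NAMES='htciqagent iqagent iqrd'

# find_ciq: read a listing on stdin, one entry per line, for example from
#   adb shell pm list packages
#   adb shell ps
# Print every matching line prefixed with the name that matched.
# Returns 0 if at least one entry matched, 1 if none did.
find_ciq() {
    awk -v names="$CIQ_NAMES" '
        BEGIN { n = split(names, want, " ") }
        {
            line = tolower($0)          # names differ in case between phones
            for (i = 1; i <= n; i++)
                if (index(line, want[i])) {
                    print want[i] ": " $0
                    hit = 1
                    break
                }
        }
        END { exit (hit ? 0 : 1) }
    '
}

# Constructed sample input (not taken from a real phone): three package
# lines and two process lines, three of which carry a name from the post.
sample_listing() {
    cat <<'EOF'
package:com.android.browser
package:com.example.carrier.iqagent
package:com.example.oem.HTCIQAgent
system    214   1    1324   428   S iqrd
app_12    310   96   98000  21000 S com.android.phone
EOF
}

# Stand-alone run: show what the sample listing would flag.
sample_listing | find_ciq
```

A hit only tells you where to look next. An empty result proves nothing, because the names depend on the phone.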

You can freeze CIQ for free with Bloat Freezer, but the business ethics of the maker of Bloat Freezer are as bad as those of CIQ.

Carrier IQ Process Killer kills CIQ when it tries to run. It won't restart until you reboot your phone, and then you can kill CIQ again. Anti Carrier IQ does the same.

find CIQ

Carrier IQ Detector (from Lookout Labs)
Bitdefender Carrier IQ Finder
Voodoo Carrier IQ detector

find and kill CIQ

Logging Test App by TrevE (finds CIQ for free, removes it for a dollar)
Android Security Test (Trevor Eckhart's Logging Test App site)
Carrier IQ Process Killer
Anti Carrier IQ
CIQ discussion on xda (warning: full of geekspeak and raw code)

more about CIQ

The Rootkit Of All Evil: CIQ (xda on CIQ in non-geekspeak)

