D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

[LUG] Fw: Using a [linux] smartphone? You're pwned

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It's left-pond centric, but may be of interest to some (many?) here.


*** Begin forwarded message:

Date: Fri, 16 Dec 2011 03:41:33 -0000
Subject: Using a [linux] smartphone?  You're pwned


"SmartPhones" = Android (linux, Google) and iCrap (Apple)

If you're unaware of the meaning of "pwned":

    <http://www.urbandictionary.com/define.php?term=pwned>
    <http://en.wikipedia.org/wiki/Pwn>

Short story: every keystroke, every URL, and everything you do on a
smartphone is captured and "sent home".  The company doing this is
"Carrier IQ" in Mountain View CA (near Google and a few miles from
Apple's HQ), and the spyware runs on Android linux, iOS, and other OSs.

Following are extracts of and links to what I've posted recently in the
relevant Usenet groups.

Details:

CarrierIQ is a Mountain View CA company whose software is embedded
in iCrap iPhones and Android devices to log all [logical] keystrokes,
URLs visited, etc. and sends the information home.

Background articles:

<http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/>
<https://www.eff.org/sites/default/files/eckhart_cease_desist_demand_redacted.pdf>
<https://www.eff.org/sites/default/files/eckhart_c%26d_response.pdf>

Today's zinger is the FBI rejects Freedom of Information Act (FoIA)
requests for information probably because they would be firebombed by
irate smartphone users.  More info:

<http://boingboing.net/2011/12/12/fbi-says-it-uses-carrier-iq-fo.html>
<http://www.muckrock.com/news/archives/2011/dec/12/fbi-carrier-iq-files-used-law-enforcement-purposes/>
<http://www.muckrock.com/foi/view/united-states-of-america/manuals-or-documentation-regarding-accessing-carrier-iq-data-fbi/947/>

For those who would like to form an "Occupy CarrierIQ" protest with
torches and pitchforks, here's the company's info from whois:

   Carrier IQ
   1200 Villa Street
   Suite 200
   Mountain View, California 94041
   United States
   650-625-5480
   <http://carrieriq.com/>

and their software is infecting several new phones every second per the
display on their website.

As found in today's comp.dcom.telecom:

Carrier IQ reacts badly to being caught with its hand in the cookie jar.

In the December 15th edition of Crypto-Gram, Bruce Schneier has this to
say about Carrier IQ and the company's reaction to the recent publicity
about its capabilities and customers:

    Carrier IQ Spyware

    Spyware on many smart phones monitors your every action, including
    collecting individual keystrokes.  The company that makes and runs
    this software on behalf of different carriers, Carrier IQ, freaked
    when a security researcher outed them.  It initially claimed it
    didn't monitor keystrokes -- an easily refuted lie -- and threatened
    to sue the researcher.  It took EFF getting involved to get the
    company to back down.

Rest is at <http://www.schneier.com/crypto-gram-1112.html>

Forget the "Occupy Carrier IQ" event; here are the missile targeting
coordinates for Carrier IQ:

    37Â 23' 47.70" N, 122Â 05' 01.30" W

If your SCUD or equivalent requires decimal coordinates:

    37.396583Â, -122.083694Â

In either case, ground zero is at 70 feet (21.34 m) above mean sea level.

Bruce Schneier (Chief Security Technology Officer, BT) wrote:
"
" One more detail is worth mentioning. Apple announced it no longer
" uses Carrier IQ in iOS5. I'm sure this means that they have their
" own surveillance software running, not that they're no longer
" conducting surveillance on their users. 

Relevant URLs:

<http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/>

<http://www.informationweek.com/news/security/mobile/231903096>

<http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/>

<https://www.eff.org/mention/carrieriq-backs-cease-and-desist-apologizes-trevor-eckhart-eff>

<http://www.engadget.com/2011/12/01/carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to/>

<http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/>

<http://www.informationweek.com/news/security/mobile/231903096>

<http://www.pcmag.com/article2/0,2817,2397156,00.asp>

Apple iCrap and Carrier IQ:

<http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/>

Roundup of everything that's known about Carrier IQ:

<http://security.stackexchange.com/q/9416/971>



*** End of Forwarded message.

- -- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
There's no point in asking you'll get no reply
Pretty Vacant - Sex Pistols
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJO6v6sAAoJEEvDbGwXTTHBn1wH/1Sa6VCBqvnl7xwgSLDHs3Q9
aWQVh5+b5IdEylacvseYSdWSiNxBkpBe3ERJZApCwTi/wBX7OJIL6PDVfrE3TtiP
SbDTFohhYc/AQ8Xhi/iS7qP05OkZTAv5TvyYZT13phYtuLiZWG0s5/xmp9KXZHiv
PwRPef3sBvkeEDKPCFfC/Qomcv1l/Txg9QT2XJgzmHO6kdjxqQHFZgCzOEetXb8b
O5rVJJDUxE7C0E7Wu4GkQDHFSDnv3WgupV/iTv9qIJIygPkr1ZPeypUFFpSmOSpC
T2ov7RgpJG76NNCWtbKbFfmR8vVEiRQn3yTaqhB6UvaycIJGkyuwASYzmi199Ts=
=/9hl
-----END PGP SIGNATURE-----
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq