How Deep Does The Rabbit Hole Go? An In-Depth Look At Carrier IQ, The Data It Logs, And What's Really Going On

Lately, we've talked a lot about Carrier IQ, the "service" that hides itself in the background of an unknown number of Android devices, harvesting information and sending it back to carriers. While it's still unclear how deep the rabbit hole actually goes, the dev who discovered it, TrevE, is still digging in search of the answer. His latest findings may shine a bit of light on the subject, and I can promise you one thing: it's not pretty.

CIQ's Cloak of Invisibility

If you want to build an app that is designed to harvest the data of unknowing customers, there's a good chance that it's going to be well-hidden. So well hidden, in fact, that there's no clear way to detect it, get rid of it, or even shut it down. All of these things are true for CIQ - you'll find very few traces of its existence in the smartphones in which it inhabits. When you do find it, however, there's no way to kill it.

^{Carrier IQ and its ten thousand permissions.}

A little backstory is in order here - these screenshots were taken by TrevE on his stock, unrooted EVO 3D. You can see that the device is in airplane mode, and no accounts were set to sync. This service was running right out of the gate, from the second he booted the device up.

So, what do you think happens when you tap that little Force stop box? I can answer that for you - nothing. That's right, the app won't die. Doesn't matter if you hit that button one time or fifty, it does nothing. Not only that, but take a look at that icon - very inconspicuous and generic, wouldn't you say? A large portion of users would just scroll right past that snake-in-the-grass and never give it a second thought. Shady, shady stuff.

This is just the tip of the iceberg, though - turns out that CIQ is embedded so deeply into the devices that it inhabits, there is no way to get rid of it unless the entire OS is recompiled from scratch. This includes the kernel, the OS, and any customizations made to stock Android. In other words, this is impossible to remove from a stock ROM, even with root access. It's a figurative hydra, and severing only one head doesn't even phase it.

To give you a better idea of how integrated CIQ is into the very soul of the device, I strongly urge you to watch this entire video from Trev. It's a bit on the lengthy side, but it's well worth it.

[EMBED_YT]https://youtu.be/T17XQI_AYNo

[/EMBED_YT]

An app that's well hidden? Check. Harvesting data without the users' knowledge? Check. Embedded so deeply within the root of the device that it's nearly irremovable? Check. Sounds like we have all of the qualifications of a full-fledged rootkit - one of the absolute worst types of spyware imaginable.

So, what does HTC say about all this? Typical it's not us! crap.

It is also important to note that the phones we build are a compilation of not only software and services from HTC, but also from third parties. These third-party applications and services, such as Carrier IQ (CIQ) and Google Check-in, serve to further improve the customer experience and have their own privacy policies. We encourage consumers to understand the specific policies of any application or service that is enabled on their device.

In all fairness, I will say that CIQ is not exclusive to HTC devices, it just so happens that this was the type of device used when CIQ was first found. That doesn't make them innocent by any stretch of the imagination, though - they have their own IQagent app bundled in, as well. It appears that this is HTC's "helper" app to CIQ, as it doesn't require any permissions of its own.

Oh, looky there - an About box! Great! You know what it tells us about the app? Nothing. It's blank. Way to go, HTC.

HTTPS? Nothing Is Safe From Carrier IQ

For those unaware, the S in HTTPS stands for secure. It's what keep your passwords and other sensitive data safe when sent across the web. It's provides encryption for said information, so whilst it's traveling through the airwaves, it's safe and snuggly, away from the awful people who want to steal your info.

Just because a website is using a secure connection doesn't mean it's one-hundred percent safe from end-to-end, though. You see, some information, including usernames and passwords, can still be sent plain text. For example, the username and password can be used in the address of the site, like www.mysite.com?username=MYNAME&password=MYPASS (Trev's example). Sure, it's encrypted while going down the tunnel, but guess who gets to see the raw link? Did you guess Carrier IQ? If so, go get yourself a cookie. You earned it.

Devices Without a Cellular Network Aren't Safe, Either

Let's think about the name of this thing for a minute - Carrier IQ. So, it's probably safe to say that this is all about the carriers, right? If that were true, then why would CIQ remain active once a device no longer has carrier service?

Let me back up for one second, CIQ claims that its services are stopped the second the SIM card is removed from the device, which is all fine and dandy... if you're on a GSM network. Those of us on CDMA networks aren't so lucky, though, because we don't use SIM cards. Thus, even when a device is deactivated from its network, it continues to send data back to the carrier, CIQ, and whoever else whenever you're on a Wi-Fi connection. Great.

So, What Does This All Mean?

It means there is some shady business going on in our world. It's right under our noses, yet we can do nothing about. The bottom line is this: our data is being stolen - there is no choice, we have no say. Any decent service would, at the very least, provide an opt-out, but not CIQ.

The information that I send across my cellular network, including SMS, email, websites I visit, all of that - it's mine. If I want to share this information with my carrier, then they damn well better ask me for it.

What's going on right now is an outrage - carriers have no business prying into our lives this way. I don't hold the carriers solely responsible for this, however, Carrier IQ is just as responsible (if not more) for creating a mandatory rootkit that is to be placed on our devices before we buy them.

For a more in-depth look at the entire picture, take a look at this post from TrevE. You'll find that he's done an excellent job of leaving no stone unturned.