Smartphone users have discovered a new name in recent days: Carrier IQ. It was discovered that certain mobile phones use software by this company – the Mobile Service Intelligence Platform – to track usage and send data to phone manufacturers and telecom companies. Security researcher Trevor Eckhart looked closely into what this software does, and discovered that it records keypresses, SMSs, URLs visited, and more. In fact, the software seems to be able to record – and send to third parties – just about everything a user does on their phone.
Eckhart first discovered this on a phone running Android – an HTC phone, which used the Sprint network. (He shows how this works in a YouTube video.) But subsequent research has shown that this occurs on a number of phones, and with a variety of carriers. The telephone companies claim, however, that they only use this software to collect information to improve network performance and quality of service. The handset manufacturers are blaming the carriers for “requiring” this software. This has turned into a hot potato, and has, once again, raised the spectre of people’s portable devices listening in on what they do, and sending information about their actions to third parties.
Engadget has an excellent Q&A about what Carrier IQ is and isn’t, and Cnet has collected a group of articles addressing the problem. What is most striking is how each company involved seems to try to pass the responsibility on to others. Engadget points out that, in spite of what the CEO of Carrier IQ said in a video posted to YouTube, the software is capable of collecting data and sending it to third parties; they examined patents held by the company, which describe the software’s capabilities.
This has gotten as far as the US Congress. US Senator Al Franken has asked for answers from Carrier IQ regarding what this software does, saying that the actions of the software “may violate federal privacy laws.”
And how does the iPhone fit into this story? Apple has issued a statement regarding its use of Carrier IQ’s software:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Apple calls information like this “diagnostic information,” and when you set up an iPhone, or other iOS device, you are asked if you want such information to be sent to Apple. If you said yes to this question, unaware of what this meant, you can turn this feature off. Tap the Settings app, then General, About, then Diagnostics & Usage. Then tap Don’t Send to turn this off.
While software such as this may indeed help improve quality of service, the real worry is that the data collected may fall into the wrong hands. Given the number of high-profile hacks of customer databases in recent months, one may assume that this data is not sufficiently protected. In addition, there are some kinds of data that this software seems to be capturing that it shouldn’t. There is no reason for it to record keypresses, especially because this will include any passwords that you type on your phone.
So, if you use an iPhone, don’t worry. Turn off the Diagnostics & Usage collection, and you should be fine. However, if you use another phone, it seems there is no way you can turn off this data collection. Engadget has a roundup of which companies – handset makers or carriers – use Carrier IQ.
Apple has just released iOS 5.0.1 for the iPhone, iPad and iPod touch. In addition to several bug fixes and improvements (notably concerning battery life for iOS devices), this update contains several security fixes. Some of these fixes involve network access, fonts, kernel issues and the passcode lock, but one in particular is worth noting:
Impact: An application may execute unsigned code
Description: A logic error existed in the mmap system call’s checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This issue does not affect devices running iOS prior to version 4.3.
This is the bug that security researcher Charlie Miller unearthed just a few days ago, that we reported on here. While it may seem that Apple reacted quickly, patching this bug in just a couple of days, Miller had stated that he had informed Apple about the bug before they removed his program from the App Store. Full information about the security content of this update is available here.
This is the first iOS update available via “over the air,” or OTA, updating. You can get the update by connecting your device to iTunes, as in the past, or you can go to Settings > General > Software Update. Your device will show you information about the new update, and you can tap Download and Install to install it directly. One big advantage of this type of update is that the updates are incremental: instead of some 500 MB for a full iOS download, this update shows as around 40 MB on our iPad and iPod touch, and 45 MB on iPhones.
Mac and iOS security researcher Charlie Miller has discovered a flaw in Apple’s code signing system. Using this exploit, Miller said, “you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”
The vulnerability is as follows:
To increase the speed of the phone’s browser [...] Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, [Miller] realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible.
According to the Forbes article linked above, “The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants.” Once this was made public, Apple removed the app, and has also revoked Miller’s membership in Apple’s iOS developer program.
Miller did break Apple’s rules, but he also highlighted what could be a very serious flaw in the way iOS applies code signing. In doing so, he has exposed a vulnerability that needs to be patched in order to protect iOS users. Miller will be presenting this vulnerability next week at the SyScan conference in Taiwan.
This happened very quietly, but when syncing an iOS device yesterday, we noticed that Google safe browsing data was being synced to the device. It’s fair to say that, for many, updating iOS devices to iOS 5 was fraught with much annoyance, and when it finally worked, it was easy not to pay close attention to the process. But in the iTunes LCD (the part at the top of the iTunes window that shows the playback timeline and other information), we spotted a message saying “Downloading Safari safe browsing data.” This database, provided by Google, is used by mobile Safari to check for known malicious web sites. To check if this is activated on your iOS device, go to Settings > Safari, then look for the Fraud Warning slider. If it’s not set to “On,” set it now; it’s a good way to protect your device and yourself from known malicious websites.
We’re curious as to how often this database will be updated – whether it’s going to be refreshed regularly, such as daily or weekly, or whether updates will only come occasionally. If you spot a regularity to these updates, let us know in the comments.
Update: after syncing our iOS devices over the past couple of days, it seems that this update occurs once a day, but we have no idea at what time the update is made available.
Apple today released updates for Mac OS X Lion, iOS, the Apple TV, as well as iWork applications, iPhoto and more. Many of these updates include security fixes, and the total number of bugs patched is certainly a record for Apple.
Security Update 2011-006 includes fixes for both Mac OS X 10.6.8 and Lion (as part of the Mac OS X 10.7.2 update), patching more than 60 bugs.
The iOS 5 Software Update fixes dozens of security issues.
The Safari 5.1.1 update, included with the Mac OS X Lion 10.7.2 update, and available separately for Snow Leopard, patches dozens of bugs.
The Apple TV Software Update 4.4 patches a half-dozen bugs.
And updates to Pages and Numbers for iOS fix even more bugs.
This is a bumper crop for Apple, requiring users to download a number of very large updates. But with all these security fixes, Mac and iOS users can certainly sleep better tonight.
More information about these updates will be posted to Apple’s security updates page.