Smartphone users have discovered a new name in recent days: Carrier IQ. It was discovered that certain mobile phones use software by this company – the Mobile Service Intelligence Platform – to track usage and send data to phone manufacturers and telecom companies. Security researcher Trevor Eckhart looked closely into what this software does, and discovered that it records keypresses, SMSs, URLs visited, and more. In fact, the software seems to be able to record – and send to third parties – just about everything a user does on their phone.
Eckhart first discovered this on a phone running Android – an HTC phone, which used the Sprint network. (He shows how this works in a YouTube video.) But subsequent research has shown that this occurs on a number of phones, and with a variety of carriers. The telephone companies claim, however, that they only use this software to collect information to improve network performance and quality of service. The handset manufacturers are blaming the carriers for “requiring” this software. This has turned into a hot potato, and has, once again, raised the spectre of people’s portable devices listening in on what they do, and sending information about their actions to third parties.
Engadget has an excellent Q&A about what Carrier IQ is and isn’t, and Cnet has collected a group of articles addressing the problem. What is most striking is how each company involved seems to try to pass the responsibility on to others. Engadget points out that, in spite of what the CEO of Carrier IQ said in a video posted to YouTube, the software is capable of collecting data and sending it to third parties; they examined patents held by the company, which describe the software’s capabilities.
This has gotten as far as the US Congress. US Senator Al Franken has asked for answers from Carrier IQ regarding what this software does, saying that the actions of the software “may violate federal privacy laws.”
And how does the iPhone fit into this story? Apple has issued a statement regarding their use of Carrier IQ’s software:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Apple calls information like this “diagnostic information,” and when you set up an iPhone, or other iOS device, you are asked if you want such information to be sent to Apple. If you said yes to this question, unaware of what this meant, you can turn this feature off. Tap the Settings app, then General, About, then Diagnostics & Usage. Then tap Don’t Send to turn this off.
While software such as this may indeed help improve quality of service, the real worry is that the data collected may fall into the wrong hands. Given the number of high-profile hacks of customer databases in recent months, one may assume that this data is not sufficiently protected. In addition, there are some kinds of data that this software seems to be capturing that it shouldn’t. There is no reason for it to record keypresses, especially because this will include any passwords that you type on your phone.
So, if you use an iPhone, don’t worry. Turn off the Diagnostics & Usage collection, and you should be fine. However, if you use another phone, it seems there is no way you can turn off this data collection. Engadget has a roundup of which companies – handsets or carriers – use Carrier IQ.
Apple today released updates for Mac OS X Lion, iOS, the Apple TV, as well as iWork applications, iPhoto and more. Many of these updates include security fixes, and the total number of bugs patched is certainly a record for Apple.
Security Update 2011-006 includes fixes for both Mac OS X 10.6.8 and Lion (as part of the Mac OS X 10.7.2 update), patching more than 60 bugs.
The iOS 5 Software Update fixes dozens of security issues.
The Safari 5.1.1 update, included with the Mac OS X Lion 10.7.2 update, and available separately for Snow Leopard, patches dozens of bugs.
The Apple TV Software Update 4.4 patches a half-dozen bugs, and updates to Pages and Numbers for iOS patch even more bugs.
This is a bumper crop for Apple, requiring users to download a number of very large updates. But with all these security fixes, Mac and iOS users can certainly sleep better tonight.
More information about these updates will be posted to Apple’s security updates page.
Gizmodo has selected Intego VirusBarrier iOS as their App of the Day. They point out exactly why a program like this is useful:
I’m not one to typically worry about viruses and malware and all that but for those who do, having that security blanket in VirusBarrier makes it a lot easier to sleep at night. Look, most of us aren’t dumb enough to click a link we shouldn’t be clicking anymore — it’s not 2001. However, I do get a lot of attachments in my emails these days and access random files from so many different points (Dropbox, FTP, etc), it’s easy to get lazy and careless.

A cross-site scripting vulnerability affecting Skype’s iOS app has been discovered, and a video demonstrating it has been provided: sending a specific text message to a user can copy their Address Book. This attack uses JavaScript, and, “Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype.” The attack leads to the Address Book data being sent to a remote server.
Contact information is not confidential in the way that, say, passwords are, but it does contain names, addresses, phone numbers and other data which hackers may use for identity theft, or e-mail addresses to use for sending spam.
Skype will have to update their app to fix this vulnerability. In the meantime, if you receive text messages from people you don’t know, you should stop using the Skype app immediately.
Apple has released security updates for iOS to fix a problem with certificate validation:
A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.
The updates, iOS 4.3.5 for the iPhone (GSM), iPod touch and iPad, and iOS 4.2.10 for the CDMA (Verizon) iPhone, are available via iTunes. More information about the update is available here for iOS 4.3.5 and here for iOS 4.2.10.
Intego today released VirusBarrier iOS, a malware scanner for the iPhone, iPad and iPod touch. Based on the award-winning technology of Intego’s Mac OS X anti-malware tool, VirusBarrier X6, VirusBarrier iOS allows users of iOS devices to scan files attached to e-mail messages in the cloud for malware that could affect Macs or Windows PCs. VirusBarrier iOS is available from Apple’s App Store for only $2.99.
The iPhone, iPad and iPod touch represent a new vector for bringing files into a home or business network. While there is no known malware for iOS, files can flow through these devices into computers at home and at work by e-mail, or via remote locations such as MobileMe or Dropbox. Mac and Windows viruses, malware and worms will take any path they can to get into home and work computers, and can easily be passed on to friends and co-workers directly from an iOS device, even though they do not affect iOS devices.
VirusBarrier iOS lets users easily scan e-mail attachments, other files they have access to on an iOS device, or files on remote locations such as MobileMe, Dropbox, web servers or WebDav disks. VirusBarrier iOS uses Intego’s award-winning VirusBarrier X6 scanning technology to detect and eradicate all known malware affecting Windows or Mac OS X: viruses, worms, Trojan horses, fake antiviruses, and other types of malware that might otherwise pass through undetected.

Due to the secure design of iOS, it is not possible to scan files automatically or to run scheduled scans. VirusBarrier iOS is an “on-demand” detection system that lets users scan files when they want to, or before passing them on to friends and associates.
VirusBarrier iOS offers the following features on demand:
* Supported formats for inter-app file transfer: Microsoft Word, Excel and PowerPoint documents, PDFs, HTML files, JavaScript files, Windows executables (.exe), Windows .dll files, and others.
VirusBarrier iOS uses malware definitions that are updated regularly. When users initially purchase VirusBarrier, the program includes a 12-month subscription to Intego’s malware definition updates. Subscription renewals will be available at $1.99 per year via an in-app purchase.
System Requirements
• An iPhone, iPad or iPod touch running iOS 4.0 or later