Perks Posted October 2, 2011

I know the title is alarmist (à la CM). First of all, big thanks to Trevor Eckhart for this discovery.

In any case, this data isn't sent anywhere, but it sits in a file where a "crafty" program can make use of it; in other words, the problem isn't HTC collecting the data, it's that an app is able to read it. On custom ROMs (obviously I haven't tested all of them; right now I'm on LeeDroid) this doesn't happen. But on to what matters:

Affected phones
Note: only stock Sense firmware should be affected
- EVO 4G
- EVO 3D
- Thunderbolt
- Very probably the Sensation and others

The Vulnerability

In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in. That is not the case.
What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed:
- active notifications in the notification bar, including notification text
- build number, bootloader version, radio version, kernel version
- network info, including IP addresses
- full memory info
- CPU info
- file system info and free space on each partition
- running processes
- current snapshot/stacktrace of not only every running process but every running thread
- list of installed apps, including permissions used, user ids, versions, and more
- system properties/variables
- currently active broadcast listeners and history of past broadcasts received
- currently active content providers
- battery info and status, including charging/wake lock history
- and more

Let me put it another way.
By using only the INTERNET permission, any app can also gain at least the following:
- ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
- ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
- ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
- ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
- BATTERY_STATS: Allows an application to collect battery statistics
- DUMP: Allows an application to retrieve state dump information from system services
- GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
- GET_PACKAGE_SIZE: Allows an application to find out the space used by any package
- GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
- READ_LOGS: Allows an application to read the low-level system log files
- READ_SYNC_SETTINGS: Allows applications to read the sync settings
- READ_SYNC_STATS: Allows applications to read the sync stats

Fixing the problem...

This requires root, and it's enough to remove HtcLoggers (/system/app/HtcLoggers.apk). I'm attaching two apps to test whether HtcLoggers is present, plus a short explanatory video:

http://dl.dropbox.com/u/18331466/loggingdangerapp.apk
http://dl.dropbox.com/u/18331466/TrevE_Logging_TestApp_v4.apk

Stay safe
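As an added audit example (not code from this thread, from HTC, or from TrevE's test apps): a small Python script that takes `ls -l` listings as captured with `adb shell ls -l <dir>` and reports whether HtcLoggers.apk is still present in /system/app, which files in a logging directory are world-readable (the property that lets an app holding only INTERNET read them), and which of the identifier types the post lists (email addresses, phone numbers, GPS fixes) appear in a log excerpt. The thread gives no path for the log directory, so the script takes the listing as input instead of naming one; the listings and the log lines are constructed samples, not real device output.

```python
"""Audit helper for the HtcLoggers exposure described above.

Added example, not code from the thread, from HTC or from TrevE's test apps.
Inputs are `ls -l` listings (as captured with `adb shell ls -l <dir>`) and a
log excerpt; the samples below are constructed, not real device output.
"""
import re
from typing import Dict, List

# Path the thread says to remove (root required) on affected stock Sense firmware.
LOGGER_APK = "/system/app/HtcLoggers.apk"

# Constructed `ls -l` output in Android toolbox format:
# <mode> <owner> <group> [<size>] <date> <time> <name>
SAMPLE_SYSTEM_APP = [
    "-rw-r--r-- root     root       217092 2011-09-01 10:12 HtcLoggers.apk",
    "-rw-r--r-- root     root      1048576 2011-09-01 10:12 Phone.apk",
]
SAMPLE_LOG_DIR = [  # hypothetical logging directory; the thread names no path
    "-rw-rw-rw- system   system    3670016 2011-10-01 08:31 htclog.txt",
    "-rw------- system   system      12288 2011-10-01 08:31 private.db",
    "drwxrwx--- system   system            2011-10-01 08:31 cache",
]
# Constructed log excerpt of the kind the post describes (accounts, call log, location).
SAMPLE_LOG = """\
10-01 08:31:02 AccountManager: Account[0] name=alice.example@gmail.com type=com.google sync=1
10-01 08:31:05 CallLog: number=+15555550123 duration=42
10-01 08:31:09 LocationManager: last known gps lat=38.7169 lon=-9.1395
"""

LS_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(?:\d+\s+)?\S+\s+\S+\s+(.+)$"
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 10-15 digit runs with an optional leading '+', not glued to other word characters
PHONE_RE = re.compile(r"(?<![\w.])\+?\d{10,15}(?!\w)")
LATLON_RE = re.compile(r"lat=(-?\d+\.\d+) lon=(-?\d+\.\d+)")


def parse_ls_line(line: str) -> Dict[str, str]:
    """Split one toolbox `ls -l` line into mode, owner, group and name."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    mode, owner, group, name = m.groups()
    return {"mode": mode, "owner": owner, "group": group, "name": name}


def logger_installed(system_app_listing: List[str]) -> bool:
    """True if HtcLoggers.apk is still present in a listing of /system/app."""
    target = LOGGER_APK.rsplit("/", 1)[1]
    return any(parse_ls_line(l)["name"] == target for l in system_app_listing)


def world_readable_files(listing: List[str]) -> List[str]:
    """Regular files whose 'other' read bit (mode string index 7) is set.

    Android runs every app under its own uid, so a file that any uid can read
    is readable by an app holding only INTERNET: that is the flaw described above.
    """
    names = []
    for line in listing:
        entry = parse_ls_line(line)
        if entry["mode"][0] == "-" and entry["mode"][7] == "r":
            names.append(entry["name"])
    return names


def scan_for_pii(log_text: str) -> Dict[str, list]:
    """Pick out the identifier types the post says the log contains."""
    return {
        "emails": EMAIL_RE.findall(log_text),
        "phones": PHONE_RE.findall(log_text),
        "locations": LATLON_RE.findall(log_text),
    }


def report(system_app_listing: List[str], log_listing: List[str], log_text: str) -> str:
    """Human-readable summary, returned as a string so it can be checked as well as printed."""
    lines = [f"HtcLoggers present: {logger_installed(system_app_listing)}"]
    exposed = world_readable_files(log_listing)
    lines.append(f"world-readable log files: {exposed or 'none'}")
    for kind, hits in scan_for_pii(log_text).items():
        lines.append(f"  {kind}: {len(hits)} found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSTEM_APP, SAMPLE_LOG_DIR, SAMPLE_LOG))
```

On a real device you would feed `world_readable_files` the listing of whatever directory the logger writes to, and `scan_for_pii` a copy of the log pulled with `adb pull`; a clean result is a log directory with no world-readable files, which is what the fixed firmware mentioned later in the thread should show.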
Perks Posted October 3, 2011 (edited)

HTC has already reacted, saying that a software update with a fix for this flaw will be released. A leaked ROM with reference 2.08 (Sense 3.5) is already going around on xda. I've downloaded it; I haven't installed it, but I could already see that at least the file isn't there any more, so at HTC they must have realised they're not Apple :trollface:

Edited October 3, 2011 by Perks
Perks Posted October 15, 2011

Stock users: European EVO 3D and Sensation OTA updates confirmed to fix the HtcLoggers.
Perks Posted December 1, 2011 (edited)

Just a brief summary: after this flaw was discovered, the developer kept working and found a vulnerability that had to do with a log created by a company called Carrier IQ, whose job was to collect smartphone usage information and hand it over to the carriers (this is on carrier-locked phones, which are the majority in the USA). The problem starts when it turns out they collected everything, and when I say everything I really mean everything, from location and calls down to the keys pressed, and it cut across the stock ROMs of the main players (HTC, Samsung, LG, etc.).

"Carrier IQ provides telemetry to cellular carriers and manufacturers, and according to the company itself, its software is pre-installed on over 141 million phones. Now, a security researcher claims that the same software is monitoring every single key you press on your smartphone, reading your SMS, and logging much of the personal data you transmit, too — all with an app that you can't remove."

This started on Android because the community behind it, with its fanaticism for ROM development, tries to remove any and every app whose purpose is unknown and whose removal makes no difference to performance. Unfortunately that possibility doesn't extend to iOS, but it certainly planted the doubt, and the result was:

Carrier IQ references discovered in Apple's iOS

To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ. We were able to independently verify that at the very least, references to Carrier IQ's servers do exist within iPhoneOS 3.1.3 in a file located at /usr/bin/IQAgent.

What exactly that binary is able to access or how it may communicate with either carriers or Carrier IQ is not yet known, though there are references to an IQAgent log on the device as well as references to collector.sky.carrieriq.com. For versions 4.0 and up, Intell on MacRumors' forums has found similar references to the http://collector.sky.carrieriq.com location within /usr/bin/awd_ice2, although we have not independently verified that yet. Again, no clear word on just what is or is not being tracked or collected. The story is developing, with chpwn promising a post providing as many details as he's been able to uncover thus far, including the possibility that the code wasn't enabled by default in iOS. We should emphasize that all we can say for sure at the moment is that iOS definitely contained references to Carrier IQ — but given how the story has progressed thus far, we expect there will be more to report on soon.
http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

As I said earlier, custom ROMs are free of this. As for iOS, we'll see. There's also talk that most non-American ROMs don't have this problem, because it's the carrier's decision whether or not to put this in the stock ROM.

Edited December 1, 2011 by Perks
panayotopoulos Posted December 1, 2011

(quoting Perks) "(...) whose job was to collect smartphone usage information and hand it over to the carriers (this is on carrier-locked phones, which are the majority in the USA). The problem starts when it turns out they collected everything, and when I say everything I really mean everything, from location and calls down to the keys pressed, and it cut across the stock ROMs of the main players (HTC, Samsung, LG, etc.)

"Carrier IQ provides telemetry to cellular carriers and manufacturers, and according to the company itself, its software is pre-installed on over 141 million phones. Now, a security researcher claims that the same software is monitoring every single key you press on your smartphone, reading your SMS, and logging much of the personal data you transmit, too — all with an app that you can't remove.""
RedHeart Posted December 1, 2011

I saw that news a while ago on Yahoo News. Go and fetch the tin-foil hats from the storage room.
Revenge Posted December 1, 2011

Cyanogen user here. Carrier IQ is something that doesn't apply to me :-..
Perks Posted December 1, 2011

Just to make things clear: as I said before, this is on American phones bought from the carriers with all that crapware. On phones that come unlocked and/or are sold in Europe this doesn't happen. AOSP phones are free of it too. Custom ROMs are free of it. On iOS, since updates are worldwide, it goes to everyone, but from what I read in Rev's post next door, simply unchecking an option in iOS 5 fixes the problem.
jr_cardoso Posted December 1, 2011

http://www.theverge.com/2011/11/30/2601695/carrier-iq-controversy
Revenge Posted December 2, 2011

Cyanogen Team: Everybody with access to a web browser over the last week or so has undoubtedly seen the recent upheaval about Carrier IQ. The truth is, Carrier IQ has been around for quite some time. It is one of the nastier examples of bloatware installed by carriers, and it is more than likely something that will always be there in some form or fashion. That is, as long as your phone is running the OEM provided version of Android. As this version of Android is based entirely on work from the Android Open Source Project, the CyanogenMod team would like to assure everyone that Carrier IQ has never, and will never be a part of our Operating System. There is no risk of this kind of software to ever be shipped as a part of CyanogenMod, period. Please, take it upon yourselves to educate anyone who is concerned about Carrier IQ, and offer them CyanogenMod as the only real opt-out they are likely to get any time soon.

Revenge likes Cyanogen

ps: OEM is different from AOSP. OEM is the version of Android after it has gone through the carriers. For example, when I bought the P500 it came with Android modified by Vodafone itself, i.e. with their junk. And it's the carriers that put Carrier IQ on Android. Either way, it seems the European carriers aren't doing this. Only the American ones.
Perks Posted December 4, 2011

For context, statements from some carriers and manufacturers:

Apple: We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

AT&T: In-line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance.

Bell: Bell doesn't install or support Carrier IQ or similar programs. You may want to connect with the device manufacturers for the industry-wide perspective.

Fido: Carrier IQ is not on any of our devices.

Google, which has never shipped CarrierIQ on its Nexus devices: We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.

HP: HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices.

HTC: HTC, like most manufacturers, has an opt-in error reporting function built in to our devices. If your phone experiences an error, you have the option of 'Telling HTC' so we can make improvements to our phones. Details about this are in our privacy policy on each device and in order for data to be collected, you have to opt-in. If you do opt-in, we protect your privacy by de-identifying and encrypting the data. HTC is committed to protecting your privacy and that means a commitment to clear opt-in/opt-out as the standard for collecting any information we need to serve you better. Carrier IQ is required on devices by a number of U.S. carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.

Microsoft: Windows Phones don't have CarrierIQ on them either.

Nokia: Nokia is aware of inaccurate reports which state that software from Carrier IQ has been found on Nokia devices. Carrier IQ does not ship products for any Nokia devices, so these reports are wrong.

RIM: RIM does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution... RIM also did not develop or commission the development of the Carrier IQ application, and has no involvement in the testing, promotion, or distribution of the app.

Rogers: I'm happy to confirm that we have investigated and Carrier IQ is NOT on any of our devices.

Samsung: Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.

Sprint: Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint. Sprint is well known for our serious commitment to respecting and protecting the privacy and security of each customer's personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance.

T-Mobile US: T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' internet activity, nor is the tool used for marketing purposes.

T-Mobile UK: I can confirm that Carrier IQ software is not and has not been installed on any T-Mobile phones.

Verizon: To be 100% clear: Carrier IQ is *not* on Verizon Wireless phones.

Motorola didn't have an official statement, but did mention that Carrier IQ is only pre-loaded as an operator requirement. According to MobileSyrup, Virgin Mobile Canada, Telus and Videotron have also confirmed that Carrier IQ is not loaded on any of their devices.
Lookout has released a "Carrier IQ" detector that is simpler than the existing one from TrevE (my test): https://market.android.com/details?id=com.lookout.carrieriqdetector

Apple, HTC, Samsung, Motorola, AT&T, Sprint, T-Mobile and Carrier IQ Sued in Delaware Federal Court in Cell Phone Tracking Software Scandal

WILMINGTON, Del., Dec. 2, 2011 /PRNewswire/ -- The law firms of Sianni & Straite LLP of Wilmington, DE, Eichen Crutchlow Zaslow & McElroy LLP of Edison, NJ, and Keefe Bartels L.L.C. of Red Bank, NJ, have today filed a class action complaint in Federal Court in Wilmington, Delaware related to the unprecedented breach of the digital privacy rights of 150 million cell phone users. The complaint asserts that three cell phone providers (T-Mobile, Sprint and AT&T) and four manufacturers of cell phones (HTC, Motorola, Apple and Samsung) violated the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud and Abuse Act.

So, it begins
Revenge Posted December 4, 2011

So it's not just the carriers after all, but some brands as well.