David Frederick's | iAIR BLOG

Consulting, Innovation, Strategy, Vision, Education, & Ideation

Archive for the ‘Security’ Category

UPDATE – Carrier IQ

Here is a brief update on the Carrier IQ debacle. Check it out!

-DF

A group of three law firms late last week announced (via BGR) the filing of a class action lawsuit against Apple, Carrier IQ, and five other companies over privacy issues related to Carrier IQ’s logging software. The list of defendants also includes hardware manufacturers HTC, Samsung, and Motorola, and carriers AT&T, Sprint, and T-Mobile.

The carriers and manufacturers last month were caught willfully violating customers’ privacy rights in direct violation of federal law. A technology blogger in Connecticut discovered last month that software designed and sold by California-based Carrier IQ, Inc. was secretly tracking personal and sensitive information of the cell phone users without the consent or knowledge of the users. On Nov. 30, 2011, the United States Senate Committee on the Judiciary said in a letter to Carrier IQ that “these actions may violate federal privacy laws.” It added, “this is potentially a very serious matter.”

While it appears that the version of Carrier IQ’s software installed on iOS devices is much less capable than that found on Android devices, concerns have still arisen over just what information is being logged and transmitted back to Carrier IQ to be passed on to carriers. For its part, Apple has claimed that it has stopped supporting Carrier IQ in iOS 5 and that it will remove all remaining traces of the service in a future iOS update.

Much of the focus has been on Carrier IQ itself and the carriers that have partnered with the company, but hardware companies have also become involved in the controversy. German regulators have already begun pressing Apple for details on its usage of Carrier IQ data, and other authorities will likely also turn to Apple and other hardware companies as the story continues to develop.

Written by David Frederick

December 6, 2011 at 1:59 PM

Posted in Business, Security

Mobile Spyware And Why You Should Be Concerned

Technology is truly a marvel, and like many “marvels” it can be used for good and evil. Apparently, the good folks at our mobile carriers are very interested in what you do with your mobile/smart phone. Consensual Data Capture is one thing, spying…. yes spying is another. No, this isn’t a three-letter government agency doing this, but our mobile carriers or literally anyone else who happens to buy the right software to access the embedded spyware.

It was bad enough that “certain” organizations were tracking Black Friday shoppers without their knowledge in malls via their mobile/smart phones, but now we are learning about a new and very disturbing revelation around the amount of data, communication, and PII (Personally Identifiable Information) mobile carriers are collecting, who’s using it, and how they are collecting it.

Don’t get me wrong, I am all for ways in which to drive and capture consensual consumer behavior, KPIs, market metrics, and behavior to help drive more effective solutions, services, usage, and strategies, but the consumer should be informed AND give their consent to allow the capture and usage of this information. Apparently, this is not the case here.

Remember when Apple was tracking people’s location movements via their iPhones and cataloging the data? This is way worse. Of course, Apple was forced to stop that practice. But this new embedded spyware? If you own a non-Apple smart phone you should check out this disturbing article. So far, it affects 100 million of you. Even if you do own an Apple iPhone, you should still check it out. This could still be happening with your iPhone. We just don’t know yet.

-DF

Tens of Millions of Smartphones Come With Spyware pre-installed, Security Analyst Says

Over 100 million smartphones are tracking their owners’ every step, Android developer Trevor Eckhart claimed, thanks to software that comes pre-installed on phones from most major carriers.

During a security demonstration revealed on Monday, Eckhart showed how software developed by Carrier IQ tracks virtually everything a user does — going as far as logging individual keystrokes and button presses. The company claims it helps its customers improve quality and performance “by counting and measuring operational information in mobile devices.” Security experts call it spyware.

“I assume that when I SMS my wife on the phone, no one is intercepting that message,” Chet Wisniewski of security firm Sophos told FoxNews.com. He called the whole ordeal a “serious invasion of privacy.”

“Why do they need to know when I’m logging into Bank of America, when I’m accessing my password? It’s a different level of snooping,” he said.

Developed as a mobile analytics platform, Carrier IQ’s software can be found on most Android, BlackBerry and Nokia phones — over 140 million phones in total, the company’s website boasts. Some reports suggest Apple iPhones may carry the software as well.

The company has flat out denied that its software records keystrokes, a claim Eckhart’s latest video seems to refute.

“Every button you press in the dialer before you call,” Eckhart says in his latest video, “it already gets sent off to the IQ application.”

Eckhart did not return FoxNews.com phone calls, and Carrier IQ declined to comment on his claims. A statement on the company’s website reiterates the company’s claims that its software does not track customers or record keystrokes.

“This information is used by our customers as a mission critical tool to improve the quality of the network, understand device uses and ultimately improve the user experience,” the company said. By evaluating these metrics, Carrier IQ aims to help with issues such as “dropped calls and battery drain.”

In videos showing Carrier IQ at work, Eckhart showed it going beyond such utilitarian monitoring. He showed Carrier IQ’s software monitoring entire text messages, a Google search, and his location, even during sessions protected by HTTPS, a security protocol that encrypts communications for sensitive transactions like online banking.

Sprint has acknowledged using Carrier IQ’s software, but denies having access to personal data.

“Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service,” Sprint told CNET earlier this month. “We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool,” Sprint continued.

While Wisniewski understands the needs for data and metrics, he believes carriers must be more forthcoming about how they are monitoring their users, what data they are collecting, and how they are protecting that data.

“If you’re going to collect that kind of information from people, you have to meet a different standard,” Wisniewski told FoxNews.com.

But for now, most users are stuck, unable to even turn off or uninstall the program.

“The Carrier IQ application is embedded so deeply in the device that it can’t be fully removed without rebuilding the phone from source code,” Eckhart wrote on his website.

“Even where a device is out of contract, there is no off switch to stop the application from gathering data.”

Read more: http://www.foxnews.com/scitech/2011/12/01/is-your-smartphone-secretly-spying-on/#ixzz1fJJ3Zfhk

Written by David Frederick

December 1, 2011 at 2:58 PM

Online Filter Bubbles

Check out this very interesting video from Eli Pariser at a February 2011 TED Event. Very interesting on how search engines, content providers and other web providers are giving you what they think you need versus what you actually want. Eli makes a very interesting case that as web companies strive to tailor their services (including news and search results) to our personal tastes, there’s a dangerous unintended consequence: We get trapped in a “filter bubble” and don’t get exposed to information that could challenge or broaden our worldview. Eli argues powerfully that this will ultimately prove to be bad for us and bad for democracy.

Check it out here!

Apple’s Bug – Update

Hmmmm.. Nice try guys. Just fix it and stop doing it. Or at minimum, ask our permission. Apple has admitted that iPhones store location information and plans a patch to scale back that data collection — but the company says widespread complaints and privacy fears mischaracterize what information is on its phones. What Apple isn’t saying is that regardless of what type of data is captured, stored, used, etc. it doesn’t matter. You need to ask the users’ permission. Unless of course, Apple puts the fine print and implied consent into the ULA of the iTunes updates. Which NO ONE EVER READS. That is my bet on how this will be resolved.

-DF

FROM FOX NEWS

Apple has admitted that iPhones store location information and plans a patch to scale back that data collection — but the company says widespread complaints and privacy fears mischaracterize what information is on its phones.

In a lengthy question and answer statement posted to its website, Apple said the data file uncovered by researchers and publicized last week isn’t a log of a phone’s location, but a list of Wi-Fi hotspots and cell towers nearby. That helps the phone figure out its location without having to listen for faint signals from GPS satellites.

Tracking is a normal part of owning a cellphone, of course. But what’s done with that data is where the controversy arose.

Neither Apple nor Google immediately responded to FoxNews.com requests for additional information.

Apple’s comments are the company’s first comprehensive response to allegations that iPhones — as well as Google-based Android phones — store up to a year’s worth of user-location data, reports that have drawn attention from Congress and the ire of its users.

“Apple is not tracking the location of your iPhone,” the company said in an issued statement. “Apple has never done so and has no plans to do so ever.”

The company claims that the location data people are seeing is a crowd-sourced database of nearby Wi-Fi hotspots and cell phone towers, collected for a new feature Apple plans to roll out in the future.

“These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple,” the company said.

“This data is not the iPhone’s location data — it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location,” the statement explained.

Apple revealed that it is also collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.

In 2009, Google announced that it was tracking similar information on traffic congestion.

“When you choose to enable Google Maps with My Location, your phone sends anonymous bits of data back to Google describing how fast you’re moving. When we combine your speed with the speed of other phones on the road, across thousands of phones moving around a city at any given time, we can get a pretty good picture of live traffic conditions,” explained Dave Barth, product manager for Google Maps.

The root of the problem stems from a software bug that causes the phone to keep certain crowd-sourced data longer than necessary — creating the illusion that the phone is saving a historical log of user whereabouts.

“We don’t think the iPhone needs to store more than seven days of this data,” the company added.

Apple expects to release a fix in the next few weeks that will reduce storage of information. The software giant also plans to stop backing up the file from the iPhone to the user’s computer, a practice that raised concerns among security experts. Computers are much more vulnerable to remote hacking attempts than are phones.

The company also noted that in future releases of its iOS software, the cache will be encrypted, adding a further layer of protection.

Written by David Frederick

April 27, 2011 at 1:15 PM

Apple & Surreptitious Data Capture Update 2

As I reported on this earlier this week, this topic is picking up greater steam, and more alarming information is coming to light, including the surreptitious capture of data by other “smart” phones and devices. Check out this article from the Wall Street Journal. As a huge Apple fan and heavily invested user and consumer of Apple products and services, this is deeply disturbing and disappointing.

-DF

Apple, Google Receive Phone Users’ Locations

By JULIA ANGWIN And JENNIFER VALENTINO-DEVRIES

Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit their locations back to Apple and Google, respectively, according to data and documents analyzed by The Wall Street Journal—intensifying concerns over privacy and the widening trade in personal data.

Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the $2.9 billion market for location-based services—expected to rise to $8.3 billion in 2014, according to research firm Gartner Inc.

In the case of Google, according to new research by security analyst Samy Kamkar, an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.

Google declined to comment on the findings.

Until last year, Google was collecting similar Wi-Fi data with its fleet of StreetView cars that map and photograph streets world-wide. The company shut down its StreetView Wi-Fi collection last year after it inadvertently collected e-mail addresses, passwords and other personal information from Wi-Fi networks. The data that Mr. Kamkar observed being transmitted on Android phones didn’t include such personal information.

Apple, meanwhile, says it “intermittently” collects location data, including GPS coordinates, of many iPhone users and nearby Wi-Fi networks and transmits that data to itself every 12 hours, according to a letter the company sent to U.S. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) last year. Apple didn’t respond to requests for comment.

The Google and Apple developments follow the Journal’s findings last year that some of the most popular smartphone apps use location data and other personal information even more aggressively than this—in some cases sharing it with third-party companies without the user’s consent or knowledge.

Apple this week separately has come under fire after researchers found that iPhones store unencrypted databases containing location information sometimes stretching back several months.

Google and Apple, the No. 1 and No. 3 U.S. smartphone platforms respectively according to comScore Inc., previously have disclosed that they use location data, in part, to build giant databases of Internet Wi-Fi hotspots. That data can be used to pinpoint the location of people using Wi-Fi connections.

Cellphones have many reasons to collect location information, which helps provide useful services like local-business lookups and social-networking features. Some location data can also help cellphone networks more efficiently route calls.

Google also has said it uses some of the data to build accurate traffic maps. A cellphone’s location data can provide details about, for instance, how fast traffic is moving along a stretch of highway.

The widespread collection of location information is the latest frontier in the booming market for personal data. Until recently, most data about people’s behavior has been collected from personal computers: That data generally can be tied to a city or a zip code, but it is tough to be more precise. The rise of Internet-enabled cellphones, however, allows the collection of user data tied with much more precision to specific locations.

This new form of tracking is raising questions from government officials and privacy advocates. On Wednesday, Rep. Markey sent a follow-up letter to Apple asking why the company is storing customer-location data on its phones.

“Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn’t become an iTrack,” Rep. Markey said in a statement.

Google previously has said that the Wi-Fi data it collects is anonymous and that it deletes the start and end points of every trip that it uses in its traffic maps. However, the data, provided to the Journal exclusively by Mr. Kamkar, contained a unique identifier tied to an individual’s phone.

Mr. Kamkar, 25 years old, has a controversial past. In 2005, when he was 19, he created a computer worm that caused MySpace to crash. He pled guilty to a felony charge of computer hacking in Los Angeles Superior Court, and agreed to not use a computer for three years. Since 2008, he has been doing independent computer security research and consulting. Last year, he developed the “evercookie”—a type of tracking file that is difficult to be removed from computers—as a way to highlight the privacy vulnerabilities in Web-browsing software.

The Journal hired an independent consultant, Ashkan Soltani, to review Mr. Kamkar’s findings regarding the Android device and its use of location data. Mr. Soltani confirmed Mr. Kamkar’s conclusions.

Transmission of location data raises questions about who has access to what could be sensitive information about location and movement of a phone user.

Federal prosecutors in New Jersey are investigating whether smartphone applications illegally obtained or transmitted information such as location without proper disclosures, the Journal reported in April, citing people familiar with the matter.

A spokeswoman for the Office of the Privacy Commissioner of Canada said the office “had concerns” about using cellphones to collect Wi-Fi data and has expressed those concerns to Google. “The whole issue of the tracking capabilities of new mobile devices raises significant privacy issues,” she said.

The business of collecting location information began in 2003, when Boston-based Skyhook Inc. launched and began the practice of “wardriving”—cruising around in cars to collect information about Wi-Fi hotspots. Comparing the names and signal strengths of nearby Wi-Fi hotspots against a database allows for a cellphone’s location to be determined within 100 feet, in many cases, Skyhook says.

“For the first four or five years, people thought we were nuts,” said Ted Morgan, Skyhook’s founder and CEO. “We invented this whole concept of driving around and scanning for Wi-Fi and tuning these algorithms.”

In 2007, Google began building its own Wi-Fi database, using the StreetView cars. Last year, Apple switched from using Skyhook and began creating its own database of Wi-Fi points for use on its newest phones, although it still uses Skyhook data for older phones and Macintosh computers.

Skyhook’s Mr. Morgan says the company attempts to protect users’ privacy by collecting data via cellphone only when a person requests location from its servers—for instance when they are actively looking at a map. Each time a user requests location, the information is encrypted and gathered without any identifying user numbers, Mr. Morgan says. That means Skyhook can’t follow a person from one location to the next, he says.

Google seems to be taking a different approach, to judge from the data captured by Mr. Kamkar. Its location data appears to be transmitted regardless of whether an app is running, and is tied to the phone’s unique identifier.

In its letter to Congress last year, Apple said that it only collects location data from people who use apps that require location. It doesn’t specify how often a person must use the app for intermittent collection to occur.

Apple also said in the letter that it collects Wi-Fi and GPS information when the phone is searching for a cellular connection. Apple said the data it transmits about location aren’t associated with a unique device identifier, except for data related to its mobile advertising network.

Apple gathers the data to help build a “database with known location information,” the letter says. “This information is batched and then encrypted and transmitted to Apple over a Wi-Fi Internet connection every twelve hours (or later if the device does not have Wi-Fi Internet access at that time),” the company wrote in the July letter to Congress.

The letter, which is available on Rep. Markey’s website, became newsworthy this week in light of findings from two researchers who uncovered a file on iPhones that keeps a record of where the phone has been and when it was there. The file is unencrypted and stored by default.

The discovery of this location file touched off a furor among iPhone owners who could see for the first time a trove of location data about themselves stored on their phones. The researchers, Alasdair Allan and Pete Warden, said that they had no evidence that the file was being transmitted to Apple.

Written by David Frederick

April 21, 2011 at 8:26 PM

Update to the Apple tracking issue

Yesterday, I was ahead of the curve on this issue. Now everyone is picking up on it. Here are a couple of updates and one way to protect yourself.

First, to help protect yourself make sure you select the encrypt back up mode when you back up your device. The data is not normally encrypted; although users can encrypt their information when they sync their devices, few do. Make sure you do.

Ok, included here is an updated article from the NYT and CNBC.

– DF

Hidden Tracking Files Found in iPhone, iPad

Apple faced questions on Wednesday about the security of its iPhone and iPad after a report that the devices regularly record their locations in a hidden file. The report came from a technology conference in San Francisco, where two computer programmers presented research showing that the iPhone and 3G versions of the iPad began logging users’ locations a year ago, when Apple updated its mobile operating system.

After customers upgraded the software, a new hidden file began periodically storing location data, apparently gleaned from nearby cellphone towers and Wi-Fi networks, along with the time.

The data is stored on a person’s phone or iPad, but when the device is synced to a computer, the file is copied over to the hard drive, the programmers said. The data is not normally encrypted; although users can encrypt their information when they sync their devices, few do.

To some privacy advocates, the storing of the data was a clear breach.

“The secretive collection of location data crosses the privacy line,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy policy organization based in Washington.

“Apple should know better than to track iPhone users in this way.” Others said the discovery of the hidden file was unlikely to have a major practical impact on privacy and security.

“It is more symbolic than anything else,” said Tim O’Reilly, a longtime technology pundit and founder of O’Reilly Media. “It is one more sign of how devices are collecting data about us and potentially sharing it with others. This is the future. We have to figure out how to deal with it.”

Law enforcement officials can already get this type of location information from cellphone companies, Mr. O’Reilly said; there are, however, conflicting rulings in federal courts about whether they need a search warrant.

But sitting on a home computer, the data could now be more vulnerable to access by hackers or others, he said. And information about a person’s locations over time could be accessible to strangers if a phone or iPad was lost or if it was attacked by malware. (DF – Note: Like this never happens right?).

The news of what appeared to be a security problem immediately ricocheted across the Internet as bloggers on technology and Apple-centered sites debated the many questions left unanswered by the report.

It is unclear, for example, whether Apple is gaining access to the information in any way. It is also unclear how precise the location data is and why it is being stored at all.

The programmers said they had asked Apple’s product security team about their findings but did not receive a response. Apple also did not respond to a request for comment from The New York Times.

The report even attracted attention from political figures, like Senator Al Franken, Democrat of Minnesota, who sent Apple’s chief executive, Steven P. Jobs, a letter asking why Apple was “secretly compiling” the data and what it would be used for.

Some privacy experts said the issue was not the legality of storing this information but whether Apple was playing fair with its customers.

“Collecting this data is not illegal, but it does matter whether or not this is explicitly spelled out in Apple’s terms of use,” said Christina Gagnier, a lawyer specializing in privacy and copyright.

“Apple constantly changes their privacy policy, and it’s questionable whether most users are aware this is happening.”

Apple has an obligation to its customers to allow them to opt out of being tracked, said Ian Glazer of Gartner Research, who is a director in the company’s identity and privacy group.

“There is no way to really turn this tracking off,” he said. “It needs to be visually obvious, or in the settings, to see that this is happening on your phone.”

Alasdair Allan and Pete Warden presented the paper at the O’Reilly Where 2.0 conference, a gathering of experts on location technology.

Mr. Allan said in a blog post that beyond the issue of storing the information is the question of “how Apple intends to use it — or not.”

Mr. Allan, who has written books that teach people how to program, also said that the data being collected would be transferred to a new product when customers buy a new phone or iPad, and then sync it.

Mr. Warden, a former Apple employee, posted a free downloadable application on his Web site for Mac computers that allows users to see their stored location data on a map.

Whatever the privacy implications, the report was a burst of bad publicity for Apple on a day when it again reported stellar earnings results.

“It doesn’t matter how Apple explains its way out of this, just the fact that consumers know that their phone is being tracked is a very big deal,” said Chenxi Wang, a vice president of Forrester Research who specializes in security and risk.

Miguel Helft and John Markoff contributed reporting.

Written by David Frederick

April 21, 2011 at 10:16 AM

iPhone and Apple Devices Keep Track of Everywhere You Go

You know, I love my iPhone 4. I think it is the best “micro mac” with a phone ever made. I also think it’s the best “smart phone” made. I have been an early adopter of the iPhone series starting with the original iPhone. I am also a huge fan and proponent of Apple products in general. But sometimes, technology can get a little creepy. Even for Apple.

UK security researchers Alasdair Allan and Peter Warden recently uncovered the fact that Apple’s iPhone, iPod Touch and iPad (anything running iOS 4) keep track of where you go – and save every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronized.

The file contains the latitude and longitude of the device’s recorded coordinates along with a time stamp, meaning that anyone who stole the device or the computer could discover details about the owner’s movements using a simple program. Note – Owner could also be your company or IT department. Yikes!

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the devices’ operating system, released in June 2010. Of course no one at Apple is commenting on this. My guess is this: Apple is going to use this data for upcoming features and apps focused around Apple’s iAd platform and potentially apps based on travel and location-based solutions. Just a guess. I truly do not believe Apple is personally interested in where you go i.e. big brother. But the fact that the device is capturing the data without you, the user, knowing it, nor giving you the opportunity to opt out, is rather sneaky and downright dangerous. Particularly around privacy issues. Not cool Apple!

There used to be a time when everyone referred to Microsoft as the evil empire. I now hear whispers of the same in regards to Apple and Google. As technology becomes more advanced and ubiquitous, our personal data which is centralized and stored remotely by numerous devices, the capturing, leveraging and control of PII – Personally Identifiable Information – will be king. It will be harvested for everything from security to marketing. Personal privacy will be gone. The willing and unwilling divulging of your personal information without your consent is now the price of admission to use technology. It’s not right or probably even legal, but there it is.

Want to see what Apple is capturing in regards to your little jaunts and visitations? I hope you haven’t been naughty as private investigators, nosy bosses, bored IT guys, disgruntled spouses, thugs, the government, etc. can now see every single place you have ever been, what time you were there, how long you were there, plot it with Longitude and Latitude, etc. presuming of course you had your Apple device with you. You can download an app from the gents Allan and Warden at their website – click here….. to actually see the data Apple is capturing and it will show you your places of visitation.

You can also view their FAQs on this issue. Finally, if you want to read more about this, you can check out an interesting article from the UK Paper The Guardian on this very topic here.

Now I need to get back to my iPhone. Oh, ironically….. Android phones don’t seem to have this embedded “feature” in their system according to Allan and Warden who meticulously checked. Maybe I will wait before I get an iPhone 5.

-DF

Written by David Frederick

April 20, 2011 at 11:49 AM